LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  04-23-2006, 07:49 PM  gabsik (Member; Registered: Dec 2005; Location: This planet; Distribution: Debian,Xubuntu; Posts: 546; Rep: Reputation: 30)
Subject: mac address filtering

In my LAN I have a router gateway and after it a Linux box with 2 eths being the firewall router, then a switch and other servers. I have on the Linux firewall strict rules to stop spoofing, don't let IANA addresses pass through eth0, and I'm sometimes getting packets from the router dropped.

Apr 24 01:15:46 argo DROP on eth0: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=115 TOS=00 PREC=0x00 TTL=64 ID=24870 DF PROTO=UDP SPT=2062 DPT=514 LEN=95

That 192.168.0.1 is my router.
I was asking myself how, in the ISO-OSI stack, addresses are handled passing through the various levels, because in the MAC address above, half is my router and the other part is the visitor's MAC.
Then I started playing with subnetting the router bit, with 192.168.0.1/255.255.255.253, which should do the trick, but it doesn't! What if I "play" with MAC addresses and iptables instead? The people connecting to my LAN will all have my router's MAC address, so the risk is to stop or free entry for all traffic... it's getting difficult. Any advice?

PS.
Hope my English was clear!!!

Last edited by gabsik; 04-24-2006 at 11:12 AM.
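Added example, not part of the thread: a small parser for the netfilter LOG line quoted in the post. The MAC= field that looks like "half my router, half someone else" is in fact three things concatenated: the destination MAC (6 octets), the source MAC (6 octets) and the EtherType (2 octets, 08:00 = IPv4). Run on the line above it separates the firewall's own eth0 address (destination) from the router's address (source, since SRC=192.168.0.1). The sample line is copied from the post; the function names are this example's own.

```python
import re
from typing import Dict

# Constructed sample: the netfilter LOG line quoted in the post above, copied verbatim.
SAMPLE_LINE = (
    "Apr 24 01:15:46 argo DROP on eth0: IN=eth0 OUT= "
    "MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=192.168.0.1 DST=192.168.0.2 "
    "LEN=115 TOS=00 PREC=0x00 TTL=64 ID=24870 DF PROTO=UDP SPT=2062 DPT=514 LEN=95"
)

# KEY=VALUE tokens; the value may be empty (OUT= on an incoming packet).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

ETHERTYPES = {"0x0800": "IPv4", "0x0806": "ARP", "0x86dd": "IPv6"}


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one netfilter LOG line.

    LEN= occurs twice (IP total length, then the UDP/TCP length), so the
    second occurrence is stored under LEN_L4 instead of overwriting the first.
    """
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key = key + "_L4"
        fields[key] = value
    return fields


def split_mac_field(mac_field: str) -> Dict[str, str]:
    """Split the 14-octet MAC= field: 6 octets destination MAC,
    6 octets source MAC, 2 octets EtherType."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("MAC= field should have 14 octets, got %d" % len(octets))
    ethertype = "0x" + "".join(octets[12:14])
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def describe(line: str) -> Dict[str, str]:
    """Combine both parsers into the fields a firewall admin wants at a glance."""
    fields = parse_netfilter_log(line)
    mac = split_mac_field(fields["MAC"])
    return {
        "iface_in": fields["IN"],
        "src_ip": fields["SRC"],
        "src_mac": mac["src_mac"],
        "dst_ip": fields["DST"],
        "dst_mac": mac["dst_mac"],
        "ethertype": mac["ethertype_name"],
        "proto": fields["PROTO"],
        "dport": fields.get("DPT", ""),
        "ttl": fields["TTL"],
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE_LINE).items():
        print("%-10s %s" % (key, value))
```

For the sample line this reports src_mac 00:09:5b:b0:3c:a2 (the router, the hop that wrote the Ethernet header) and dst_mac 00:40:f4:7a:58:25 (the firewall's eth0). Only the source MAC can be used in a `-m mac --mac-source` match, and, as the thread goes on to explain, every packet forwarded by the router carries that same source MAC.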
 
#2  04-24-2006, 11:22 AM  gabsik (Original Poster)
So people connecting to my LAN are all going to have my router IP, so any antispoof measure is pointless. Maybe subnetting 192.168.0.1 (router) and 192.168.0.2 (Linux box firewall eth0) like this, 192.168.0.0/30, and a:
iptables -A INPUT -i eth0 ! -s 192.168.0.0/30 -j DROP
or
iptables -A INPUT -i eth0 -m mac ! --mac-source 00:0F:EA:91:04:08 -j DROP   # 00:0F:EA:91:04:08 is the router MAC

I hope this time you all understood!

Last edited by gabsik; 04-24-2006 at 11:23 AM.
 
#3  04-25-2006, 09:16 PM  gabsik (Original Poster)
I'll put it in the simplest and clearest form: I have before my Linux firewall box a router, 192.168.0.1, and this in my firewall script to prevent spoofing:
# IANA private IPv4 address space
$IPT -t nat -A PREROUTING -i $INT -s 127.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 128.0.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 169.254.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 172.16.0.0/12 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 191.255.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.0.0.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.0.2.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.88.99.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.168.0.0/16 -j DROP   # <-- this rule
$IPT -t nat -A PREROUTING -i $INT -s 198.18.0.0/15 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 224.0.0.0/4 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 240.0.0.0/4 -j DROP

I don't want to DROP my router. To not include 192.168.0.1 and 192.168.0.2 (eth0 firewall) in the DROP, if I do -A PREROUTING -i eth0 ! -s 192.168.0.0/30 -j DROP, taking down 2 bits of 32 (192.168.0.1, 192.168.0.2), does it make any sense????
Second question: people connecting to me are all going to have my router IP???? No, isn't it!
 
#4  04-25-2006, 10:38 PM  Capt_Caveman (Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658; Rep: Reputation: 57)
If I'm understanding your question and network correctly, any packets that the router forwards in/out of the LAN are going to have the router's MAC as the source. Any time the packets are forwarded, the layer-2 headers are stripped and replaced. So as you send a packet to Google it looks something like this:
Code:
(S:YOUR_MAC,D:YOUR_ROUTER_MAC)<--->(S:YOUR_ROUTER_MAC,D:INT_ROUTER1)<--->(S:INT_ROUTER1,D:INT_ROUTER2)<--->(S:INT_ROUTER2,D:GOOG_NIC)
The IP addresses should stay the same from hop to hop, unless you have some kind of NAT going on (SNAT/DNAT). If the packet is indeed coming from outside the LAN, then the source IP should stay the same. When you send a reply back, *then* the router modifies the IP address (layer3) and strips off the layer2 MAC header.

If your Linux box has a router in front of it with an IP address in IANA space, then you don't want to filter that IANA address (at least not outright). Depending on the type of router (Cameo Communications?), it may or may not have its own firewalling capability, which you should determine. If so, configure it to block inbound traffic. If not, then you can block packets coming from the router's IP that have an abnormal TTL value (still forgeable). You can determine the proper TTL using tcpdump/ethereal.

Personally I would be surprised if the router would even forward external packets into the LAN if the IP was spoofed like that. You may want to set up a little test system with 2 machines on either side of the router and see if you can get spoofed packets through. If you can, I'd look for a new router.
 
#5  04-26-2006, 01:56 AM  gabsik (Original Poster)
That's right, as I said in the first post. The MAC address changes, the IP stays the same. I wanted to start filtering based on MAC addresses, but what do you think of ! 192.168.0.0/30 -j DROP? I'm testing this out. The router is a Netgear; it has Linux inside, kernel 2.4, an HTTP daemon and a router daemon, I don't remember the name. I can configure it only by browser, no shell, and it has a firewall of course, just DROP-ACCEPT. Many people told me: what? 2 gateways? What's the point? Well! Sometimes they even become three when I plug in the laptop. The Linux box hasn't got a pppd daemon, drivers to find, compatibility for drivers, firmwares, etc. The router has a pppd, connects me automatically, and, as I call it, it is a hardware firewall; my LAN is safe.
 
#6  04-26-2006, 08:00 PM  Capt_Caveman
OK, so if your router has a built-in firewall, make sure that is enabled and it should block all undesired traffic from the internet, including spoofed packets using the 192.168.0.1 address.

The problem with blocking that MAC using iptables on the Linux box is that all packets (regardless of the source) that are forwarded by the Netgear router are going to have *its* MAC address. For example, say I was to ping your box right now from the machine I'm on. When I send the ping packet, it will have the MAC address of my machine's NIC. When it passes through my router, the MAC header is stripped and it will now have the source MAC of my router. The header is then replaced again as it passes through each router on the internet. When it reaches your router it will not have my MAC address as the source, but rather the MAC of your ISP's router that is connected to you. As your router forwards the packet to you, the header is replaced for the last time and is given the source MAC of your router. So even though the packet came from me it has *your router's* MAC on it. So the problem is that all packets forwarded by your router will have its MAC address. If you do:

-m mac ! --mac-source 00:0F:EA:91:04:08 -j DROP   # router MAC

that isn't going to drop anything, 'cause all packets are going to have that MAC if they pass through the router. So you can't do MAC filtering in your situation. You can simply block IPs that don't belong to the router and allow 192.168.0.1. You don't need to worry about allowing 192.168.0.2 because you should never see packets coming *in* the external interface with your own IP.
 
#7  04-27-2006, 06:44 AM  gabsik (Original Poster)
So if I subnet the router (192.168.0.1) and the Linux firewall box eth0 (192.168.0.2) like this: 00000011, 192.168.0.0/2 or 192.168.0.0/30 ... please help!!!
 
#8  04-27-2006, 09:03 AM  Capt_Caveman
Just add those 2 IPs as "whitelist" rules that use the ACCEPT target and then have a rule that drops the entire range:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j DROP

WRT subnetting, you can probably use 192.168.0.0/30 (255.255.255.252), but I'm not sure why you want to do that. If you only have the router and the single host on the network, then there isn't any real need to break the LAN into small logical subnets in that way.
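Added example, not code from the thread: a small Python model of iptables first-match evaluation, run over three constructed packets that all arrive on eth0 carrying the router's source MAC (the situation post #6 describes). It compares four chains from the thread: the 192.168.0.0/16 DROP from post #3, the whitelist-before-drop ordering from post #8, the `! --mac-source` idea from post #2, and the `! -s 192.168.0.0/30` negation from post #2. The packet list, the rule ordering and the chain policy (ACCEPT) are assumptions of this example; 203.0.113.7 is a documentation address standing in for an arbitrary internet host. It is a model of rule matching, not a wrapper around the real iptables binary.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ROUTER_IP = "192.168.0.1"
ROUTER_MAC = "00:0f:ea:91:04:08"   # router MAC as given in post #2


@dataclass
class Packet:
    iface: str      # interface the packet arrived on (-i)
    src_ip: str
    src_mac: str    # layer-2 source, rewritten by the last hop (the router)


@dataclass
class Rule:
    """One iptables rule: optional -i, -s (with '!'), -m mac --mac-source (with '!')."""
    target: str                   # ACCEPT or DROP
    iface: Optional[str] = None
    src: Optional[str] = None     # CIDR or single address
    src_negate: bool = False      # ! -s
    mac: Optional[str] = None
    mac_negate: bool = False      # ! --mac-source

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src is not None:
            in_net = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src, strict=False)
            if in_net == self.src_negate:      # match only if (in_net XOR negate)
                return False
        if self.mac is not None:
            same = pkt.src_mac.lower() == self.mac.lower()
            if same == self.mac_negate:
                return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed packets. Every one carries the router's MAC, because the router
# is the last hop that rewrites the Ethernet header (post #6).
PACKETS: Dict[str, Packet] = {
    "router_syslog":   Packet("eth0", ROUTER_IP, ROUTER_MAC),      # the logged UDP/514 packet
    "spoofed_private": Packet("eth0", "192.168.5.9", ROUTER_MAC),  # forwarded packet with a private source
    "internet_host":   Packet("eth0", "203.0.113.7", ROUTER_MAC),  # ordinary internet source (TEST-NET-3)
}

# Post #3: the private-range DROP that catches the router as well.
BOGON_ONLY = [Rule("DROP", iface="eth0", src="192.168.0.0/16")]

# Post #8: whitelist the two known hosts, then drop the whole range.
WHITELIST_FIRST = [
    Rule("ACCEPT", iface="eth0", src="192.168.0.1"),
    Rule("ACCEPT", iface="eth0", src="192.168.0.2"),
    Rule("DROP", iface="eth0", src="192.168.0.0/16"),
]

# Post #2: drop anything whose source MAC is not the router's.
MAC_FILTER = [Rule("DROP", iface="eth0", mac=ROUTER_MAC, mac_negate=True)]

# Post #2: drop anything whose source IP is outside 192.168.0.0/30.
NEGATED_SLASH30 = [Rule("DROP", iface="eth0", src="192.168.0.0/30", src_negate=True)]


def evaluate(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for each constructed packet under the given chain."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in [("bogon only", BOGON_ONLY), ("whitelist first", WHITELIST_FIRST),
                         ("mac filter", MAC_FILTER), ("! -s /30", NEGATED_SLASH30)]:
        print(label.ljust(16), evaluate(chain))
```

The four results summarise the thread: the bare range DROP also drops the router's own syslog packet; putting the two ACCEPT rules first keeps the router while still dropping a forwarded packet with a private source; the MAC rule drops nothing at all because every packet matches the router's MAC; and `! -s 192.168.0.0/30 -j DROP` drops every ordinary internet source as well, which is why the whitelist ordering is the one to use.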
 
#9  04-27-2006, 09:23 AM  gabsik (Original Poster)
You are right, there is always a simpler way of doing things and I always take the hardest .... thanks!

Last edited by gabsik; 04-27-2006 at 10:46 AM.
 
  


All times are GMT -5.
