MAC address verification
Hi!
Hi!
I am running a firewall script using iptables on a Fedora box; part of it is shown below:
********************************************************
# flush and delete everything so we start from empty tables
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
# default policies: anything not explicitly accepted is dropped
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
# kernel networking parameters
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem
#ALLOW USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
#DENY USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j DROP
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j REJECT
********************************************************
The problem is that if a user in the denied (DROPPED) list changes his/her IP and MAC address to an allowed IP+MAC, he/she would gain access to the system.... Now I read somewhere about this:
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source ! $MAC -j DROP
I tried this but no dice... Does anyone have any pointers on how a Linux box could check for the real MAC addresses,
not the spoofed ones? Or anything... I would be grateful. Regards, Sevensins
As you know, MAC addresses are spoofable. You'll need to look at other mechanisms for allowing/denying access.
A pretty standard approach is to deny all and set up explicit allow rules for certain subnets via iptables. On top of that, what services are you providing? There may be application-level access control that you can implement. Finally, if your situation requires your packet filtering rules to allow large, untrusted subnets, there are applications that can help blacklist abusers (e.g. denyhosts, fail2ban, etc.).
Your policies are set to DROP. That means any packets which don't match any rules will get sent to DROP regardless. So by only having ACCEPT rules for good MAC/IP combinations, you'll automatically be sending to DROP any bad MAC/IP combinations - without the need for any DROP rules. This is called whitelisting. And as has been said, this offers no protection against spoofing.
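As an added example (not part of the original thread, and not the poster's script), here is the whitelist-only approach the two replies above describe: default DROP policies on INPUT and FORWARD plus one explicit ACCEPT per known IP/MAC pair, with no DROP rules at all. The interface name LAN_IF, the iptables path IPT and the whitelist entries are assumed or constructed for the example. It validates each entry before turning it into a rule and, by default, only prints the commands so the result can be reviewed without root. As the replies say, this still does nothing against a host that sets both its IP and MAC to a whitelisted pair.

```shell
#!/bin/sh
# Added example: generate a whitelist-only iptables ruleset for a NAT router.
# Policy DROP + explicit ACCEPT rules; anything unmatched falls through to the
# policy, so no per-host DROP/REJECT rules are needed.
# Assumptions: LAN_IF is the LAN-side interface, IPT the iptables binary.

LAN_IF="${LAN_IF:-eth1}"
IPT="${IPT:-/sbin/iptables}"

# Constructed whitelist for the example: "IP MAC" per line, '#' starts a comment.
WHITELIST='# office machines
192.168.1.10 00:11:22:33:44:55
192.168.1.11 66:77:88:99:AA:BB
192.168.1.300 de:ad:be:ef:00:01   # bad IP, must be rejected
192.168.1.12 not-a-mac            # bad MAC, must be rejected'

# valid_ipv4 IP: true if IP is a dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on dots in a subshell so the caller's IFS is untouched
    (IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done)
}

# valid_mac MAC: true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_ruleset WHITELIST: print the iptables commands, one per line.
# Invalid entries are reported on stderr and skipped rather than silently
# becoming a rule that matches nothing (or, worse, everything).
build_ruleset() {
    printf '%s -F INPUT\n' "$IPT"
    printf '%s -F FORWARD\n' "$IPT"
    printf '%s -P INPUT DROP\n' "$IPT"
    printf '%s -P FORWARD DROP\n' "$IPT"
    # the router itself needs loopback and the return half of its own flows
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    printf '%s -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    printf '%s\n' "$1" | sed 's/#.*//' | while read -r ip mac _; do
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            printf 'build_ruleset: skipping invalid entry "%s %s"\n' "$ip" "$mac" >&2
            continue
        fi
        # --mac-source only works where the kernel still has the frame's
        # link-layer header (INPUT, FORWARD, PREROUTING) and only sees the
        # MAC of the directly attached sender, hence the -i LAN_IF match.
        for chain in INPUT FORWARD; do
            printf '%s -A %s -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
                "$IPT" "$chain" "$LAN_IF" "$ip" "$mac"
        done
    done
}

# count_accept_rules WHITELIST: number of per-host ACCEPT rules generated
count_accept_rules() {
    build_ruleset "$1" 2>/dev/null | grep -c -- '--mac-source'
}

# Dry run by default; run with APPLY=1 as root to execute the commands.
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset "$WHITELIST" | sh -e
else
    build_ruleset "$WHITELIST"
fi
```

The two invalid lines in the constructed whitelist are skipped with a message on stderr, so the generated set contains exactly four per-host ACCEPT rules (two hosts, INPUT and FORWARD). The ESTABLISHED,RELATED rules are what let replies to the router's own traffic and to forwarded connections back in once the policy is DROP.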
My Linux box is providing internet access to a few users on the LAN using NAT and transparent Squid.
I would be grateful if anyone could point me towards other mechanisms for allowing/denying access, or should I use some other distro or some other firewall? Regards, Sevensins
Well, you could make Squid non-transparent and then set it to authenticate users (I believe it won't do authentication in transparent mode). Or you could leave it transparent and have your firewall do the authentication for all traffic with something like NuFW. You could even set up some kind of authentication portal like they do on wireless hotspots, using something like Chillispot. You've got tons of choices, really. I don't see any reason why you must use another distro, but using a specialized firewall distro (instead of a generic distro like Fedora) might make things easier if you lack patience.
Thanks a lot