LinuxQuestions.org, Linux - Security forum
11-09-2007, 06:46 PM   #1
Sevensins (LQ Newbie; registered Nov 2004; location: Pakistan; posts: 24)
MAC address verification


Hi!
I am running a firewall script using iptables on a Fedora box; part of it is shown below:

********************************************************
# Reset every table once (the original flushed and deleted the nat chains twice)
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
# Default deny: anything not matched by an ACCEPT rule below is dropped
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

# Kernel settings for a NAT/router box
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem

#ALLOW USERS
# $IP and $MAC must be set per user before each pair of rules, e.g.
# IP=192.0.2.10 MAC=00:11:22:33:44:55 (placeholder values, not a real user)
/sbin/iptables -I INPUT -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -s $IP -m mac --mac-source $MAC -j ACCEPT

#DENY USERS
# Same per-user $IP/$MAC; with policy DROP these only matter for a pair that is
# also in the allow list (the later -I puts the deny rule above the accept rule)
/sbin/iptables -I INPUT -s $IP -m mac --mac-source $MAC -j DROP
/sbin/iptables -I FORWARD -s $IP -m mac --mac-source $MAC -j REJECT
********************************************************

The problem is that if a user in the denied (DROPped) list changes his/her IP and MAC address to an allowed IP+MAC pair, he/she would gain access to the system. Now I read somewhere about this:

/sbin/iptables -I INPUT -s $IP -m mac --mac-source ! $MAC -j DROP
# (newer iptables releases write the negation as: -m mac ! --mac-source $MAC)

I tried this but no dice. Does anyone have any pointers on how a Linux box could check for the real MAC addresses, not the spoofed ones? Or anything else? I would be grateful.

Regards,
Sevensins
11-09-2007, 07:15 PM   #2
anomie (Senior Member; registered Nov 2004; location: Texas; distribution: RHEL, Scientific Linux, Debian, Fedora; posts: 3,935; blog entries: 5)
As you know, MAC addresses are spoofable. You'll need to look at other mechanisms for allowing/denying access.

A pretty standard approach is to deny all and set up explicit allow rules for certain subnets via iptables.

On top of that, what services are you providing? There may be application-level access control that you can implement.

Finally, if your situation requires your packet filtering rules to allow large, untrusted subnets, there are applications that can help blacklist abusers (e.g. denyhosts, fail2ban, etc.).
11-09-2007, 08:07 PM   #3
win32sux (LQ Guru; registered Jul 2003; location: Los Angeles; distribution: Ubuntu; posts: 9,870)
Your policies are set to DROP. That means any packets which don't match any rules will get sent to DROP regardless. So by only having ACCEPT rules for good MAC/IP combinations, you'll automatically be sending to DROP any bad MAC/IP combinations - without the need for any DROP rules. This is called whitelisting. And as has been said, this offers no protection against spoofing.

Last edited by win32sux; 11-09-2007 at 08:14 PM.
11-10-2007, 10:54 AM   #4
Sevensins (original poster; LQ Newbie; registered Nov 2004; location: Pakistan; posts: 24)
My Linux box is providing internet access to a few users on a LAN using NAT and transparent Squid.
I would be grateful if anyone could point me towards other mechanisms for allowing/denying access, or should I use some other distro or some other firewall?

Regards,
Sevensins

Last edited by Sevensins; 11-10-2007 at 10:55 AM.
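The whitelist design from #2 and #3 (default DROP, explicit ACCEPT for known IP+MAC pairs, no per-user DROP rules) applied to the NAT + transparent Squid gateway described in #4, as an added example written for this page, not code from any poster. Interface names (eth0 uplink, eth1 LAN), the 192.0.2.0/24 LAN, the Squid port and the allow-list entries are placeholder assumptions. The script prints the rules by default; set IPT=/sbin/iptables to load them.

```shell
#!/bin/sh
# Added example, not from the thread: whitelist gateway firewall in the style of
# the OP's script. Policy DROP does all the denying; only allow-listed IP+MAC
# pairs get ACCEPT rules. Interfaces, LAN range and Squid port are assumptions.
# IPT defaults to "echo /sbin/iptables" so rules are printed rather than loaded;
# run as: IPT=/sbin/iptables sh firewall.sh --run   to apply them for real.

IPT="${IPT:-echo /sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Constructed allow-list, one "ip mac" per line, '#' comments allowed. The last
# entry is deliberately malformed to show it is skipped instead of aborting the
# load half way (a failed iptables call would leave the box partly configured).
ALLOWLIST='
# ip             mac
192.0.2.10       00:11:22:33:44:55
192.0.2.11       00:11:22:33:44:66
192.0.2.12       00:11:22:33:44
'

# Six colon-separated hex octets, case-insensitive.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# ACCEPT for one IP+MAC pair, on the LAN interface only: to the box itself
# (INPUT, which is also where REDIRECTed Squid traffic lands) and through it.
allow_pair() {
    $IPT -A INPUT   -i "$LAN_IF" -s "$1" -m mac --mac-source "$2" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

build_rules() {
    for t in filter nat mangle; do        # reset each table exactly once
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT                 # the box (and Squid) may talk out

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Whitelisted users: skip comments and blank lines, validate before use.
    printf '%s\n' "$ALLOWLIST" | grep -Ev '^[[:space:]]*(#|$)' |
    while read -r ip mac; do
        if valid_mac "$mac"; then
            allow_pair "$ip" "$mac"
        else
            echo "allow-list: bad MAC for $ip: '$mac' (entry skipped)" >&2
        fi
    done

    # Transparent Squid: nat PREROUTING runs before the filter chains, so the
    # REDIRECT is not the access check; the redirected packet still has to pass
    # the whitelist in INPUT above before Squid ever sees it.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "--run" ]; then
    build_rules
fi
```

The -I/-A difference matters: the OP's script uses -I everywhere, so later rules land on top and a deny pair inserted after an allow pair silently overrides it; appending with -A keeps the file order as the evaluation order. As every reply in the thread notes, none of this stops a client that clones both the IP and the MAC of an allowed host; it only removes the redundant DROP rules and the chance of lockout from a malformed entry.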
11-10-2007, 05:00 PM   #5
win32sux (LQ Guru; registered Jul 2003; location: Los Angeles; distribution: Ubuntu; posts: 9,870)
Well, you could make Squid non-transparent and then set it to authenticate users (I believe it won't do authentication in transparent mode). Or you could leave it transparent and have your firewall do the authentication for all traffic with something like NuFW. You could even set up some kind of authentication portal like they do on wireless hotspots, using something like Chillispot. You've got tons of choices, really. I don't see any reason why you must use another distro, but using a specialized firewall distro (instead of a generic distro like Fedora) might make things easier if you lack patience.

Last edited by win32sux; 11-10-2007 at 05:15 PM.
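The first option above, Squid as an explicit proxy that requires a login, as an added configuration example written for this page (not from any poster or from the Squid project). The helper path, password file and LAN range are placeholder assumptions for a Fedora-era Squid 2.x; later versions ship the helper as basic_ncsa_auth under /usr/lib64/squid, so check what your package installs.

```conf
# Added example, not from the thread: explicit (non-transparent) Squid with
# Basic authentication. Paths and the LAN range are assumptions.
http_port 3128                          # plain proxy port: no transparent/intercept keyword

# Basic auth against an htpasswd-style file
# (create users with: htpasswd -c /etc/squid/passwd alice)
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm LAN proxy
auth_param basic credentialsttl 2 hours

acl lan src 192.0.2.0/24
acl authenticated proxy_auth REQUIRED

# First matching http_access line wins: a LAN host with a valid login is
# allowed, a LAN host without credentials gets the 407 challenge, anyone
# else is denied.
http_access allow lan authenticated
http_access deny all
```

Access is now tied to a credential rather than to an IP+MAC pair, which is what the original question was after. Two things have to go with it: the nat REDIRECT rule for port 80 is removed and the FORWARD chain must not ACCEPT tcp/80 or tcp/443 for LAN hosts (only INPUT to tcp/3128 from the LAN), otherwise a client can simply bypass the proxy; and Basic auth sends the password base64-encoded in the clear, so it is only acceptable on a wire you trust, or switch the auth_param lines to the digest scheme.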
11-11-2007, 12:59 PM   #6
Sevensins (original poster; LQ Newbie; registered Nov 2004; location: Pakistan; posts: 24)
Thanks a lot.