LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   using iptables to reject mac address (http://www.linuxquestions.org/questions/linux-security-4/using-iptables-to-reject-mac-address-897644/)

wademac 08-16-2011 11:38 AM

using iptables to reject mac address
 
Hello LQ,

I would like to block all traffic to a server by mac address and only allow access by one mac address. I understand mac addresses can be spoofed but would some below do the trick:

iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT

iptables -A INPUT -i eth0 -j REJECT

acid_kewpie 08-16-2011 11:45 AM

Blocking by Mac is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) Or a misunderstanding of the role of layer 3 routers (Mac addresses do not pass through them, it is changed to the routers Mac when it hits it) .

But if either of those are not relevant it looks fine to me.

wademac 08-16-2011 11:55 AM

This is fine within the same subnet but if it is routed outside that the mac address of the router is used correct?

acid_kewpie 08-16-2011 12:00 PM

Yep. Mac is layer 2 data so does not leave the subnet.

wademac 08-16-2011 12:11 PM

If I had another machine on a different subnet or even outside with a dynamic ip address what would you suggest to secure it access to this "somewhat locked" machine?

acid_kewpie 08-17-2011 02:20 AM

You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using preshared key.


All times are GMT -5. The time now is 08:33 PM.