using iptables to reject mac address
Hello LQ,
I would like to block all traffic to a server by mac address and only allow access by one mac address. I understand mac addresses can be spoofed, but would something like the below do the trick?

    iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT
    iptables -A INPUT -i eth0 -j REJECT
Blocking by Mac is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) or a misunderstanding of the role of layer 3 routers (Mac addresses do not pass through them; the source Mac is changed to the router's Mac when it hits it).
But if either of those are not relevant it looks fine to me.
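As an added illustration (not code from the thread), here is the same allow-one-MAC policy written as an iptables-restore ruleset generated by a small POSIX shell script. It keeps the two rules from the question but also accepts loopback traffic and replies to connections the server itself opened (via the conntrack match), which the bare two-line version would reject along with everything else arriving on eth0. The MAC, the interface name and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: build an iptables-restore
# ruleset that admits one MAC on one interface and rejects all other
# inbound packets on that interface. The MAC and interface are constructed
# sample values.

# Return 0 if $1 looks like a colon-separated 48-bit MAC address, else 1.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print a ruleset for iptables-restore. $1 = allowed MAC, $2 = interface.
mac_allow_rules() {
    mac=$1
    ifc=${2:-eth0}
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is never subject to the MAC check
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated (DNS, package updates, ...)
-A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one permitted neighbour; only meaningful on the same layer 2 segment,
# since a router rewrites the source MAC to its own
-A INPUT -i $ifc -m mac --mac-source $mac -j ACCEPT
# everything else arriving on $ifc
-A INPUT -i $ifc -j REJECT
COMMIT
EOF
}

# Inspect the result without applying it:
#   mac_allow_rules 00:17:A4:A0:AA:AA eth0
# Apply it (needs root):
#   mac_allow_rules 00:17:A4:A0:AA:AA eth0 | iptables-restore
```

Running the generator without piping it into iptables-restore is a safe way to review the rule order before loading it; if the REJECT line were placed above the ACCEPT lines, the whole chain would reject everything, because iptables evaluates rules top to bottom and stops at the first match.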
This is fine within the same subnet, but if it is routed from outside, the mac address of the router is used, correct?
Yep. Mac is layer 2 data so does not leave the subnet.
If I had another machine on a different subnet, or even outside with a dynamic ip address, what would you suggest to secure its access to this "somewhat locked" machine?
You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using preshared key.