LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-16-2011, 11:38 AM   #1
wademac
Member
 
Registered: Apr 2008
Posts: 37

Rep: Reputation: 15
using iptables to reject mac address


Hello LQ,

I would like to block all traffic to a server by mac address and only allow access by one mac address. I understand mac addresses can be spoofed but would some below do the trick:

iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT

iptables -A INPUT -i eth0 -j REJECT
 
Old 08-16-2011, 11:45 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Blocking by Mac is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) Or a misunderstanding of the role of layer 3 routers (Mac addresses do not pass through them, it is changed to the routers Mac when it hits it) .

But if either of those are not relevant it looks fine to me.
 
Old 08-16-2011, 11:55 AM   #3
wademac
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
This is fine within the same subnet but if it is routed outside that the mac address of the router is used correct?
 
Old 08-16-2011, 12:00 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Yep. Mac is layer 2 data so does not leave the subnet.
 
Old 08-16-2011, 12:11 PM   #5
wademac
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
If I had another machine on a different subnet or even outside with a dynamic ip address what would you suggest to secure it access to this "somewhat locked" machine?
 
Old 08-17-2011, 02:20 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using preshared key.
 
  


Reply

Tags
firewall, iptables, mac address


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to reject connections which come from unknown mac address? Winanjaya Linux - Security 6 04-05-2009 09:40 AM
iptables + mac address filtering Roko Linux - Networking 1 09-10-2008 07:38 AM
MAC Address on IPTables boyfren Linux - Networking 9 02-21-2007 08:46 PM
Iptables/Mac address InJesus Linux - Security 3 11-17-2005 05:57 AM
MAC Address + IPTABLES yvesg Linux - Networking 1 05-10-2004 08:36 PM


All times are GMT -5. The time now is 01:22 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration