Hi All,

Am using Linux Voyage Version 0.7 on a Soekris Net5501 box in my project as the first device on my LAN.
The box is configured as a DHCP, DNS and Web server in addition to the other few services.

Client computers access content of this local server and the internet through a wireless access point connect to Ethernet port 2 or 3 of the soekris box and the two ports are bridged.

My problem is that I would like to filter access to the internet and local content by mac address using the iptables or other means necessary. In short deny DHCP requests from certain clients thereby effectively refusing them access to the LAN at all.

I know that this could be done on the access point but I'd like to add and remove clients remotely, in which case I can not if that is implemented on the access point.

Can someone please tell me how I can do this? And if this can not be done with IP tables, is there a way of denying access to some client computers on.

Many thanks

All things iptables are detailed here. That said

• it isn't a five minute read; you probably wouldn't expect it to be, I suppose
• I don't really like mac filtering, given that MAC addresses can be falsified and will probably go wrong when you replace some hardware with new versions, but if it is the only way to do what you want...

1 members found this post helpful.

Thanks Salasi, yes indeed not a 5 minute read but I have found it very useful, will try it on the test server at home before I can implement it.

In all of the locations where I might want to do this mac kind of filtering,all the client computers use wireless for local and internet access, likely that someone shared there wireless key and allowed unauthorized personnel on the network.
The default rule in the IP Tables is ACCEPT so I would like to drop specified mac addresses.

Salasi, what would you suggest as the solution for this kind of the situation given that the mac address can be "falsified"?

Many thanks again

What the default rule (you mean the policy, I think) is or is not seems irrelevant:

• Policies only apply to inbuilt chains; 'home made' chains don't even have a policy that you can set
• A policy can be functionally 'emulated' by doing the same thing in the final instructions in the chain, so you can make any chain behave as if it had a policy of drop or accept by appropriate final instructions
• (there is an argument that using the 'final instruction' approach is better than using policies because, if you make a mistake adding rules a policy of drop might lock you out of your own server, where, if you have the policy as accept, but are 'emulating' drop wiping out the rules in that chain may leave you with access)
• whatever, you still need some way to distinguish between 'packets that are allowed' and 'packets that are not allowed' and once you can do that you can do anything that you want with those packets

so you can make a chain behave in any way you want

Hmmm, well if you can't trust what should be your security measures... You are saying that you have a wireless network, which should be secured by wep/wpa/whatever (hope it isn't actually wep), but you are afraid that the wpa key has leaked. there is no other user logon to get to resources (this sounds doubtful to me...yes, it could work if it is only, eg, web access, that is being granted but if people are getting at their stored data on a server, for example, then that would raise big security concerns) then it would be difficult.

But bear in mind that someone competent (you may think that's a non-existent risk, and that's an estimation too easily made if you ever interact with users ...)

• can change the mac address on their network interface quite easily
• can snoop mac addresses, so it may not even be necessary for the legitimate owner of the mac address to do anything wrong for the usable mac to leak to someone who wants to get it

1 members found this post helpful.