LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 07-06-2013, 06:47 AM   #1
rjdbarsal
LQ Newbie
 
Registered: Jun 2013
Posts: 23

Rep: Reputation: Disabled
IPTABLES > MAC FILTERING not working


I tried DHCP MAC filtering, but it is not enough to secure our networks, and I think iptables will be...
This is my concept:
I set up a new laboratory (LAB) network.
My other network is connected to a LAB server running Ubuntu 12.04 Linux as a router.
And my LAB server is connected to the switch for the LAN PCs.
here is the image: https://fbcdn-sphotos-g-a.akamaihd.n...85323098_n.jpg

What I want is:
1. I only want registered MAC addresses to be able to have internet access.
2. I want those registered MAC addresses connected only to a specific network address for file sharing.
3. I want to know what steps I should follow.
Do I have to:
Flush all the iptables rules first then set default policies to DROP
or
set default policies after mac filtering.


I did some work related to these links.
http://www.linuxpakistan.net/forum/v...ic.php?p=35095
http://www.unix.com/security/160564-...c-address.html
https://www.linuxquestions.org/quest...tering-601505/

Code:
#Flushing All IPTABLES Rules

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Setting Default Policies To DROP

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#MAC Address Filtering
#list of mac addresses saved to a mac_addresses_file, one per line
while read macfile
do
iptables -A FORWARD -i eth1 -o eth0 -m mac --mac-source "$macfile" -m state --state NEW -j ACCEPT
...
...
...
done < mac_addresses_file
#I don't really get what I am doing; when I edit some of the source code and test it, it won't work. (I just don't have the luck.)
#Set default policies to DROP
I am hoping for your help guys.
Thanks

Last edited by rjdbarsal; 07-06-2013 at 07:35 AM.
 
Old 07-06-2013, 12:20 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
OK, I am a bit confused, but I may have worked enough of it out to get you a bit closer.

Quote:
Originally Posted by rjdbarsal View Post
I tried DHCP macfiltering is not enough to secure our networks and I think iptables will...
There seems to be some specific, objective security flaw that you are referring to here. I don't know what that is exactly. It might help if you told us what you see as the flaw, or what 'exploit' you see as not being prevented.
The diagram doesn't really tell much unless I assume that the connection off to the left goes to some sort of device that connects to the internet. Is that an assumption that I can safely make?

Quote:
Do I have to:
i) Flush all the iptables rules first then set default policies to DROP
or
ii) set default policies after mac filtering.
That's not the first question that you should be asking, but i) can work. I'm not sure what happens if you try to modify the policies of an existing chain, but it probably should work. That said:
  • policies only exist for the pre-defined chains, and not user defined ones
  • that should give the clue that policies are just a convenience and are never necessary to do what you want (perhaps, they are only sometimes harmful, though)
  • a policy of DROP is equivalent to having a last rule in the chain set to 'drop' all packets that come its way (and a policy of ACCEPT, for example - given that some people will (inaccurately) tell you that a policy of accept is always unsafe, you should think about what this really means)

Quote:
Code:
#Flushing All IPTABLES Rules

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Setting Default Policies To DROP

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#MAC Address Filtering
#list of mac addresses save to a mac_addresses_file
cat mac_addresses_file | while read macfile
do
iptables -A FORWARD -i eth1 -o eth0 -m mac --mac-source $macfile -m state --state NEW -j ACCEPT
...
...
...
#I don't really get what I am doing when edit some of the source code and tested it, won't work. (I just don't have the luck.)
#Set default policies to DROP
The first thing that you should ask yourself after this is "has this produced the set of iptables rules that I imagined it would?". I can't tell, for several reasons:
  • I'm not sure what the "..."s imply
  • I don't know whether the "..."s are in the do loop
  • I don't know the format of the file
  • I don't know what set of rules has been produced
  • I'm not exactly sure what you intended

You have the information to deal with every one of those questions. So, I'm going to say

Quote:
and tested it, won't work. (I just don't have the luck.)
is wrong, on the luck front, because some technique and organisation are the parts that are missing, not luck. Look at the set of iptables rules produced and try to come to some sort of conclusion about what happened. If necessary, modify your bash script. Do not take a complete guess as to what happened - you can actually look and see, and that way be sure.
 
Old 07-06-2013, 12:23 PM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
1. I only want registered mac addresses to be able to have an internet.
2. I want those registered mac addresses connected only to the a specific network address for file sharing.
Should have asked: Is this equivalent to saying that you want devices which have mac addresses not in the file to have absolutely no access to anything?
 
Old 07-06-2013, 01:03 PM   #4
rjdbarsal
LQ Newbie
 
Registered: Jun 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
Thanks for your response, salasi.

Quote:
there seems to be some specific, objective, security flaw that you are referring to here. I don't know what that is exactly. It might help if you told what you see as the flaw, or what 'exploit' you see as not being prevented.
When I try DHCP MAC filtering, setting up the network to obtain an automatic IP address works. But a PC can still have access to the internet or other networks by manually configuring its IP address, default gateway and DNS. How come? I wonder why.

Quote:
The diagram doesn't really tell much unless I assume that the connection off to the left goes to some sort of device that connects to the internet. Is that an assumption that I can safely make?
Yes, your assumption is right: the connection off to the left connects to the internet and other LAB networks.

For those "...", just replace FORWARD with INPUT and OUTPUT. I need more understanding of how to use iptables, explained simply so that I can understand it.

Quote:
Should have asked: Is this equivalent to saying that you want devices which have mac addresses not in the file to have absolutely no access to anything?
Yes, absolutely no access to anything.
 
Old 07-08-2013, 12:01 AM   #5
rjdbarsal
LQ Newbie
 
Registered: Jun 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
I came up with this rule on my iptables.

Code:
#by default the PCs do not have access outside the firewall/internet.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

#MAC filtering
#one of my PCs has the sample HWaddress (aa:aa:aa:aa:aa:aa) and I want it to have internet/network access.
iptables -A FORWARD -m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT
Then what happens is that there is still no connection.
 
Old 07-08-2013, 01:56 AM   #6
rjdbarsal
LQ Newbie
 
Registered: Jun 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
When I set the iptables rules so that all chains (INPUT, OUTPUT, FORWARD) are set to ACCEPT
and then block a specific MAC address by adding this rule:

iptables -I FORWARD -m mac --mac-source aa:aa:aa:aa:aa:aa -j DROP

it works!

but when I set the default FORWARD chain to DROP and enter this code:

iptables -I FORWARD -m mac --mac-source aa:aa:aa:aa:aa:aa -j ALLOW

it won't work.

I need help here.
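The rulesets in post #1 and posts #5 and #6 all share one gap: a `--mac-source` rule can only match frames that arrive from the client itself, while the replies coming back from the internet arrive on the WAN side carrying the upstream gateway's MAC, so with FORWARD set to DROP they are discarded and the client sees "no connection". (Note also that `ALLOW` is not an iptables target; the accepting target is `ACCEPT`.) The script below is an added example written for this thread, not code from any of the posters: it reads the MAC list from a file, rejects malformed entries instead of silently emitting rules that never match, adds the ESTABLISHED,RELATED rule that lets reply traffic back in, and adds the NAT rule a router needs. It assumes the LAN interface is eth1 and the internet interface is eth0; FILESHARE_NET is a placeholder for the file-sharing network from the original question and is only used when set. IPT defaults to `echo iptables`, so by default it prints the rules rather than installing them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a MAC allow-list for a Linux
# router's FORWARD chain. Assumptions: LAN side is eth1, internet side is eth0,
# allowed MACs sit one per line in a text file, and FILESHARE_NET (if set) is
# the CIDR of the file-sharing network. IPT defaults to "echo iptables", so the
# script only prints the rules; run it as  IPT=iptables sh rules.sh  to apply.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
FILESHARE_NET="${FILESHARE_NET:-}"

# is_mac ADDR: succeeds only for a well-formed aa:bb:cc:dd:ee:ff address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_macs FILE: print the usable entries of FILE, one per line.
# Blank lines and "#" comments are ignored; malformed entries are reported on
# stderr and skipped instead of silently producing a rule that never matches.
valid_macs() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        if is_mac "$line"; then
            printf '%s\n' "$line"
        else
            echo "skipping malformed MAC entry: $line" >&2
        fi
    done < "$1"
}

# count_valid_macs FILE: number of entries valid_macs would emit.
count_valid_macs() {
    valid_macs "$1" 2>/dev/null | wc -l | tr -d ' '
}

# apply_mac_allowlist FILE: emit (or, with IPT=iptables, install) the ruleset.
apply_mac_allowlist() {
    # Default-deny only on FORWARD. The router's own INPUT/OUTPUT stay open so
    # DHCP, DNS forwarding and SSH to the box keep working.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP
    # Replies from the internet arrive with the upstream gateway's MAC, not the
    # client's, so a --mac-source rule alone can never let them back in.
    # (-m state --state ESTABLISHED,RELATED is the older spelling of this match.)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    valid_macs "$1" | while IFS= read -r mac; do
        # Registered MACs may open NEW connections from the LAN side to the internet...
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mac --mac-source "$mac" \
            -m conntrack --ctstate NEW -j ACCEPT
        # ...and, if a file-sharing network is configured, to that network too.
        if [ -n "$FILESHARE_NET" ]; then
            $IPT -A FORWARD -i "$LAN_IF" -d "$FILESHARE_NET" -m mac --mac-source "$mac" \
                -m conntrack --ctstate NEW -j ACCEPT
        fi
    done
    # Everything else falls through to the DROP policy; log it first so that
    # "look at what actually happened" is possible via the kernel log.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Constructed sample list (not a real lab host list): two good entries, one typo.
MACFILE=$(mktemp)
cat > "$MACFILE" <<'EOF'
# lab PCs allowed out
02:00:00:00:00:01   # lab-pc-1
02:00:00:00:00:02
02:00:00:00:00:zz   # typo: not a MAC, will be skipped with a warning
EOF
apply_mac_allowlist "$MACFILE"
rm -f "$MACFILE"
```

Forwarding itself still has to be enabled (`sysctl -w net.ipv4.ip_forward=1`), and the rules are not persistent across reboots unless saved with the distribution's mechanism. Because the catch-all LOG rule sits just before the DROP policy, a client that is unexpectedly blocked shows up in the kernel log with its source MAC and interface, which answers salasi's "look and see" question directly instead of guessing.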
 
Old 08-15-2013, 03:51 AM   #7
4heavenssake
LQ Newbie
 
Registered: Aug 2013
Posts: 2

Rep: Reputation: Disabled
I'm having the same issue.

And it seems the MAC filter doesn't work for the internet, as this page mentioned:

# Set rule based upon MAC address, doesn't work on Internet, LAN only
iptables -A [CHAIN] -s [IP ADDRESS] -m mac --mac-source [MAC] -j [ACTION]
 
Old 10-26-2015, 02:41 PM   #8
Helipil0t
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Rep: Reputation: Disabled
Yup, I'm having the same issues. MAC filtering doesn't seem to work. I have produced the following rules in the FORWARD chain.

Code:
Chain FORWARD (policy ACCEPT 322 packets, 181K bytes) 
num   pkts bytes target     prot opt in     out     source               destination          
1      342 21034 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC F8:1E:DF:E6:DB:20 
2      490 28916 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
Using iptables logic, the client with the above mac address should have unrestricted access. All other traffic packets should be dropped.

But for some reason, only some packets get passed through, but most get dropped. The client has no internet access.
Can anyone shed some light on this issue? If I do this on the INPUT chain, all traffic to the router gets dropped even though it should be accepted.

There are tons of examples online telling me this SHOULD work. But it doesn't.
I'm running DD-WRT. I've tried too many builds to count. The problem persists across all DD-WRT builds.

I'd appreciate any help at all. Cheers!
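The listing above is the same pattern as the earlier posts: the MAC ACCEPT rule matches the client's outbound frames (hence "some packets get passed"), and everything coming back hits the catch-all DROP because reply packets do not carry the client's MAC. Following salasi's advice to inspect the rules actually produced, here is an added example (not from the thread) of a small checker that reads a saved `iptables -L FORWARD -v -n --line-numbers` listing and flags a MAC allow-list that has no rule admitting ESTABLISHED/RELATED reply traffic. The two sample listings are constructed for the example (the "bad" one mirrors the shape of the table in the post with a made-up MAC); they were not captured from a real router.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a saved listing of the FORWARD
# chain (output of: iptables -L FORWARD -v -n --line-numbers) for MAC ACCEPT
# rules applied without a rule admitting ESTABLISHED/RELATED reply traffic.
# Exit codes: 0 ok, 1 MAC allow-list with no return-traffic rule, 2 no FORWARD chain.
check_forward_listing() {
    awk '
        /^Chain FORWARD/ { inchain = 1; if ($0 ~ /policy DROP/) deny = 1; next }
        inchain && /^Chain / { exit }        # next chain: stop reading
        !inchain { next }
        $1 == "num" || $1 == "pkts" {        # header row: learn the column layout
            for (i = 1; i <= NF; i++) {
                if ($i == "target") t = i
                if ($i == "destination") d = i
            }
            next
        }
        d == 0 || NF < d { next }            # no header yet, or a blank line
        {
            extra = ""                       # match text after the destination column
            for (i = d + 1; i <= NF; i++) extra = extra " " $i
            if ($t == "ACCEPT" && extra ~ / MAC /) macs++
            if ($t == "ACCEPT" && extra ~ /ESTABLISHED/) est = 1
            # an unconditional DROP-all rule acts like a DROP policy
            if ($t == "DROP" && extra == "" && $(d-1) == "0.0.0.0/0" && $d == "0.0.0.0/0") catchall = 1
        }
        END {
            if (!inchain) exit 2
            if ((deny || catchall) && macs > 0 && !est) exit 1
            exit 0
        }' "$1"
}

# forward_listing_status FILE: same check, but prints the code instead of returning it.
forward_listing_status() {
    if check_forward_listing "$1"; then echo 0; else echo $?; fi
}

# sample_listing bad|good: constructed listings (not captured from a real router).
# "bad" mirrors the shape of the table in the post: MAC ACCEPT, then DROP-all.
sample_listing() {
    case $1 in
    bad) cat <<'EOF'
Chain FORWARD (policy ACCEPT 322 packets, 181K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      342 21034 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 02:00:00:00:00:01
2      490 28916 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    ;;
    good) cat <<'EOF'
Chain FORWARD (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9001 6534K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
2      342 21034 ACCEPT     0    --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           MAC 02:00:00:00:00:01 ctstate NEW
EOF
    ;;
    esac
}

# Walk through both samples when run directly.
for kind in bad good; do
    f=$(mktemp)
    sample_listing "$kind" > "$f"
    printf '%s listing: status %s\n' "$kind" "$(forward_listing_status "$f")"
    rm -f "$f"
done
```

On a real router the check is `iptables -L FORWARD -v -n --line-numbers > fwd.txt; sh check.sh fwd.txt`-style: save the listing, run the checker on it. The fix it points at is the same in every case on this thread: an ESTABLISHED,RELATED ACCEPT rule ahead of the MAC rules, and a listing whose packet counters on that rule climb while the client browses is the confirmation that it is now doing the work.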
 
Old 11-20-2015, 02:10 PM   #9
Helipil0t
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Rep: Reputation: Disabled
Refer to the following thread for my explanation of how I got this to work:

http://www.linuxquestions.org/questi...ng-4175557211/
 
Tags
filtering, iptables, mac address, server, ubuntu