Linux - Server (LinuxQuestions.org): This forum is for the discussion of Linux software used in a server-related context.
I tried DHCP MAC filtering; it is not enough to secure our networks, and I think iptables will...
This is my concept:
I set up a new laboratory (LAB) network.
My other network is connected to a LAB server running Ubuntu 12.04 Linux as a router.
And my LAB server is connected to the switch for the LAN PCs.
Here is the image: https://fbcdn-sphotos-g-a.akamaihd.n...85323098_n.jpg
What I want is:
1. I only want registered MAC addresses to be able to have internet access.
2. I want those registered MAC addresses connected only to a specific network address for file sharing.
3. I want to know what steps I should follow.
Do I have to:
i) Flush all the iptables rules first, then set default policies to DROP
or
ii) set default policies after MAC filtering?
Code:
# Flushing all iptables rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Setting default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MAC address filtering
# The list of MAC addresses is saved to mac_addresses_file
cat mac_addresses_file | while read macfile
do
iptables -A FORWARD -i eth1 -o eth0 -m mac --mac-source $macfile -m state --state NEW -j ACCEPT
...
...
...
# I don't really get what I am doing; when I edit some of the source code and tested it, it won't work. (I just don't have the luck.)
# Set default policies to DROP
OK, I am a bit confused, but I may have worked enough of it out to get you a bit closer.
Quote:
Originally Posted by rjdbarsal
I tried DHCP MAC filtering; it is not enough to secure our networks, and I think iptables will...
There seems to be some specific, objective, security flaw that you are referring to here. I don't know what that is exactly. It might help if you told us what you see as the flaw, or what 'exploit' you see as not being prevented.
The diagram doesn't really tell much unless I assume that the connection off to the left goes to some sort of device that connects to the internet. Is that an assumption that I can safely make?
Quote:
Do I have to:
i) Flush all the iptables rules first, then set default policies to DROP
or
ii) set default policies after MAC filtering?
That's not the first question that you should be asking, but i) can work. I'm not sure what happens if you try to modify the policies of an existing chain, but it probably should work. That said:
Policies only exist for the pre-defined chains, and not for user-defined ones.
That should give you the clue that policies are just a convenience and are never necessary to do what you want (though perhaps they are only sometimes harmful).
A policy of DROP is equivalent to having a last rule in the chain that drops all packets that come its way (and likewise a policy of ACCEPT, for example; given that some people will (inaccurately) tell you that a policy of ACCEPT is always unsafe, you should think about what this really means).
Quote:
Code:
# Flushing all iptables rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Setting default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MAC address filtering
# The list of MAC addresses is saved to mac_addresses_file
cat mac_addresses_file | while read macfile
do
iptables -A FORWARD -i eth1 -o eth0 -m mac --mac-source $macfile -m state --state NEW -j ACCEPT
...
...
...
# I don't really get what I am doing; when I edit some of the source code and tested it, it won't work. (I just don't have the luck.)
# Set default policies to DROP
The first thing that you should do after this is ask yourself: "has this produced the set of iptables rules that I imagined it would?". I can't tell, for several reasons:
I'm not sure what the "..."s imply
I don't know whether the "..."s are in the do loop
I don't know the format of the file
I don't know what set of rules has been produced
I'm not exactly sure what you intended
You have the information to deal with every one of those questions. So, I'm going to say
Quote:
and tested it, it won't work. (I just don't have the luck.)
is wrong, on the luck front, because some technique and organisation are the parts that are missing, not luck. Look at the set of iptables rules produced and try to come to some sort of conclusion about what happened. If necessary, modify your bash script. Do not take a complete guess as to what happened - you can actually look and see, and that way be sure.
Quote:
1. I only want registered MAC addresses to be able to have internet access.
2. I want those registered MAC addresses connected only to a specific network address for file sharing.
Should have asked: is this equivalent to saying that you want devices which have MAC addresses not in the file to have absolutely no access to anything?
Quote:
There seems to be some specific, objective, security flaw that you are referring to here. I don't know what that is exactly. It might help if you told us what you see as the flaw, or what 'exploit' you see as not being prevented.
When I try DHCP MAC filtering, setting up the network to obtain an automatic IP address works. But a PC can still get access to the internet or other networks by manually configuring its IP address, default gateway and DNS. How come? I wonder why.
Quote:
The diagram doesn't really tell much unless I assume that the connection off to the left goes to some sort of device that connects to the internet. Is that an assumption that I can safely make?
Yes, your assumption is right: the connection off to the left connects to the internet and other LAB networks.
For those "...", just replace FORWARD with INPUT and OUTPUT. I need more understanding of using iptables, explained simply so that I can understand.
Quote:
Should have asked: is this equivalent to saying that you want devices which have MAC addresses not in the file to have absolutely no access to anything?
Code:
# Set by default that the PCs don't have access outside the firewall/internet.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
# MAC filtering
# One of my PCs has the sample HWaddr aa:aa:aa:aa:aa:aa and I want it to have internet/network access.
iptables -A FORWARD -m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT
Yup, I'm having the same issues. MAC filtering doesn't seem to work. I produced the following rules in the FORWARD chain.
Code:
Chain FORWARD (policy ACCEPT 322 packets, 181K bytes)
num pkts bytes target prot opt in out source destination
1 342 21034 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC F8:1E:DF:E6:DB:20
2 490 28916 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Using iptables logic, the client with the above MAC address should have unrestricted access, and all other traffic should be dropped.
But for some reason only some packets get passed through, and most get dropped. The client has no internet access.
Can anyone shed some light on this issue? If I do this on the INPUT chain, all traffic to the router gets dropped even though they should be accepted.
There are tons of examples online telling me this SHOULD work. But it doesn't.
I'm running DD-WRT. I've tried too many builds to count. The problem persists across all DD-WRT builds.
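A FORWARD ruleset for the setup in this thread, added here as an example and not code from any of the posters: it reads the registered MACs from a file, skips malformed lines, and adds the ESTABLISHED,RELATED rule for the return direction that the rulesets above lack. A `--mac-source` ACCEPT alone matches only the client's own outgoing packets; the replies come back from the upstream device with a different source MAC and fall to DROP, which is the pattern in the counters posted above. The interface names (eth1 LAN, eth0 internet) and the file name are assumptions taken from the first post.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the poster's interface names
# (eth1 = LAN side, eth0 = internet side) and a mac_addresses_file with one
# MAC per line. DRY_RUN=1 prints the rules instead of loading them, which is
# the "look at the set of rules produced" step from the reply above.

# Wrapper so the generated ruleset can be inspected without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Only well-formed colon-separated MACs are accepted; blank or malformed lines
# in the file are skipped instead of becoming a broken iptables call.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

build_forward_rules() {
    lan="${LAN_IF:-eth1}"; wan="${WAN_IF:-eth0}"; macs="${MAC_FILE:-mac_addresses_file}"
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Reply packets come back from the internet with the upstream router's MAC
    # as their source, so a --mac-source rule can never match them. Without
    # this rule the outgoing SYN is accepted and every reply is dropped, which
    # matches the counters posted above: some ACCEPTs, more DROPs, no access.
    ipt -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One rule per registered MAC: new connections from that MAC, LAN to WAN only.
    while IFS= read -r mac || [ -n "$mac" ]; do
        valid_mac "$mac" || continue
        ipt -A FORWARD -i "$lan" -o "$wan" -m mac --mac-source "$mac" \
            -m state --state NEW -j ACCEPT
    done < "$macs"
    # Everything else falls through to the DROP policy; log a sample of it so
    # the dropped packets can be seen in the kernel log rather than guessed at.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Run as: sh mac_filter.sh apply   (prefix with DRY_RUN=1 to preview the rules)
if [ "${1:-}" = apply ]; then build_forward_rules; fi
```

Compare `iptables -L FORWARD -v -n --line-numbers` before and after: with the state rule in place the DROP counter should stop growing for the registered client while its connections work.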