Linux - Networking
I'm trying to harden access to a custom-built router (Alix motherboard) a little bit more by whitelisting MAC addresses. This feature is quite common in consumer routers or embedded systems (e.g. OpenWrt, pfSense).
As far as I read, there are two ways to accomplish this:
1) Iptables rules
2) Static ARP table
Although I can easily block PCs in iptables, it seems more logical to block unwanted connections at L2 and leave the packet processing logic to iptables. It'll also reduce and simplify the iptables rules.
In this particular case I want to harden access on the wireless interface at home (actually not so many iptables rules). However, I'd like to try the same setup on a similar router for a small network (about 150 users) with more complex firewall rules and MAC whitelisting also on Ethernet. I thought simplifying the rules could speed up packet processing, and therefore give better network throughput.
So, I'd like to ask if it's worth it at all. Are there any other gains than simpler iptables rules (and, on the other hand, a slightly more complex configuration)?
And just for the record: I know that this can be easily bypassed by MAC spoofing, but most users won't even try that, and those who will are capable enough to figure out the right MAC and IP address and will find a way around the network restrictions anyway.
You can easily use a static ARP entry to point a MAC at some 0.0.0.0 or localhost sort of IP.
If I understood it right, with static ARP only the defined MAC/IP combinations are allowed to communicate with that particular NIC. Therefore it should be sufficient to define only the selected few MACs. Is that correct?
Quote:
Originally Posted by jefro
The MAC would have to be local, wouldn't it?
What exactly do you mean by local? Locally known? I want to be able to block new, unknown devices.
Let's assume I get a device that has a web-based interface on 10.10.1.1 but my LAN is on 192.168.1.x. Normally I wouldn't have that in my subnet. So, I'd make a static ARP entry for the device. I use its MAC address and I use a 192.168.1.123 entry in the ARP table. Now when I enter 192.168.123 in the browser I can access the device. This is an example of how to allow it in my LAN. To block it by any means, a static ARP entry for the device's MAC address would be set to 0.0.0.0.
Let's take another example. The command arp -a would show some static and dynamic entries. Dynamic ones only last a short while. Now ping google. You might be tempted to think that when the ping is done a dynamic entry for google would be there, but it won't, because ARP is MAC in the local subnet only.
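As an added example (not code from this thread), here is a small sh/awk audit of the router's neighbour table against a MAC/IP whitelist: a PERMANENT entry pins a known host, but the kernel still learns dynamic entries for any other host it talks to, so the table is worth checking for MACs that are not on the list and for known MACs seen with an unexpected IP. The whitelist values and the `ip -4 neigh show` lines below are constructed samples, not captured from a real router.

```sh
#!/bin/sh
# Audit the kernel neighbour (ARP) table against a MAC/IP whitelist.
# Findings: UNKNOWN-MAC (not whitelisted), IP-MISMATCH (whitelisted MAC seen
# with a different IP), UNRESOLVED (entry with no link-layer address, e.g. FAILED).

# Constructed whitelist (hypothetical values): "mac=ip" pairs, comma-separated.
WHITELIST='aa:bb:cc:dd:ee:01=192.168.1.10,aa:bb:cc:dd:ee:02=192.168.1.11'

# Constructed sample of `ip -4 neigh show` output; not from a real router.
SAMPLE_NEIGH='192.168.1.10 dev wlan0 lladdr aa:bb:cc:dd:ee:01 PERMANENT
192.168.1.11 dev wlan0 lladdr AA:BB:CC:DD:EE:02 REACHABLE
192.168.1.50 dev wlan0 lladdr 02:11:22:33:44:55 STALE
192.168.1.99 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.77 dev wlan0 FAILED'

# audit_neigh WHITELIST   (neighbour-table lines on stdin)
# Prints one finding per line; exit status 1 if anything was flagged, else 0.
audit_neigh() {
  awk -v wl="$1" '
    BEGIN {
      n = split(wl, pairs, ",")
      for (i = 1; i <= n; i++) {
        split(pairs[i], kv, "=")
        allowed[tolower(kv[1])] = kv[2]      # normalise MAC case once
      }
    }
    {
      ip = $1; mac = ""; state = $NF
      # the MAC follows the "lladdr" keyword; its position varies by line
      for (j = 2; j < NF; j++) if ($j == "lladdr") mac = tolower($(j + 1))
      if (mac == "") {
        printf "UNRESOLVED %s (%s)\n", ip, state; findings++
      } else if (!(mac in allowed)) {
        printf "UNKNOWN-MAC %s %s (%s)\n", ip, mac, state; findings++
      } else if (allowed[mac] != ip) {
        printf "IP-MISMATCH %s expected %s seen %s (%s)\n", mac, allowed[mac], ip, state
        findings++
      }
    }
    END { exit (findings > 0) }'
}

# On the router this would be:  ip -4 neigh show | audit_neigh "$WHITELIST"
printf '%s\n' "$SAMPLE_NEIGH" | audit_neigh "$WHITELIST" || echo "neighbour table has findings"
```

Run it from cron or a hotplug hook and alert on a non-zero exit; the whitelist format is deliberately the same MAC/IP pairing you would feed into static `ip neigh` entries.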