LinuxQuestions.org
Old 10-08-2014, 12:24 PM   #1
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo, FreeBSD
Posts: 176

Block unwanted MAC address with static arp table


I'm trying to harden access to a custom-built router (Alix motherboard) a little bit more by whitelisting MAC addresses. This feature is quite common in consumer routers or embedded systems (e.g. openwrt, pfsense).

As far as I read, there are two ways to accomplish this:

1) Iptables rules
2) Static ARP table

Although I can easily block PCs in iptables, it seems more logical to block unwanted connections at L2 and leave packet processing logic to iptables. It'll also reduce and simplify iptables rules.

In this particular case I want to harden access on the wireless interface at home (actually not so many iptables rules). However, I'd like to try the same setup on a similar router for a small network (about 150 users) with more complex firewall rules and MAC whitelisting also on ethernet. I thought simplifying the rules could speed up packet processing, and therefore improve network throughput.

So, I'd like to ask if it's worth it at all. Are there any other gains than simpler iptables rules (and on the other hand a somewhat more complex configuration)?

And just for the record: I know that this can be easily bypassed by MAC spoofing, but most users won't even try that, and those who will are capable enough to figure out the right MAC and IP address and will find a way around network restrictions anyway.
 
Old 10-08-2014, 03:29 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,130

You can easily use a static arp to a mac of some 0.0.0.0 or localhost sort of ip.

The mac would have to be local wouldn't it?
 
Old 10-12-2014, 02:35 PM   #3
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo, FreeBSD
Posts: 176

Original Poster
Quote (Originally Posted by jefro):
You can easily use a static arp to a mac of some 0.0.0.0 or localhost sort of ip.

If I understood it right, with a static ARP table only the defined combinations of MAC/IP are allowed to communicate with that particular NIC. Therefore it should be sufficient to define only the selected few MACs. Is that correct?

Quote (Originally Posted by jefro):
The mac would have to be local wouldn't it?

What exactly do you mean by local? Locally known? I want to be able to block new, unknown devices.
 
Old 10-13-2014, 03:39 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,130

Let me say this then.

Let's assume I get a device that has a web based interface of 10.10.1.1 but my LAN is on 192.168.1.x. Normally I wouldn't have that in my subnet. So, I'd make a static arp entry for the device. I use its MAC address and I use a 192.168.1.123 entry in the arp table. Now when I enter 192.168.123 in the browser I can access the device. This is an example of how to allow it in my LAN. To block it by any means, a static arp entry for the device's MAC address would be set to 0.0.0.0.

Let's take another example. The command arp -a would show some static and dynamic entries. Dynamic entries only last a short while. Now ping Google. You might be tempted to think that when the ping is done a dynamic entry for Google would be there, but it won't be, because arp only maps MACs in the local subnet.

Mac addresses usually get stripped over routing.
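An added example to illustrate the static-ARP whitelist idea discussed in this thread (it is not code from any poster here): it reads a table in /proc/net/arp format, flags MACs that are not on the whitelist, whitelisted MACs seen with an IP other than their assigned one, and whitelisted entries that are still dynamic rather than permanent, and generates the `ip neigh replace ... nud permanent` commands that pin each allowed pair. The ARP table, the whitelist and the interface name wlan0 are constructed sample values.

```python
# Constructed sample in /proc/net/arp format (not captured from a real router).
# Flags: 0x2 = complete, 0x4 = permanent (so 0x6 = complete + permanent), 0x0 = incomplete.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x6         00:11:22:33:44:55     *        wlan0
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        wlan0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:01     *        wlan0
192.168.1.12     0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Whitelist: MAC -> the single IP that MAC is allowed to use (constructed values).
WHITELIST = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}

ATF_COM, ATF_PERM = 0x2, 0x4


def parse_arp_table(text):
    """Parse /proc/net/arp text into (ip, flags, mac, dev) tuples, skipping the header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries.append((ip, int(flags, 16), mac.lower(), dev))
    return entries


def audit(entries, whitelist):
    """Classify each complete ARP entry: unknown MAC, MAC on an unexpected IP, or not yet pinned."""
    unknown, mismatched, dynamic = [], [], []
    for ip, flags, mac, dev in entries:
        if not flags & ATF_COM:
            continue  # incomplete entry: no MAC has been learned for this IP yet
        if mac not in whitelist:
            unknown.append((mac, ip, dev))
        elif whitelist[mac] != ip:
            mismatched.append((mac, ip, whitelist[mac]))
        elif not flags & ATF_PERM:
            dynamic.append((mac, ip, dev))
    return unknown, mismatched, dynamic


def permanent_entry_commands(whitelist, dev):
    """Build the iproute2 commands that pin each whitelisted IP to its MAC on dev."""
    return [f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
            for mac, ip in sorted(whitelist.items(), key=lambda kv: kv[1])]
```

A permanent entry only pins the router's own IP-to-MAC mapping so that ARP replies cannot overwrite it; dropping frames from a MAC that is not on the list still requires an L2 filter such as ebtables.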