
sixth_sense 06-14-2004 05:52 AM

restricting service based on mac address
Hi all,

I want some help regarding restricting any type of chatting on my LAN to boost my office productivity. Some of our officers try to break the office rules and chat during office hours. So, I need a Linux-based protection against this.

All our requirement is to block all types of chatting software (Yahoo, MSN, web chat rooms, IRC, and all third-party software that allows people to use Yahoo/MSN-like integrated protocol support and chat).

We want it to restrict based on hardware address, so we can allow some of our management PCs to chat and block all the rest. In a word, we need some register-like mechanism, where we'll tell which PC is allowed / not allowed to chat.

We want it on Red Hat 9, and in a way that the Red Hat box can also act as a NAT server, because we've got only one public IP and want to share the connection on the LAN.


peter_robb 06-14-2004 03:21 PM

I'll guess from your question that you're not too familiar with iptables at the moment...
MAC address is a standard match...

So I'll take a bold step and suggest you don't try using RH9 for this NAT/firewall box.
The product has been retired and there aren't any security patches from "up2date" any longer..
So you'll end up with exploitable holes in your setup in the near future..

If you want to try your hand at making one from scratch, I would recommend one of the other distributions.

To stop chatting through port 80 and 443 (http & https) I would recommend installing dansguardian which requires a proxy, eg squid
A lot of distributions have squid and dansguardian packages available..

Also, not many services exist above port 1024 that regular staff need access to, so a general block from ports 1024:65535 will keep them quiet, udp & tcp.
To allow specific people by MAC address, you can add a rule set such as

iptables -N MAC_allow
iptables -A MAC_allow -m mac --mac-source 00:99:88:77:66:55 -j RETURN (to permit..)
iptables -A MAC_allow -m mac --mac-source 00:99:88:77:66:55 -j RETURN (to permit..)
iptables -A MAC_allow ..... etc
iptables -A MAC_allow -j REJECT --reject-with icmp-net-prohibited (to reject)
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1024:65535 -j MAC_allow (to select who gets checked..)
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 1024:65535 -j MAC_allow ( everybody in this case.)
(eth0 is local LAN, eth1 is Internet)

Once you have a working dansguardian filter, I would recommend leaving it in "logging only" or stealth mode for a week to test the transparency and to get a history of browsing before applying the block. This way you have some better information on who is doing what and where. You can make a smarter block with this.
To log higher ports, add
iptables -t nat -I POSTROUTING -o eth1 -p tcp --dport 1024:65535 -j LOG --log-level 6 --log-prefix "outgoing "
(to make this the first postrouting rule)

I also recommend installing webmin to give it all a nice secure GUI interface..

If you want to get something up and running fast, there are several products built to do all of these things.
Have a look at for a bootable/live-cd that you can add dansguardian to.
(Dansguardian isn't supposed to be used in a commercial environment without a license, and they recommend Smoothwall as a commercial bells and whistles product anyway..Links are on their site.)
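A shell version of the rule set from the post above, added here as an example (it is not code from the thread): it reads the "register" of permitted MACs from a plain file, skips malformed entries, and refuses to build the chain when the list is empty so a bad file cannot lock out the management PCs too. eth0/eth1 follow the post's assumptions; the register file format and the dry-run default (IPTABLES="echo iptables") are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the MAC_allow chain from a
# register file (one MAC per line, '#' comments allowed). Assumptions:
# eth0 = LAN, eth1 = Internet. IPTABLES defaults to a dry run that only
# prints the rules; set IPTABLES=iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# build_mac_allow REGISTER_FILE
# Returns 1 (and emits no rules) if the file holds no valid MAC, so an
# empty or mistyped register does not produce a chain that rejects everyone.
build_mac_allow() {
    register="$1"
    macs=""
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and whitespace, normalise to lower case
        mac=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        [ -z "$mac" ] && continue
        case "$mac" in
            [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
                macs="$macs $mac" ;;
            *)
                printf 'skipping malformed MAC: %s\n' "$line" >&2 ;;
        esac
    done < "$register"
    [ -n "$macs" ] || { printf 'no valid MAC in %s, nothing applied\n' "$register" >&2; return 1; }

    $IPTABLES -N MAC_allow
    # listed PCs leave the chain and are allowed through
    for mac in $macs; do
        $IPTABLES -A MAC_allow -m mac --mac-source "$mac" -j RETURN
    done
    # everyone else on the LAN is rejected
    $IPTABLES -A MAC_allow -j REJECT --reject-with icmp-net-prohibited
    # LAN-to-Internet traffic on high ports gets checked, tcp and udp
    for proto in tcp udp; do
        $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport 1024:65535 -j MAC_allow
    done
    # log high-port traffic heading out, as the first POSTROUTING rule
    $IPTABLES -t nat -I POSTROUTING -o "$WAN_IF" -p tcp --dport 1024:65535 -j LOG --log-level 6 --log-prefix "outgoing "
}
```

Run it first with the default dry run and read the printed rules before switching IPTABLES to the real binary.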

ppuru 06-14-2004 10:47 PM

You can use squid proxy.

win32sux 09-28-2004 08:59 PM

sixth_sense, was your project successful??
