Latest LQ Deal: Latest LQ Deals
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 06-14-2004, 05:52 AM   #1
Registered: Mar 2004
Distribution: RedHat
Posts: 99

Rep: Reputation: 15
Question restricting service based on mac address

Hi all,

I want some help regarding restricting any types of chatting on my lan to boost up my office productivity. some of our officer try to break up office rule and do chatting during office hour. So, i need a linux base protection against this.

All our requirement is to block all types of chatting software (yahoo, msn, web chat room, irc, and all third party software that allow ppl using yahoo,msn like intregrated protocol support and chat

We want it to restrict it based on hardware address, so we can allow some of our management Pc to do chatting expect all block. In a word, we need some register like mechanism - where we'll tell which PC is allowed / not allowed to do chat.

We want it on Redhat-9. And in an way that the redhat box also can act like a NAT server, cuz we've got only one public IP..and wantto share the connection on Lan.


Last edited by sixth_sense; 06-14-2004 at 05:58 AM.
Old 06-14-2004, 03:21 PM   #2
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
I'll guess from your question that you're not too familiar with iptables at the moment...
MAC address is a standard match...

So I'll take a bold step and suggest you don't try using RH9 for this NAT/firewall box.
The product has been retired and there aren't any security patches from "up2date" any longer..
So you'll end up with exploitable holes in your setup in the near future..

If you want to try your hand at making one from scratch, I would recommend one of the other distributions.

To stop chatting through port 80 and 443 (http & https) I would recommend installing dansguardian which requires a proxy, eg squid
A lot of distributions have squid and dansguardian packages available..

Also, not many services exist above port 1024 that regular staff need access to, so a general block from ports 1024:65535 will keep them quiet, udp & tcp.
To allow specific people by MAC address, you can add a rule set such as

iptables -N MAC_allow
iptables -A MAC_allow -m mac --mac-source 00:99:88:77:66:55 -j RETURN (to permit..)
iptables -A MAC_allow -m mac --mac-source 00:99:88:77:66:55 -j RETURN (to permit..)
iptables -A MAC_allow ..... etc
iptables -A MAC_allow -j REJECT --reject-with icmp-net-prohibited (to reject)
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1024:65535 -j MAC_allow (to select who gets checked..)
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 1024:65535 -j MAC_allow ( everybody in this case.)
(eth0 is local LAN, eth1 is Internet)

Once you have a working dansguardian filter, I would recommend leaving it in "logging only" or stealth mode for a week to test the transparency and to get a history of browsing before applying the block. This way you have some better information on who is doing what and where. You can make a smarter block with this.
To log higher ports, add
iptables -t nat -I POSTROUTING -o eth1 -p tcp --dport 1024:65535 -j LOG --log-level 6 --log=prefix "outgoing "
(to make this the first postrouting rule)

I also recommend installing webmin to give it all a nice secure GUI interface..

If you want to get something up and running fast, there are several products built to do all of these things.
Have a look at for a bootable/live-cd that you can add dansguardian to.
(Dansguardian isn't supposed to be used in a commercial environment without a license, and they recommend Smoothwall as a commercial bells and whistles product anyway..Links are on their site.)

Last edited by peter_robb; 06-14-2004 at 03:24 PM.
Old 06-14-2004, 10:47 PM   #3
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You can use squid proxy.
Old 09-28-2004, 08:59 PM   #4
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
sixth_sense, was your project successful??


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux based gateway for time-based wireless service. TotalDefiance Linux - Software 0 10-03-2005 06:06 PM
MAC Address based hostname hogg85 Linux - Networking 2 06-13-2005 12:51 PM
Can I deny access based on mac or IP address with shorewall? enigma_0Z Linux - Networking 1 06-02-2005 04:15 PM
how to get ip address, broadcast address, mac address of a machine sumeshstar Programming 2 03-12-2005 04:33 AM
Get IP based on Mac address sunmiewon Linux - Networking 4 01-31-2004 06:18 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:26 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration