LinuxQuestions.org
Old 03-19-2009, 10:30 PM   #1
landysaccount
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188
Help w mac filtering


Hello.

I currently have a router (already mentioned this on a previous post) with Debian Etch blocking ports and some services. Now, I would like to cut users off by doing mac filtering. I would like to have a list of macs that will be allowed to browse the internet.

I believe if I do:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xxxxxxxxxx -j ACCEPT

iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -j ACCEPT

will let that user do whatever, but it won't block traffic to the services.

I only want allowed macs to use certain traffic, all others nothing.

How can I accomplish this?

Thanks in advance for your help.
 
Old 03-20-2009, 12:15 PM   #2
landysaccount
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188
Original Poster
I was doing some reading and thought of an option:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

... here do the normal port filtering...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

Would this work?
 
Old 03-23-2009, 07:01 AM   #3
archtoad6
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15
I haven't messed w/ iptables for a couple of years, but your approach sounds logical. I can't critique your syntax.
 
Old 03-23-2009, 07:07 AM   #4
reptiler
Registered: Mar 2009
Location: Hong Kong
Distribution: Fedora
Posts: 184
Quote:
Originally Posted by landysaccount
I believe if I do:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xxxxxxxxxx -j ACCEPT

iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -j ACCEPT

will let that user do whatever, but it won't block traffic to the services.
Right. As the first rule matches the MAC address, it will accept the package; the next rule doesn't apply to that package anymore.
Thus a user with the given MAC address will be allowed full access through the box.

Personally I think I'd work with package-marking.
Code:
iptables -A FORWARD -t mangle -m mac --mac-source ... -j MARK --set-mark 1
iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -m mark --mark 1 -j ACCEPT
This should be okay, although I haven't played with marked packages for a while.
 
Old 03-23-2009, 09:17 AM   #5
archtoad6
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15
You do mean "packet" not "package", don't you?
 
Old 03-23-2009, 11:36 AM   #6
reptiler
Registered: Mar 2009
Location: Hong Kong
Distribution: Fedora
Posts: 184
Quote:
Originally Posted by archtoad6
You do mean "packet" not "package", don't you?
Yeah, but honestly, does it really matter? I guess everybody knows what I'm talking about.
 
Old 03-24-2009, 04:50 PM   #7
landysaccount
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188
Original Poster
I've never worked with marking packets, but I guess I'll read about it and maybe test it.

I haven't tested:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

... here do the normal port filtering...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

But, as archtoad6 mentioned, it sounds logical. I'll give it a try later and will keep you posted.
 
Old 03-24-2009, 08:17 PM   #8
landysaccount
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188
Original Poster
Quote:
Originally Posted by landysaccount
I've never worked with marking packets, but I guess I'll read about it and maybe test it.

I haven't tested:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

... here do the normal port filtering...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

But, as archtoad6 mentioned, it sounds logical. I'll give it a try later and will keep you posted.
Ok. I have tested the code above and it works. It blocks all the macs except for those that pass through the check_macs chain.
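A fuller version of the check_macs approach that landysaccount tested, written here as an added example (it is not code from the thread): the allow-list is validated before any rule is generated, unknown MACs are logged before being dropped so new devices show up in syslog, and the jump covers every protocol rather than only tcp/udp. The LAN and DRY_RUN variables and the MAC values are assumed/constructed; with DRY_RUN=1 (the default) the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the check_macs chain from an
# allow-list, then logs and drops every other LAN MAC. LAN and DRY_RUN are
# assumed names; with DRY_RUN=1 the iptables commands are printed, not run.
LAN="${LAN:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "iptables $*"; else iptables "$@"; fi
}

# Constructed sample allow-list: one MAC per line, '#' starts a comment.
ALLOWED_MACS='
00:11:22:33:44:55   # constructed: office PC
aa:bb:cc:dd:ee:ff   # constructed: laptop
01:23:45:67:89      # constructed: typo, will be skipped with a warning
'

# True only for a well-formed colon-separated MAC, so a typo in the list gives
# a warning instead of an iptables error halfway through loading the ruleset.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

build_mac_rules() {
    ipt -N check_macs 2>/dev/null || true   # create once; flush so re-runs are idempotent
    ipt -F check_macs
    printf '%s\n' "$ALLOWED_MACS" | sed 's/#.*//' | while read -r mac; do
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            ipt -A check_macs -m mac --mac-source "$mac" -j RETURN
        else
            echo "skipping malformed MAC: $mac" >&2
        fi
    done
    # Unknown MACs: rate-limited LOG so new devices are visible in syslog, then DROP.
    ipt -A check_macs -m limit --limit 5/min -j LOG --log-prefix "unknown-mac: "
    ipt -A check_macs -j DROP
    # Insert the jump at the top of FORWARD so the port-filtering rules that follow
    # only ever see packets from allowed MACs (all protocols, not just tcp/udp).
    ipt -I FORWARD 1 -i "$LAN" -j check_macs
}

build_mac_rules
```

Swapping `-m mac --mac-source "$mac"` for `-s "$ip"` gives the IP-based variant for clients that sit behind another router or AP, where the source MAC seen by this box is not the client's own.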
 
Old 03-26-2009, 07:35 AM   #9
archtoad6
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15
Good. Thanks for giving the answer -- it may help someone else.
 
Old 03-27-2009, 11:03 PM   #10
landysaccount
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188
Original Poster

Quote:
Originally Posted by archtoad6
Good. Thanks for giving the answer -- it may help someone else.
Please note that the above works only on a router that is directly connected to all the clients' machines through a switch. If the packet sent from the client passes through a router, AP, or any other device that has an IP/MAC, this will not work since MAC addresses are not routable. In this case the last device's MAC will appear at the router even if it is in the same subnet. To work around this, just use DHCP to assign a static IP to the MAC and filter by IP address. This will always work:

iptables -N ip_check

# one RETURN per allowed (DHCP-reserved) address
iptables -A ip_check -s $ip -j RETURN
# anything not returned above is dropped
iptables -A ip_check -j DROP

iptables -A FORWARD -j ip_check

I did this and it is working flawlessly.

Hope it helps others.
 