-   Linux - Security (
-   -   How to open port on iptables locked on a specific internal MAC address? (

blackman890 10-04-2007 01:12 PM

How to open port on iptables locked on a specific internal MAC address?
Hello there.

I am currently having a slight problem with our firewall. Basically "transmissions" are locked and all ports locked except for HTTP and HTTPS.

However one developers computer has to have access through the firewall on a specific port (the FTP port, 21).

However I need it so that only this specific computer to be able to get through the Firewall. Therefore I thought of opening a port open only for that computers specific MAC address.

However after some googling I haven't found the right command/rule for this. Can anyone tell me the rule/show me where I can find something like this?.

Thanks in advance. :)

Jonatan Nilsson

Just to clarify: Everything is locked so I thing I may also have to specifie OUT and IN.

koobi 10-05-2007 01:14 AM

i'm very new to iptables but from the manual:

--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for
packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

i believe this will work for you:

iptables -A INPUT -p tcp --dport ftp --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

win32sux 10-05-2007 02:16 AM

The syntax on that is missing the module. It's like:

-m mac --mac-source xx:xx:xx:xx:xx:xx
Also, if this is a gateway/firewall setup, in the sense that you want to give someone on the LAN access to an FTP server on the WAN, then you need to use the FORWARD chain.

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 21 \
-m state --state NEW -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

The returning packets will get picked-up by your RELATED,ESTABLISHED rule.

All times are GMT -5. The time now is 11:29 PM.