IPTABLES Apply Certain Rules to Certain Mac Addresses

weboy · 07-11-2010, 09:43 AM

Ok, so the firewall rules I am currently using are displayed below.

Code:

# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS

# ALLOW DHCP THROUGH THE FIREWALL
iptables -t nat -A PREROUTING -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j DNAT --to 255.255.255.255:67-68 # ALLOW DHCP
iptables -A FORWARD -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j ACCEPT # ALLOW DHCP


# ALLOW DNS TRAFFIc
iptables -A FORWARD -p udp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p udp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is recieving a DNS RESPONSE
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p tcp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is recieving a DNS RESPONSE

# ALLOW HTTP TRAFFIC
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A REQUEST
iptables -A FORWARD -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A RESPONSE

# Redirect HTTP REQUESTS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80

Now what I want to do is have certain MAC addresses, be exempt from all those rules. Primarily I would rather have the rules to have these MAC addresses exempt added after these rules get executed... As exempt mac addresses will be added very often and I do not want to have to re-execute my iptables script every time a new mac address is made exempt, as it may cause issues with the transfer of data over the network, for other users.

Is there anyway of doing this? Or something similiar, or if it comes down to it, a way of doing this before the above iptables rules?

For those that are interested my setup atm is currently that of a Wireless Access Portal, the computer that these commands are being executed are between a wireless access point and my network... This computer has 2 NIC's bridged.

When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page, once they login, the mac address is grabbed by the auth server, and at this point I am trying to figure out how to make their mac address except from the rules of non-authenticated users.

Internet
^
|
Gateway <--- Bridged Firewall <--- Wireless Access Point
^
|
Auth Server

Any assistance that can be provided is greatly appreciated!

Thanks,
Aaron

win32sux · 07-11-2010, 01:51 PM

Maybe insert a match for the MAC address at the top of a chain? Like:

Code:

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

To delete the rule just change the -I to a -D. Like:

Code:

iptables -t nat -D PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

Hangdog42 · 07-11-2010, 01:55 PM

Quote:

Now what I want to do is have certain MAC addresses, be exempt from all those rules. Primarily I would rather have the rules to have these MAC addresses exempt added after these rules get executed...

The main problem with this approach is that iptables rules are evaluated in order and handled according to the first rule match. So if you want to exempt certain MAC addresses from these rules, you have to have the exemptions first.

Quote:

As exempt mac addresses will be added very often and I do not want to have to re-execute my iptables script every time a new mac address is made exempt, as it may cause issues with the transfer of data over the network, for other users.

Unless I'm missing something about iptables, I don't think you can add a new rule and have it picked up without restarting the rule set.

Quote:

When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page, once they login, the mac address is grabbed by the auth server, and at this point I am trying to figure out how to make their mac address except from the rules of non-authenticated users.

I'm not sure that iptables is the right tool for this job. It sounds more like you want to have two subnets, one that has authorized users and one that doesn't. Unfortunately, I'm not sure you can get one wireless access point to handle two subnets.

win32sux · 07-11-2010, 02:06 PM

Quote:

Originally Posted by Hangdog42

Unless I'm missing something about iptables, I don't think you can add a new rule and have it picked up without restarting the rule set.

You can (my example above does precisely that).

weboy · 07-11-2010, 09:00 PM

Quote:

Originally Posted by win32sux

Maybe insert a match for the MAC address at the top of a chain? Like:

Code:

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

To delete the rule just change the -I to a -D. Like:

Code:

iptables -t nat -D PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

That works pretty well actually, only issue i'm having with it... Is that the latter command (to delete the rule that was added), does not terminate existing connections. So, basically if the user visits a webpage while they are authenticated, and then they become unauthenticated, that website is still accessible so long as the web browser keeps that connection alive. (This isnt a huge issue, and it may actually end up being better, but it would be nice to know of a way of having this fixed).

For those that are interested below are the commands I am using to permit full network access, I will likely mod this later to only permit access to the internet and not the local network. The second MAC address in those rules is that of my gateway on my network.

Code:

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT

Thanks again!

Hangdog42 · 07-12-2010, 07:00 AM

Quote:

Originally Posted by win32sux

You can (my example above does precisely that).

Thanks. As soon as I thought about how iptables actually works with its rules, I realized that my statement couldn't be more wrong.

weboy · 07-17-2010, 09:12 AM

Quote:

Originally Posted by weboy

That works pretty well actually, only issue i'm having with it... Is that the latter command (to delete the rule that was added), does not terminate existing connections. So, basically if the user visits a webpage while they are authenticated, and then they become unauthenticated, that website is still accessible so long as the web browser keeps that connection alive. (This isnt a huge issue, and it may actually end up being better, but it would be nice to know of a way of having this fixed).

For those that are interested below are the commands I am using to permit full network access, I will likely mod this later to only permit access to the internet and not the local network. The second MAC address in those rules is that of my gateway on my network.

Code:

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT

Thanks again!

Bump on this question.