IPTABLES Apply Certain Rules to Certain Mac Addresses
Ok, so the firewall rules I am currently using are displayed below.
Code:
# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS
# ALLOW DHCP THROUGH THE FIREWALL
iptables -t nat -A PREROUTING -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j DNAT --to 255.255.255.255:67-68 # ALLOW DHCP
iptables -A FORWARD -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j ACCEPT # ALLOW DHCP
# ALLOW DNS TRAFFIC
iptables -A FORWARD -p udp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p udp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p tcp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE
# ALLOW HTTP TRAFFIC
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A REQUEST
iptables -A FORWARD -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A RESPONSE
# Redirect HTTP REQUESTS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
Now what I want to do is have certain MAC addresses be exempt from all those rules. Primarily, I would rather have the rules that make these MAC addresses exempt added after these rules get executed, as exempt MAC addresses will be added very often and I do not want to have to re-execute my iptables script every time a new MAC address is made exempt, as it may cause issues with the transfer of data over the network for other users.
Is there any way of doing this? Or something similar, or if it comes down to it, a way of doing this before the above iptables rules?
For those that are interested, my setup at the moment is that of a wireless access portal; the computer that these commands are being executed on sits between a wireless access point and my network. This computer has 2 NICs bridged.
When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page. Once they log in, the MAC address is grabbed by the auth server, and at this point I am trying to figure out how to make their MAC address exempt from the rules for non-authenticated users.
Internet
^
|
Gateway <--- Bridged Firewall <--- Wireless Access Point
^
|
Auth Server
Any assistance that can be provided is greatly appreciated!
Thanks,
Aaron
Last edited by weboy; 07-11-2010 at 09:44 AM.
Reason: Fix visual of network
Quote:
Now what I want to do is have certain MAC addresses be exempt from all those rules. Primarily, I would rather have the rules that make these MAC addresses exempt added after these rules get executed...
The main problem with this approach is that iptables rules are evaluated in order and handled according to the first rule match. So if you want to exempt certain MAC addresses from these rules, you have to have the exemptions first.
Quote:
As exempt MAC addresses will be added very often and I do not want to have to re-execute my iptables script every time a new MAC address is made exempt, as it may cause issues with the transfer of data over the network for other users.
Unless I'm missing something about iptables, I don't think you can add a new rule and have it picked up without restarting the rule set.
Quote:
When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page. Once they log in, the MAC address is grabbed by the auth server, and at this point I am trying to figure out how to make their MAC address exempt from the rules for non-authenticated users.
I'm not sure that iptables is the right tool for this job. It sounds more like you want to have two subnets, one that has authorized users and one that doesn't. Unfortunately, I'm not sure you can get one wireless access point to handle two subnets.
That works pretty well actually; the only issue I'm having with it is that the latter command (to delete the rule that was added) does not terminate existing connections. So, basically, if the user visits a webpage while they are authenticated, and then they become unauthenticated, that website is still accessible so long as the web browser keeps that connection alive. (This isn't a huge issue, and it may actually end up being better, but it would be nice to know of a way of having this fixed.)
For those that are interested, below are the commands I am using to permit full network access; I will likely modify this later to only permit access to the internet and not the local network. The second MAC address in those rules is that of my gateway on my network.
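The poster's own commands are not reproduced in the thread, so what follows is an added example (not the poster's script) of the insert-and-delete approach together with a fix for the lingering-connection problem described in this reply: authorize inserts the exemption at the top of both nat PREROUTING (where the HTTP redirect lives) and FORWARD, and deauthorize removes those rules and clears the client's conntrack entries with conntrack-tools. It assumes the portal rules from the first post are loaded, the auth server knows the client's IP as well as its MAC, and conntrack is installed; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script: manage one client's exemption
# from the captive-portal rules in the first post. Assumes those rules are
# loaded, the auth server knows the client's IP as well as its MAC, and
# conntrack-tools is installed. DRY_RUN=1 (the default here) prints each
# command instead of executing it, so the functions run without root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a colon-separated 48-bit MAC: the value arrives from the
# auth server, so anything else must never be handed to iptables.
valid_mac() {
    hx='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# Insert at position 1 so the exemption matches before the portal rules
# (iptables stops at the first match) with no ruleset reload. The HTTP
# redirect sits in nat PREROUTING, which runs before FORWARD, so it needs
# its own exemption: ACCEPT there ends nat traversal and no DNAT happens.
# The mac match only sees the client's own frames; return traffic needs a
# separate accept (the poster keys one on the gateway's MAC).
authorize() {
    valid_mac "$1" || return 1
    run iptables -t nat -I PREROUTING 1 -m mac --mac-source "$1" -j ACCEPT
    run iptables -I FORWARD 1 -m mac --mac-source "$1" -j ACCEPT
}

# -D must repeat the exact rule spec. Removing the rules does not close
# flows already in the conntrack table, which a stateful ESTABLISHED
# accept keeps passing, so the client's entries are deleted as well.
deauthorize() {
    valid_mac "$1" || return 1
    run iptables -t nat -D PREROUTING -m mac --mac-source "$1" -j ACCEPT
    run iptables -D FORWARD -m mac --mac-source "$1" -j ACCEPT
    if [ -n "$2" ]; then
        run conntrack -D --orig-src "$2"
    fi
}
```

Run with DRY_RUN=0 as root on the bridge box to apply the rules for real; the auth server can call authorize and deauthorize as users log in and out.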