LinuxQuestions.org - Linux - Security
IPTABLES rules using ipt_mac module (https://www.linuxquestions.org/questions/linux-security-4/iptables-rules-using-ipt_mac-module-790337/)

arunabh_biswas 02-20-2010 02:17 AM

IPTABLES rules using ipt_mac module
 
Dear Experts,

Please accept my regards.

I've configured a squid proxy server on a P4 desktop. I have 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I have 2 NICs installed in the system:
eth0 (192.168.100.99) for the local LAN and eth1 (192.168.1.2) for outgoing traffic to the internet. I've connected a DSL broadband modem to eth1 (the default IP of the DSL modem is 192.168.1.1). All the clients except a few have been forced to go through squid with user authentication to access the internet. The clients which were kept away from the proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine, but since last week I have observed that some notorious user uses the direct IPs (192.168.100.97 or 192.168.100.95) in the absence of the owners of these IPs to gain access to the internet, as we applied download/upload restrictions in squid.

I want to filter the packets of source hosts using the MAC address in the PREROUTING chain. I read somewhere that the IPT_MAC module must be installed to make this happen, so that those notorious users cannot change their IPs to gain direct access to the internet.

Below are the contents of my iptables file (I've omitted a few entries for safety purposes).

# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
-A INPUT -s 192.168.100.85 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.100.95 -p tcp -m tcp --dport 22 -j ACCEPT
#######################################
*nat
:PREROUTING ACCEPT [4513:335051]
:POSTROUTING ACCEPT [1619:154742]
:OUTPUT ACCEPT [1045:124778]
-A POSTROUTING -s 192.168.100.253 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.97 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.95 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.165 -o eth1 -j SNAT --to-source 192.168.1.2
COMMIT
#######################################

I checked using the below command:
# lsmod | grep mac

The output shows nothing.

When I run the modprobe command:
# modprobe ipt_mac
it returns to the prompt.

It then gives the below output:
# lsmod | grep mac
ipt_mac 1985 0
ip_tables 17473 4 ipt_mac,iptable_nat,ipt_REJECT,iptable_filter


Then I put the below entry in the /etc/sysconfig/iptables file in the POSTROUTING section.
-A POSTROUTING -s 192.168.100.95 -m mac --mac-source 00-16-D3-BA-6F-C5 -o eth1 -j SNAT --to-source 192.168.1.2

After saving the file, I restarted the iptables service. But it gives the below error message.
# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 93 failed [FAILED]


I need your kind suggestions to resolve this issue. Thanks in advance.

Regards
Arunabh B.

win32sux 02-20-2010 04:54 AM

I'm gonna take a look at your iptables rule in a few minutes (need to step outside for a little while), but in the meantime I would like to ask: You are aware that if they can change their IP then they can also change their MAC, right? Just making sure.

win32sux 02-20-2010 06:03 AM

Sorry for the delay, a fifteen minute smoke break turned into a one-hour conversation with a friend.

Quote:

Originally Posted by arunabh_biswas (Post 3870180)
-A POSTROUTING -s 192.168.100.95 -m mac --mac-source 00-16-D3-BA-6F-C5 -o eth1 -j SNAT --to-source 192.168.1.2

Although your MAC address syntax is erroneous AFAIK (dashes instead of colons), your primary issue is that you're doing this in the POSTROUTING chain. At that point, the packet still hasn't been encapsulated in an Ethernet frame, so it won't have this MAC address you're looking for. Furthermore, when it does get encapsulated, it's going to have the MAC address of the NIC (eth1), not the originating host. Basically, if you want to match based on MAC address, you're going to need to stick to the chains which deal with inbound traffic, such as INPUT, FORWARD, or PREROUTING.

I would recommend handling this in the FORWARD chain like so:
Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.253 -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.97  -m mac --mac-source BB:BB:BB:BB:BB:BB -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.95  -m mac --mac-source CC:CC:CC:CC:CC:CC -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.165 -m mac --mac-source DD:DD:DD:DD:DD:DD -j ACCEPT

You wouldn't need to change your current SNAT rules (just remove the bogus one).

But like I said, it's easy to spoof a MAC, and you shouldn't rely on this for any kind of serious security.

arunabh_biswas 02-20-2010 06:21 AM

Quote:

Originally Posted by win32sux (Post 3870257)
I'm gonna take a look at your iptables rule in a few minutes (need to step outside for a little while), but in the meantime I would like to ask: You are aware that if they can change their IP then they can also change their MAC, right? Just making sure.

Yes... you are right... but I know my users are not expert enough to change MACs... but it is also a point to think about... Do you have any foolproof solution for this?

win32sux 02-20-2010 06:23 AM

Quote:

Originally Posted by arunabh_biswas (Post 3870333)
Yes... you are right... but I know my users are not expert enough to change MACs... but it is also a point to think about... Do you have any foolproof solution for this?

There is no fool-proof solution, but I edited my previous post to add a suggestion.

arunabh_biswas 02-20-2010 07:02 AM

Quote:

Although your MAC address syntax is erroneous ....

Oops... sorry... I'll change it.

Thanks for your support... I'll definitely deploy it...


Quote:

I would recommend handling this in the FORWARD chain like so:
Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.253 -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.97  -m mac --mac-source BB:BB:BB:BB:BB:BB -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.95  -m mac --mac-source CC:CC:CC:CC:CC:CC -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.165 -m mac --mac-source DD:DD:DD:DD:DD:DD -j ACCEPT


Quote:

You wouldn't need to change your current SNAT rules (just remove the bogus one).
I want to clear up one confusion... you mean to say that I can add these lines in the filter chain and leave the other POSTROUTING SNAT lines in the iptables file as they are??


Quote:

But like I said, it's easy to spoof a MAC, and you shouldn't rely on this for any kind of serious security.
Can you suggest some other alternative for this?

Again, thanks for all your kind support.

win32sux 02-20-2010 06:00 PM

Quote:

Originally Posted by arunabh_biswas (Post 3870386)
I want to clear up one confusion... you mean to say that I can add these lines in the filter chain and leave the other POSTROUTING SNAT lines in the iptables file as they are??

Yes. Those SNAT rules are still needed, in order to change the source address on the packets from those four hosts. No MAC checking is necessary at that point, since it already happened in the FORWARD chain and any packet with an IP/MAC mismatch would have been sent to DROP.

Quote:

Can you suggest some other alternative for this?
Maybe you could do this with Squid instead (as in, disable forwarding completely). In other words, require these four users to authenticate like everyone else and then have a special ACL for them which grants them unrestricted access.

arunabh_biswas 03-07-2010 11:41 PM

Thanks WIN32SUX,

Sorry for replying so late. I was out of station. And thanks a lot for all your support.
I'll try this. I have 2 more queries in line regarding the above issue.

1) How do I install modules of iptables (i.e. ipt_mac etc.)? Can these modules be found in rpm format? Where can I find these modules (OS media or internet)?

2) I want to block BitTorrent/uTorrent clients in my LAN. I read somewhere while searching for a solution to this issue that it needs a layer7 module. Where can I find this module and how do I install it? What is the command to block BitTorrent/uTorrent clients?

