IPTABLES rules using ipt_mac module
Dear Experts,
Please accept my regards, all. I've configured a squid proxy server on a P4 desktop. I've 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I've 2 NICs installed in the system: eth0 (192.168.100.99) for the local LAN and eth1 (192.168.1.2) for outgoing traffic to the internet. I've connected a DSL broadband modem to eth1 (the default IP of the DSL modem is 192.168.1.1). All the clients except a few have been forced to go through squid with user authentication to access the internet. The clients that are kept away from the proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine, but since last week I have observed that some notorious user uses the direct IPs (192.168.100.97 or 192.168.100.95) in the absence of the owners of these IPs to gain access to the internet, as we applied download/upload restrictions in squid. I want to filter the packets of source hosts using the MAC address in the PREROUTING chain. I read somewhere that the IPT_MAC module must be installed to make this happen, so that those notorious users cannot change their IPs to gain direct access to the internet. Below are the contents of my iptables file (I've omitted a few entries for safety purposes).
Code:
# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
-A INPUT -s 192.168.100.85 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.100.95 -p tcp -m tcp --dport 22 -j ACCEPT
#######################################
*nat
:PREROUTING ACCEPT [4513:335051]
:POSTROUTING ACCEPT [1619:154742]
:OUTPUT ACCEPT [1045:124778]
-A POSTROUTING -s 192.168.100.253 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.97 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.95 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.165 -o eth1 -j SNAT --to-source 192.168.1.2
COMMIT
#######################################
I checked using the below command:
# lsmod | grep mac
The output shows nothing. When I run the modprobe command:
# modprobe ipt_mac
it brings me back to the prompt. It gives the below output:
# lsmod | grep mac
ipt_mac                 1985  0
ip_tables              17473  4 ipt_mac,iptable_nat,ipt_REJECT,iptable_filter
Then I put the below entry in the /etc/sysconfig/iptables file in the POSTROUTING section.
-A POSTROUTING -s 192.168.100.95 -m mac --mac-source 00-16-D3-BA-6F-C5 -o eth1 -j SNAT --to-source 192.168.1.2
After saving the file, I restarted the iptables service. But it gives the below error message.
# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat filter                [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 93 failed    [FAILED]
I need your kind suggestions to resolve this issue. Thanks in advance.
Regards
Arunabh B.
I'm gonna take a look at your iptables rule in a few minutes (need to step outside for a little while), but in the meantime I would like to ask: You are aware that if they can change their IP then they can also change their MAC, right? Just making sure.
Sorry for the delay, a fifteen minute smoke break turned into a one-hour conversation with a friend.
I would recommend handling this in the FORWARD chain like so:
Code:
iptables -P FORWARD DROP
But like I said, it's easy to spoof a MAC, and you shouldn't rely on this for any kind of serious security.
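The rest of the FORWARD-chain ruleset is not on this page, so the following is an added example (not win32sux's or the original poster's configuration) of what "handle it in the FORWARD chain" looks like for the four bypass hosts in the thread. It pins each host to its IP and its source MAC in filter/FORWARD, and leaves the nat/POSTROUTING SNAT rules keyed on IP only. The mac match is documented as valid only for packets entering the PREROUTING, INPUT or FORWARD chains, which is why a `-m mac` rule placed in nat/POSTROUTING is rejected when the ruleset is restored; the MAC must also be written with colons. Only the first MAC below comes from the thread; the other three, the interface names and the sample table are assumptions. The script prints the commands by default (so they can be reviewed on any machine) and only runs them with `--apply` as root.

```shell
#!/bin/sh
# Added example: IP+MAC pinning of the proxy-bypass hosts in filter/FORWARD,
# with SNAT left in nat/POSTROUTING. Not the thread's actual ruleset.
# Interface names and WAN IP follow the original post; MACs other than the
# first one are placeholders (assumption).

LAN_IF=eth0
WAN_IF=eth1
WAN_IP=192.168.1.2

# Constructed sample table: "IP MAC" for every host allowed to bypass squid.
# MACs are written with colons, the form the mac match parses.
BYPASS_HOSTS="192.168.100.95 00:16:D3:BA:6F:C5
192.168.100.97 00:11:22:33:44:55
192.168.100.253 00:11:22:33:44:66
192.168.100.165 00:11:22:33:44:77"

# Emit the iptables commands instead of running them, so the generated
# ruleset can be inspected or unit-tested without root or a kernel.
gen_forward_rules() {
    # Nothing is forwarded unless a rule below says so.
    echo "iptables -P FORWARD DROP"
    # Return traffic from the internet to the LAN is accepted statefully, so
    # only the LAN->internet direction needs the per-host checks.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"

    printf '%s\n' "$BYPASS_HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Both the IP and the source MAC must match: a user who just takes
        # over an absent owner's IP no longer gets through (a cloned MAC
        # still would, which is win32sux's caveat).
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
        # SNAT stays IP-keyed in the nat table, where -m mac is not accepted.
        echo "iptables -t nat -A POSTROUTING -s $ip -o $WAN_IF -j SNAT --to-source $WAN_IP"
    done
}

# Usage: sh pin-bypass-hosts.sh          (print the rules)
#        sh pin-bypass-hosts.sh --apply  (run them; requires root)
case "${1:-}" in
    --apply) gen_forward_rules | sh ;;
    *)       gen_forward_rules ;;
esac
```

Hosts that are not in the table (the 46 proxied clients) are never forwarded, so they can only reach the internet through squid on the gateway itself; that traffic arrives on the INPUT chain, which the FORWARD policy does not touch. After applying, `iptables -L FORWARD -v` shows the per-host MAC rules and their counters, and `iptables -m mac --help` prints the option syntax for the installed version.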
Quote:
Although your MAC address syntax is erroneous ....
Oops... sorry... I'll change it. Thanks for your support... I'll definitely deploy it...
Again thanks for all your kind support..
Thanks WIN32SUX,
Sorry for replying so late. I was out of station. And thanks a lot for all your support. I'll try this. I've 2 more queries in line regarding the above issue.
1) How do I install modules of iptables (i.e. ipt_mac etc.)? Can these modules be found in rpm format? Where can I find these modules (OS media or internet)?
2) I want to block Bittorrent/utorrent clients in my LAN. I read somewhere, while searching for a solution to this issue, that it needs a layer7 module. Where can I find this module and how do I install it? What is the command to block bittorrent/utorrent clients?