LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-20-2010, 03:17 AM   #1
arunabh_biswas
IPTABLES rules using ipt_mac module


Dear Experts,

Please receive my regards, all.

I've configured a squid proxy server on a P4 desktop. I have 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I have 2 NICs installed in the system.
eth0 (192.168.100.99) for the local LAN and eth1 (192.168.1.2) for outgoing traffic to the internet. I've connected a DSL broadband modem to eth1 (the default IP of the DSL modem is 192.168.1.1). All the clients except a few have been forced to go through squid, with user authentication, to access the internet. Those clients which were kept away from the proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine, but since last week I have observed that some notorious user uses the direct IPs (192.168.100.97 or 192.168.100.95) in the absence of the owners of these IPs to gain access to the internet, as we applied download/upload restrictions in squid.

I want to filter the packets of source hosts using the MAC address in the PREROUTING chain. I read somewhere that the IPT_MAC module must be installed to make this happen, so that those notorious users cannot change their IPs to gain direct access to the internet.

Below are the contents of my iptables file (I've omitted a few entries for safety purposes).

# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
-A INPUT -s 192.168.100.85 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.100.95 -p tcp -m tcp --dport 22 -j ACCEPT
#######################################
*nat
:PREROUTING ACCEPT [4513:335051]
:POSTROUTING ACCEPT [1619:154742]
:OUTPUT ACCEPT [1045:124778]
-A POSTROUTING -s 192.168.100.253 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.97 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.95 -o eth1 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.100.165 -o eth1 -j SNAT --to-source 192.168.1.2
COMMIT
#######################################

I checked using the command below:
# lsmod | grep mac

The output shows nothing.

When I run the modprobe command:
# modprobe ipt_mac
it returns to the prompt.

Then it gives the output below:
# lsmod | grep mac
ipt_mac 1985 0
ip_tables 17473 4 ipt_mac,iptable_nat,ipt_REJECT,iptable_filter


Then I put the entry below in the /etc/sysconfig/iptables file, in the POSTROUTING section.
-A POSTROUTING -s 192.168.100.95 -m mac --mac-source 00-16-D3-BA-6F-C5 -o eth1 -j SNAT --to-source 192.168.1.2

After saving the file, I restarted the iptables service. But it gives the error message below.
# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 93 failed [FAILED]


I need your kind suggestions to resolve this issue. Thanks in advance.

Regards
Arunabh B.

Old 02-20-2010, 05:54 AM   #2
win32sux
I'm gonna take a look at your iptables rule in a few minutes (need to step outside for a little while), but in the meantime I would like to ask: You are aware that if they can change their IP then they can also change their MAC, right? Just making sure.

Old 02-20-2010, 07:03 AM   #3
win32sux
Sorry for the delay, a fifteen minute smoke break turned into a one-hour conversation with a friend.

Quote:
Originally Posted by arunabh_biswas
-A POSTROUTING -s 192.168.100.95 -m mac --mac-source 00-16-D3-BA-6F-C5 -o eth1 -j SNAT --to-source 192.168.1.2
Although your MAC address syntax is erroneous AFAIK (dashes instead of colons), your primary issue is that you're doing this in the POSTROUTING chain. At that point, the packet still hasn't been encapsulated in an Ethernet frame, so it won't have this MAC address you're looking for. Furthermore, when it does get encapsulated, it's going to have the MAC address of the NIC (eth1), not the originating host. Basically, if you want to match based on MAC address, you're going to need to stick to the chains which deal with inbound traffic, such as INPUT, FORWARD, or PREROUTING.

I would recommend handling this in the FORWARD chain like so:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.253 -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.97  -m mac --mac-source BB:BB:BB:BB:BB:BB -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.95  -m mac --mac-source CC:CC:CC:CC:CC:CC -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.165 -m mac --mac-source DD:DD:DD:DD:DD:DD -j ACCEPT
You wouldn't need to change your current SNAT rules (just remove the bogus one).

But like I said, it's easy to spoof a MAC, and you shouldn't rely on this for any kind of serious security.

Last edited by win32sux; 02-20-2010 at 07:22 AM. Reason: Added iptables suggestion.
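The following is an added example, not code from the thread or from win32sux: a small POSIX shell script that builds the FORWARD-chain rules suggested in the post above from an IP/MAC table, normalises the MAC syntax (the dash form from the original post, 00-16-D3-BA-6F-C5, becomes the colon form the mac match expects), refuses malformed entries, and by default only prints the commands. The interface names and the four IPs are the thread's; the MAC addresses in the table are placeholders (an assumption), as are the DRY_RUN/IPT/LAN_IF/WAN_IF variable names.

```shell
#!/bin/sh
# Added example (not from the thread): generate the FORWARD-chain IP/MAC
# pinning rules from a table, normalising MAC syntax and rejecting bad
# entries. Dry run by default: it prints the iptables commands.

LAN_IF=${LAN_IF:-eth0}        # LAN side, where the four hosts live
WAN_IF=${WAN_IF:-eth1}        # DSL side
IPT=${IPT:-iptables}

# Constructed sample table of "ip mac" pairs. The IPs are the four bypass
# hosts from the thread; the MACs are placeholders (assumption), deliberately
# mixing dash/colon and upper/lower case to exercise the normalisation.
BYPASS_HOSTS='
192.168.100.253 AA-AA-AA-AA-AA-AA
192.168.100.97  bb:bb:bb:bb:bb:bb
192.168.100.95  CC:CC:CC:CC:CC:CC
192.168.100.165 DD-DD-DD-DD-DD-DD
'

# normalize_mac MAC -> prints the lower-case, colon-separated form (the syntax
# the iptables mac match accepts); returns 1 if it is not six hex octets.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF' 'abcdef' | tr -- '-' ':')
    case "$m" in
        ??:??:??:??:??:??) ;;          # right shape: six 2-char groups
        *) return 1 ;;
    esac
    case "$m" in
        *[!0-9a-f:]*) return 1 ;;     # anything that is not hex or ':'
    esac
    printf '%s\n' "$m"
}

# forward_rules -> prints the iptables commands. The mac match only works on
# inbound chains (PREROUTING, INPUT, FORWARD), where the packet still carries
# the source MAC of the frame it arrived in. With policy DROP, a LAN host
# whose IP/MAC pair is not in the table never reaches eth1 and has to go
# through Squid. Returns 1 if any table entry is malformed.
forward_rules() {
    rc=0
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        if nm=$(normalize_mac "$mac"); then
            echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $nm -j ACCEPT"
        else
            echo "forward_rules: bad MAC '$mac' for $ip" >&2
            rc=1
        fi
    done <<EOF
$BYPASS_HOSTS
EOF
    # Log (rate-limited) whatever falls through before the policy drops it:
    # a borrowed IP with the wrong MAC shows up here in /var/log/messages.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"
    return $rc
}

# Dry run by default. DRY_RUN=0 applies the rules, after checking that the
# mac match is usable (this fails when ipt_mac is not loaded, as in the
# original poster's first lsmod).
if [ "${DRY_RUN:-1}" = 1 ]; then
    forward_rules
else
    "$IPT" -m mac --help >/dev/null 2>&1 || { echo "mac match unavailable; try: modprobe ipt_mac" >&2; exit 1; }
    forward_rules | sh -e
fi
```

The printed `-A FORWARD ...` lines belong in the `*filter` section of /etc/sysconfig/iptables (before that table's COMMIT), or run the script with `DRY_RUN=0` and then `service iptables save`. Two caveats a deployment needs: the mac match only sees hosts on the same Ethernet segment as eth0 (a router in between rewrites the source MAC to its own), and, as the reply says, a MAC is as easy to change as an IP, so this raises the bar rather than closing the hole.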
 
Old 02-20-2010, 07:21 AM   #4
arunabh_biswas

Quote:
Originally Posted by win32sux
I'm gonna take a look at your iptables rule in a few minutes (need to step outside for a little while), but in the meantime I would like to ask: You are aware that if they can change their IP then they can also change their MAC, right? Just making sure.
Yeah, you're right, but I know my users are not expert enough to change a MAC. But it is also a point to think about. Do you have any foolproof solution for this?
 
Old 02-20-2010, 07:23 AM   #5
win32sux
Quote:
Originally Posted by arunabh_biswas
Yeah, you're right, but I know my users are not expert enough to change a MAC. But it is also a point to think about. Do you have any foolproof solution for this?
There is no fool-proof solution, but I edited my previous post to add a suggestion.

Old 02-20-2010, 08:02 AM   #6
arunabh_biswas

Quote:
Originally Posted by win32sux
Although your MAC address syntax is erroneous ....
Oops... sorry... I'll change it.

Thanks for your support... I'll definitely deploy it...


Quote:
I would recommend handling this in the FORWARD chain like so:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.253 -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.97  -m mac --mac-source BB:BB:BB:BB:BB:BB -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.95  -m mac --mac-source CC:CC:CC:CC:CC:CC -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.100.165 -m mac --mac-source DD:DD:DD:DD:DD:DD -j ACCEPT
Quote:
You wouldn't need to change your current SNAT rules (just remove the bogus one).
I want to clear up one confusion: you mean to say that I can add these lines in the filter chain and leave the other POSTROUTING SNAT rules there in the iptables file as they are?


Quote:
But like I said, it's easy to spoof a MAC, and you shouldn't rely on this for any kind of serious security.
Can you suggest some other alternative for this?

Again thanks for all your kind support..
 
Old 02-20-2010, 07:00 PM   #7
win32sux
Quote:
Originally Posted by arunabh_biswas
I want to clear up one confusion: you mean to say that I can add these lines in the filter chain and leave the other POSTROUTING SNAT rules there in the iptables file as they are?
Yes. Those SNAT rules are still needed, in order to change the source address on the packets from those four hosts. No MAC checking is necessary at that point, since it already happened in the FORWARD chain and any packet with an IP/MAC mismatch would have been sent to DROP.

Quote:
can u suggest some other alternative for this ?
Maybe you could do this with Squid instead (as in, disable forwarding completely). In other words, require these four users to authenticate like everyone else and then have a special ACL for them which grants them unrestricted access.

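As an added illustration of the Squid-only alternative in the reply above (not a configuration from the thread or from either poster), here is a squid.conf fragment in which everyone authenticates and the four formerly bypassed users get an ACL that exempts them from the download limit. The user names, the NCSA helper path and the use of a delay pool for the existing restriction are assumptions; the thread does not say how the limits are implemented.

```conf
# Added example (not from the thread): squid.conf fragment for the
# "authenticate everyone, special ACL for the four" approach. The exemption
# is tied to the user name, not the client IP, so borrowing a colleague's
# IP while they are away buys nothing.

# Assumption: Basic auth against an htpasswd file with the NCSA helper;
# adjust the helper path to where your Squid package installs it.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

acl lan       src 192.168.100.0/24
acl authed    proxy_auth REQUIRED
# Hypothetical user names for the four formerly bypassed hosts.
acl unlimited proxy_auth alice bob carol dave

# First match wins. 'all' is defined in the stock squid.conf of this era
# (acl all src 0.0.0.0/0.0.0.0) and is built in from Squid 3.2 onwards.
http_access allow lan authed
http_access deny all

# Assumption: the existing download restriction is a delay pool. One class-2
# pool (aggregate/per-host), unlimited aggregate, 32 KB/s per host. Users in
# 'unlimited' are kept out of the pool, so that deny must precede the allow.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 32000/32000
delay_access 1 deny unlimited
delay_access 1 allow authed
```

With this in place the four SNAT rules in /etc/sysconfig/iptables can go, and forwarding can be switched off for good (`net.ipv4.ip_forward = 0` in /etc/sysctl.conf, then `sysctl -p`), keeping `iptables -P FORWARD DROP` as a second layer. Check the file with `squid -k parse` before `squid -k reconfigure`.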
Old 03-08-2010, 12:41 AM   #8
arunabh_biswas
Thanks win32sux,


Sorry for replying so late. I was out of station. And thanks a lot for all your support.
I'll try this. I have 2 more queries in line regarding the above issue.

1) How do I install modules of iptables (i.e. ipt_mac etc.)? Can these modules be found in RPM format? Where can I find these modules (OS media or internet)?

2) I want to block BitTorrent/uTorrent clients in my LAN. I read somewhere, while searching for a solution to this issue, that it needs a layer7 module. Where can I find this module and how do I install it? What is the command to block BitTorrent/uTorrent clients?
 
  

