Meson 10-23-2007 09:44 PM

Laptop Firewall Considerations - MAC Addresses
I'm new to iptables (via firestarter) and most networking/security considerations in general.

I am worried about the security of my laptop when I take it out and connect wirelessly on my college campus and in other public locations. If I set up some rules to allow samba for the windows computers in my house using the network or even specific computers, what is going to happen when I connect to a similarly numbered network in a public location?

Is there a way to create different rules based on the MAC address of the router/gateway?

Any guides on firewall considerations? I had previously thought that most distributions had the firewall locked up by default, but after running a port check I found that a good number of ports were open! And some closed. When I'm behind my router, ALL come up as silent (at Shields Up, google: firewall test). I would like my personal firewall to be the same.

I would also like it to work on all interfaces. It seems firestarter only works on one at a time.

win32sux 10-23-2007 10:09 PM

Welcome to LQ!!! :)

I'd suggest having two firewall configs - one for when you're at home, and one for when you're not. But using the MAC address of the gateway as a location indicator wouldn't be a secure way to go - it's just way too easy to spoof a MAC. IMHO, a check for your home's wireless encryption key would be more suitable.

Meson 10-24-2007 10:06 AM

Thanks for the welcome. I've often used linuxquestions as a resource but stayed on ubuntuforums. I feel discussion here will be more universally beneficial.

Anyway. When I'm out and about I use wireless, but at home I pretty much stick to a wired connection.

Do I have to write a script to change the settings?

What about checking MAC, IP, and hostname? Are there any others? (Let's assume I'm using multiple WIRED connections.)

win32sux 10-24-2007 12:17 PM

OIC. Well, in a way that might make things easier. What names do your wireless and wired interfaces have? You might be able to get away with simply making interface-specific rules. That way you wouldn't even need to bother changing them. In other words, the rules would allow incoming connections into the wired NIC, while filtering everything (stealth firewall config) on the wireless.

EDIT: Wait, just re-read the last sentence in your post. Are you saying there are other wired networks you plug into besides the one at home? BTW, neither hostname, IP, or MAC are truly secure options for this, as none have any sort of authentication features, and all can be spoofed.

Meson 10-25-2007 12:43 AM

One wired, multiple wireless. I don't think interface-specific rules are the solution; I'm more worried about location-specific rules. I might, for example, use wireless at home or plug in to an ethernet port at school.

I know none of the three are secure, but I figured all three combined is better than nothing. Are there any truly secure (and I know there is no such thing as TRULY secure) methods for authenticating a network/host that are reasonable for a simple desktop user?

win32sux 10-25-2007 02:51 AM

Well, if you wanna make rules based on MAC/IPs this is how they go (iptables doesn't do hostnames - it'll resolve them into IPs):

iptables -A INPUT -s <source-ip> -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
Honestly, I think your best bet at this point is to have two firewall scripts, and manually execute them depending on your location. I wouldn't recommend going around with a MAC/IP-based rule such as the above constantly activated. But like you said, it's better than nothing. You should add protocol, port, and state matches to my example to tighten it a bit.

EDIT: Just remembered you probably meant using IP/MAC/hostname as an indicator for the network you are on, so nevermind my iptables rule. So you want the appropriate script executed depending on the MAC/IP of the gateway, right?
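The "two firewall scripts" idea above, written out as an added example (not code from the thread): a stealth profile for public networks and a home profile that opens Samba only on the wired NIC, only from the home subnet, with protocol, port and state matches. Assumed names: eth0 is the wired interface and 192.168.1.0/24 is the home LAN; each function prints iptables-restore input, to be loaded as root with e.g. `home_rules | iptables-restore`.

```shell
# Common core for both profiles: default-DROP inbound ("stealth"), keep
# loopback and already-established traffic working, allow all outbound.
base_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# Away profile: the core and nothing else. Every unsolicited packet is
# silently dropped, so a port check sees neither open nor closed ports.
stealth_rules() {
    base_rules
    echo COMMIT
}

# Home profile: core plus Samba (NetBIOS 137/138 UDP, 139/445 TCP), limited
# to NEW connections arriving on eth0 from the home subnet. Interface and
# subnet matches narrow exposure but, as the thread notes, do not authenticate
# the network: a hostile LAN can use the same addresses.
home_rules() {
    base_rules
    cat <<'EOF'
-A INPUT -i eth0 -s 192.168.1.0/24 -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```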

Meson 10-25-2007 10:57 AM

Well, basically I have my home network, for which I know the specifications of the router. And most of the other time I can assume I'm on a public network. I'd like to be able to at least recognize my home network in some way. Pardon me for the violation, but in a way similar to what Vista seems to be able to do.

win32sux 10-25-2007 02:35 PM

What method does Vista use to make the determination?

EDIT: As a side note, I just tried to script a way to get my current router's MAC and came up with this:

arping -c1 `route -n | grep '^<pattern-stripped-from-post>' | awk '{print $2}'` \
2> /dev/null | grep "Unicast reply from" | awk '{print $5}' | cut -c 2-18

It's butt ugly but it works okay AFAICT.

EDIT 2: To get the IP of my router's WAN side I did a:

echo `wget -qO - <wan-ip-lookup-url-stripped-from-post>`
Of course if the server is down or filtered it wouldn't work.

Meson 10-25-2007 03:16 PM

I don't know about the method.... anybody??? I found this article but can't make any certain sense of it... It looks like they're just using hostname and ip. Am I wrong?

win32sux 10-25-2007 04:00 PM

I just glanced through this page and got the impression it's only done by IP, except for the Domain location type. Like it has three location types: Domain, which it determines by seeing if it can authenticate to a domain controller; Public, which (I assume) it determines by seeing if the IP is an Internet one; and Private, which (I assume) it determines by seeing if the IP is private. Once again, this is just the impression I got and I could be completely mistaken. If I am right, though, then the only "secure" determination method is the Domain one, as it's the only one that does any authentication.

Do you have any always-on GNU/Linux box on your LAN which you could have an SSL-encrypted exchange with to confirm your location? If not, well, perhaps we should move along and get you set up with something IP/MAC-based. The shell commands I posted above could be a start if you want. I was thinking that perhaps if either of those two conditions evaluates as false (the MAC isn't yours and/or the WAN IP isn't your fixed IP (or one from your ISP's netblock if you have a dynamic IP)), then the stealth firewall is activated. Or that the non-stealth firewall is activated only when at least the first condition is true, or something like that. We could also throw in a hostname check of course. So you'd end up with an IP/MAC/Hostname scheme, which might suffice until you find a truly secure solution.

Meson 10-25-2007 06:17 PM

Actually the public/private declaration is set by the user with public as the default.

But to be honest with you, thinking about it now, the windows method of recognizing networks can't be all that secure. It must be pretty easy to spoof a network (except possibly for the domain - but then again it might be easy to trick a computer into thinking it's authenticated on a domain...)

So it seems the best general solution (and not just for me but for everyone) would be to have a list of network profiles in the network status icon in gnome. With at most an alert window that says "Hey, are you on this network?"

Such a utility would need to modify your ethernet devices, firewall, and possibly other settings, samba for one...?

If I wrote some scripts to run when I decided to change a network, would they need to change the iptables configuration and then restart it?

win32sux 10-26-2007 03:57 AM

The (insecure) idea I had in mind was a script which would automatically get executed every time you connect to a network. The script would check the conditions mentioned above (WAN IP, gateway MAC, local hostname) and execute the iptables rules allowing access to your Samba (from specific MACs) if it looked like you were at home. But yeah, I agree that in the absence of a secure automatic location determination mechanism, nothing beats having the human make the determination.

Meson 10-27-2007 02:28 AM

Too bad I only know java right now. I think I could come up with something pretty useful for people. I've been putting a lot of thought into this.

win32sux 10-27-2007 08:47 AM

Well, I wrote you a proof-of-concept script to get the ball rolling:


#!/bin/sh
# This script will execute a certain script if it detects that your
# router's MAC address, your WAN IP address, and your host name are what
# they would be when at home. It'll also execute a certain script if
# it finds that they aren't.

# Set the specs for your home network here (the values were stripped
# from the forum post; fill in your own):
ROUTER_MAC=<your-router-mac>
WAN_IP=<your-wan-ip>
HOSTNAME=<your-hostname>

# Set the scripts to be executed after determination is made
# (variable names assumed; the originals were stripped from the post):
HOME_SCRIPT=<path-to-home-firewall-script>
AWAY_SCRIPT=<path-to-stealth-firewall-script>

# Now we get the specs of the network you are currently in
# (the grep pattern and the WAN IP lookup URL were stripped from the post):
CURRENT_ROUTER_MAC=$(arping -c1 $(route -n | grep '^<pattern-stripped-from-post>' | awk '{print $2}') \
            2> /dev/null | grep "Unicast reply from" | awk '{print $5}' \
            | cut -c 2-18)
CURRENT_WAN_IP=$(echo $(wget -qO - <wan-ip-lookup-url-stripped-from-post>))
CURRENT_HOSTNAME=$(hostname)

# Now we check if they all match, and execute the appropriate script depending
# on whether or not they did (variables are quoted so an empty lookup result
# doesn't make the test fail with a syntax error):
if [ "$CURRENT_ROUTER_MAC" = "$ROUTER_MAC" ] && [ "$CURRENT_WAN_IP" = "$WAN_IP" ] \
    && [ "$CURRENT_HOSTNAME" = "$HOSTNAME" ]; then
    sh "$HOME_SCRIPT"
else
    sh "$AWAY_SCRIPT"
fi

I only gave it a very quick test (and once again, it's only a proof-of-concept) so take it with a grain of salt. The WAN IP check will need to be tweaked if your ISP gives you dynamic IPs, and a way to deal with errors (server is down, for example) would be imperative. Also, I'm not exactly sure where one would place this script to have it executed every time you associate to a new wireless network, but I'm sure that info is just a google away.
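The decision logic discussed in the last few posts (gateway MAC, WAN IP, hostname; stealth profile whenever any check fails), as an added example rather than the thread's own script. It fails closed: a lookup that returns nothing (server down, no default route) selects the stealth profile. Assumed: the HOME_* values are constructed samples, the two profile script paths and the WAN-IP lookup URL are placeholders, and gateway discovery uses iproute2 (`ip route`/`ip neigh`) instead of route/arping.

```shell
HOME_GW_MAC="00:1a:2b:3c:4d:5e"               # constructed example value
HOME_WAN_IP="203.0.113.7"                     # constructed example value
HOME_HOSTNAME="mylaptop"                      # constructed example value
HOME_SCRIPT="/usr/local/sbin/fw-home.sh"      # assumed path
AWAY_SCRIPT="/usr/local/sbin/fw-stealth.sh"   # assumed path
WAN_IP_URL="https://example.invalid/ip"       # placeholder; use a service you trust

# Gateway address from the default route, then its MAC from the neighbour
# table (iproute2 equivalent of the route/arping pipeline in the thread).
current_gateway_mac() {
    gw=$(ip -4 route show default 2>/dev/null | awk '/^default/ {print $3; exit}')
    [ -n "$gw" ] || return 1
    ping -c1 -W1 "$gw" >/dev/null 2>&1        # refresh the neighbour cache
    ip -4 neigh show "$gw" 2>/dev/null \
        | awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") {print $(i+1); exit}}'
}

# Pure decision: prints "home" only when every indicator is present and
# matches; an empty value (lookup failed, server down) always yields "away".
# None of the three authenticates the network and all can be spoofed, so a
# match merely lowers the odds of a mistake; a failure must never open up.
decide_profile() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); wan=$2; host=$3
    [ -n "$mac" ] && [ -n "$wan" ] && [ -n "$host" ] || { echo away; return 0; }
    if [ "$mac" = "$HOME_GW_MAC" ] && [ "$wan" = "$HOME_WAN_IP" ] \
        && [ "$host" = "$HOME_HOSTNAME" ]; then
        echo home
    else
        echo away
    fi
}

# Gather the live values and load the matching profile (run as root).
apply_profile() {
    mac=$(current_gateway_mac)
    wan=$(wget -qO- --timeout=5 "$WAN_IP_URL" 2>/dev/null)
    host=$(hostname)
    case $(decide_profile "$mac" "$wan" "$host") in
        home) sh "$HOME_SCRIPT" ;;
        *)    sh "$AWAY_SCRIPT" ;;
    esac
}

# Only act when invoked as "script.sh apply", so the functions can be sourced.
[ "${1:-}" = apply ] && apply_profile
```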

Meson 10-27-2007 06:43 PM


# Set the specs for your home network here:


# Now we check if they all match, and execute the appropriate script depending
# on whether or not they did:
    && [ $CURRENT_HOSTNAME = $HOSTNAME ]; then

How are scripts evaluated? Will [ $CURRENT_WAN_IP = $WAN_IP ] always be looked at or does it depend on [DYNAMIC]?
