
wademac 08-16-2011 12:38 PM

using iptables to reject mac address
Hello LQ,

I would like to block all traffic to a server by MAC address and only allow access by one MAC address. I understand MAC addresses can be spoofed, but would something like the below do the trick:

iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT

iptables -A INPUT -i eth0 -j REJECT
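As an added example (not posted by anyone in the thread), the rule pair above turned into a small POSIX sh function that validates the MAC format and prints a complete INPUT ruleset rather than running it. Besides the two rules from the question it adds two that a server in practice needs: accepting loopback, and accepting replies to connections the server itself opened via conntrack, since a bare REJECT on eth0 would otherwise drop those too. The interface name, the MAC and the conntrack module are assumptions; as the thread goes on to say, a source-MAC match only works for hosts on the same layer 2 segment.

```shell
#!/bin/sh
# Added example, not from the thread: build a MAC-allowlist INPUT ruleset for
# one interface. It only prints the iptables commands; apply them as root with
# "build_mac_allowlist_rules eth0 00:17:A4:A0:AA:AA | sh" after reviewing them.

# Return 0 if $1 is a MAC address in colon-separated hex form, else 1.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print rules for interface $1 that accept only frames from MAC $2.
# Order matters: loopback and established traffic are accepted before the
# catch-all REJECT so the server can still talk to itself and get replies.
build_mac_allowlist_rules() {
    iface=$1
    mac=$2
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -m mac --mac-source $mac -j ACCEPT
iptables -A INPUT -i $iface -j REJECT
EOF
}

# Example run with the MAC from the question (constructed interface name):
# build_mac_allowlist_rules eth0 00:17:A4:A0:AA:AA
```

The function refuses malformed MACs so a typo cannot silently produce a rule that matches nothing and leaves only the REJECT in place.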

acid_kewpie 08-16-2011 12:45 PM

Blocking by MAC is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) or a misunderstanding of the role of layer 3 routers (MAC addresses do not pass through them; the MAC is changed to the router's MAC when the packet hits it).

But if either of those are not relevant it looks fine to me.

wademac 08-16-2011 12:55 PM

This is fine within the same subnet, but if it is routed outside that, the MAC address of the router is used, correct?

acid_kewpie 08-16-2011 01:00 PM

Yep. MAC is layer 2 data, so it does not leave the subnet.

wademac 08-16-2011 01:11 PM

If I had another machine on a different subnet, or even outside with a dynamic IP address, what would you suggest to secure its access to this "somewhat locked" machine?

acid_kewpie 08-17-2011 03:20 AM

You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using a preshared key.
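As an added example (not from the thread or its posters) of the SSH-with-a-key suggestion above, two generators in POSIX sh: one prints an sshd_config fragment that turns off password logins and permits a single account, the other prints an authorized_keys line that pins a public key to a source address pattern and strips forwarding and PTY allocation via the `restrict` option (OpenSSH 7.2 or later is assumed for that option). The account name, the source CIDR and the public key are constructed placeholders; for a client on a dynamic address the `from=` pattern would be the provider's range or a hostname pattern, with the key itself carrying most of the access control.

```shell
#!/bin/sh
# Added example, not from the thread: generate key-only SSH access config.
# Assumes OpenSSH 7.2+ (for the "restrict" authorized_keys option).
# Nothing here is installed automatically; redirect the output into
# /etc/ssh/sshd_config.d/ or ~/.ssh/authorized_keys after review and run
# "sshd -t" before reloading.

# Print an sshd_config fragment allowing only public-key logins for user $1.
sshd_keyonly_fragment() {
    user=$1
    cat <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers $user
EOF
}

# Print one authorized_keys line: key $2 usable only from source pattern $1
# (address, CIDR or hostname pattern), with port/agent/X11 forwarding and
# PTY allocation disabled by "restrict" unless re-enabled explicitly.
authorized_keys_line() {
    src=$1
    pubkey=$2
    printf 'restrict,from="%s" %s\n' "$src" "$pubkey"
}

# Example with constructed placeholder values:
# sshd_keyonly_fragment admin
# authorized_keys_line 203.0.113.0/24 'ssh-ed25519 AAAAexamplekey admin@laptop'
```

Because `from=` is checked against the client's source address at the sshd side, it limits where a stolen key can be used from, which is the layer 3 counterpart of the layer 2 MAC check the thread started with.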
