using iptables to reject mac address

wademac · 08-16-2011, 11:38 AM

Hello LQ,

I would like to block all traffic to a server by mac address and only allow access by one mac address. I understand mac addresses can be spoofed but would some below do the trick:

iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT

iptables -A INPUT -i eth0 -j REJECT

acid_kewpie · 08-16-2011, 11:45 AM

Blocking by Mac is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) Or a misunderstanding of the role of layer 3 routers (Mac addresses do not pass through them, it is changed to the routers Mac when it hits it) .

But if either of those are not relevant it looks fine to me.

wademac · 08-16-2011, 11:55 AM

This is fine within the same subnet but if it is routed outside that the mac address of the router is used correct?

acid_kewpie · 08-16-2011, 12:00 PM

Yep. Mac is layer 2 data so does not leave the subnet.

wademac · 08-16-2011, 12:11 PM

If I had another machine on a different subnet or even outside with a dynamic ip address what would you suggest to secure it access to this "somewhat locked" machine?

acid_kewpie · 08-17-2011, 02:20 AM

You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using preshared key.