[SOLVED] How to use IP Tables in Linux Voyage Version: 0.7
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I am using Linux Voyage Version 0.7 on a Soekris Net5501 box in my project as the first device on my LAN.
The box is configured as a DHCP, DNS and web server in addition to a few other services.
Client computers access the content of this local server and the internet through a wireless access point connected to Ethernet port 2 or 3 of the Soekris box, and the two ports are bridged.
My problem is that I would like to filter access to the internet and local content by MAC address using iptables or other means necessary. In short, deny DHCP requests from certain clients, thereby effectively refusing them access to the LAN at all.
I know that this could be done on the access point, but I'd like to add and remove clients remotely, which I cannot do if that is implemented on the access point.
Can someone please tell me how I can do this? And if this cannot be done with iptables, is there a way of denying access to some client computers on.
It isn't a five-minute read; you probably wouldn't expect it to be, I suppose.
I don't really like MAC filtering, given that MAC addresses can be falsified and it will probably go wrong when you replace some hardware with new versions, but if it is the only way to do what you want...
Thanks Salasi, yes, indeed not a five-minute read, but I have found it very useful; I will try it on the test server at home before I implement it.
In all of the locations where I might want to do this kind of MAC filtering, all the client computers use wireless for local and internet access, so it is likely that someone shared their wireless key and allowed unauthorized personnel on the network.
The default rule in iptables is ACCEPT, so I would like to drop specified MAC addresses.
Salasi, what would you suggest as the solution for this kind of situation, given that the MAC address can be "falsified"?
Quote:
Originally Posted by Wynman
The default rule in iptables is ACCEPT, so I would like to drop specified MAC addresses.
What the default rule (you mean the policy, I think) is or is not seems irrelevant:
Policies only apply to the built-in chains; 'home-made' chains don't even have a policy that you can set.
A policy can be functionally 'emulated' by doing the same thing in the final instructions in the chain, so you can make any chain behave as if it had a policy of DROP or ACCEPT by appropriate final instructions.
(There is an argument that using the 'final instruction' approach is better than using policies because, if you make a mistake adding rules, a policy of DROP might lock you out of your own server, whereas, if you have the policy as ACCEPT but are 'emulating' DROP, wiping out the rules in that chain may leave you with access.)
Whatever, you still need some way to distinguish between 'packets that are allowed' and 'packets that are not allowed', and once you can do that you can do anything that you want with those packets,
so you can make a chain behave in any way you want.
Quote:
Originally Posted by Wynman
In all of the locations where I might want to do this kind of MAC filtering, all the client computers use wireless for local and internet access, so it is likely that someone shared their wireless key and allowed unauthorized personnel on the network.
Hmmm, well, if you can't trust what should be your security measures... You are saying that you have a wireless network, which should be secured by WEP/WPA/whatever (I hope it isn't actually WEP), but you are afraid that the WPA key has leaked. If there is no other user logon to get to resources (this sounds doubtful to me... yes, it could work if it is only, e.g., web access that is being granted, but if people are getting at their stored data on a server, for example, then that would raise big security concerns) then it would be difficult.
But bear in mind that someone competent (you may think that's a non-existent risk, and that's an estimate too easily made if you ever interact with users...)
can change the MAC address on their network interface quite easily
can snoop MAC addresses, so it may not even be necessary for the legitimate owner of the MAC address to do anything wrong for a usable MAC to leak to someone who wants to get it
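Editor's note: the following script is an added example, not code posted in this thread and not part of Voyage Linux. It does what the two posts above describe: it leaves the built-in INPUT and FORWARD policies at ACCEPT (as the original poster has them) and puts the MAC blocklist in a user-defined chain, MACBLOCK, which has no policy of its own; a packet from a blocked MAC is dropped there, anything else returns to the built-in chain and is handled by whatever rules follow. Names that the thread does not state are assumptions: the bridge of Ethernet ports 2 and 3 is called br0, and the blocklist lives in /etc/macblock.list. Setting IPT=echo prints the iptables commands instead of running them, which is how the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): drop all traffic from listed MAC addresses
# on the LAN bridge with a user-defined iptables chain, built-in policies untouched.
# ASSUMPTIONS not stated in the thread: the bridge interface is br0 and the
# blocklist is /etc/macblock.list (one MAC per line, '#' starts a comment).
# Run as root. Set IPT=echo to see the commands instead of executing them.

IPT="${IPT:-iptables}"
BRIDGE="${BRIDGE:-br0}"
LIST="${LIST:-/etc/macblock.list}"
HEX='[0-9a-fA-F][0-9a-fA-F]'

# Accept only a well-formed aa:bb:cc:dd:ee:ff and print it lower-cased;
# anything else is rejected so a typo never becomes a rule that matches nothing.
normalize_mac() {
    case "$1" in
        $HEX:$HEX:$HEX:$HEX:$HEX:$HEX) printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' ;;
        *) return 1 ;;
    esac
}

# Create (or empty) MACBLOCK and hook it at the top of INPUT (DHCP, DNS and web
# served by this box) and FORWARD (client traffic going out to the internet).
# Safe to re-run: the old jump is removed before a fresh one is inserted.
setup_chain() {
    $IPT -N MACBLOCK 2>/dev/null   # fails harmlessly if the chain already exists
    $IPT -F MACBLOCK
    for chain in INPUT FORWARD; do
        $IPT -D "$chain" -i "$BRIDGE" -j MACBLOCK 2>/dev/null
        $IPT -I "$chain" 1 -i "$BRIDGE" -j MACBLOCK
    done
}

# Drop every packet whose source MAC matches (the mac match is only valid in
# PREROUTING, INPUT and FORWARD, which is where MACBLOCK is reached from).
block_mac() {
    m=$(normalize_mac "$1") || { echo "macblock: bad MAC '$1'" >&2; return 1; }
    $IPT -A MACBLOCK -m mac --mac-source "$m" -j DROP
}

# Remove the rule again, e.g. when a client is re-admitted remotely.
unblock_mac() {
    m=$(normalize_mac "$1") || { echo "macblock: bad MAC '$1'" >&2; return 1; }
    $IPT -D MACBLOCK -m mac --mac-source "$m" -j DROP
}

# Read the blocklist file; blank lines and comments are skipped, malformed
# entries are reported and skipped rather than aborting the whole load.
load_blocklist() {
    while read -r m rest; do
        case "$m" in ''|'#'*) continue ;; esac
        block_mac "$m" || echo "macblock: skipping bad entry '$m'" >&2
    done < "$1"
}

case "${1:-}" in
    setup)   setup_chain ;;
    load)    setup_chain && load_blocklist "${2:-$LIST}" ;;
    block)   block_mac "$2" ;;
    unblock) unblock_mac "$2" ;;
    '')      ;;   # no command given: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 setup | load [file] | block MAC | unblock MAC" >&2; exit 2 ;;
esac
```

Usage: `sh macblock.sh load` at boot (the rules exist only in the running kernel), then `sh macblock.sh block 00:11:22:33:44:55` or `unblock` over SSH to change the list remotely, and `iptables -L MACBLOCK -n -v` to see per-MAC packet counters. Three caveats a practitioner would check before relying on this. First, the mac match needs the packet to pass through iptables: traffic that stays on the bridge (one client on port 2 talking to another on port 3) only reaches FORWARD when `sysctl net.bridge.bridge-nf-call-iptables` is 1. Second, if the DHCP server is ISC dhcpd it receives requests through a packet socket, so an INPUT DROP does not stop it handing out leases; dnsmasq uses ordinary UDP sockets and is blocked as expected. Either way the rule above also drops everything else from that MAC, so a client that keeps an old lease or sets a static address still gets nothing, which is what the original poster actually wants; the DHCP server's own deny list (a dhcpd host declaration with `deny booting`, or dnsmasq `dhcp-host=MAC,ignore`) is the belt-and-braces option. Third, as Salasi says, a MAC is trivially spoofed, so this keeps out the casual user, not a determined one.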