LinuxQuestions.org
07-04-2012, 07:48 AM   #1
Wynman?
LQ Newbie
 
Registered: Apr 2011
Location: Lusaka, Zambia
Distribution: Ubuntu 12.04 LTS
Posts: 2

How to use IP Tables in Linux Voyage Version: 0.7


Hi All,

I am using Linux Voyage Version 0.7 on a Soekris Net5501 box in my project as the first device on my LAN.
The box is configured as a DHCP, DNS and Web server in addition to a few other services.

Client computers access the content of this local server and the internet through a wireless access point connected to Ethernet port 2 or 3 of the Soekris box, and the two ports are bridged.

My problem is that I would like to filter access to the internet and local content by MAC address using iptables or other means necessary. In short, deny DHCP requests from certain clients, thereby effectively refusing them access to the LAN at all.

I know that this could be done on the access point, but I'd like to add and remove clients remotely, which I cannot do if that is implemented on the access point.

Can someone please tell me how I can do this? And if this cannot be done with IP tables, is there a way of denying access to some client computers on.

Many thanks
 
07-04-2012, 01:45 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,885

All things iptables are detailed here. That said
  • it isn't a five minute read; you probably wouldn't expect it to be, I suppose
  • I don't really like MAC filtering, given that MAC addresses can be falsified and will probably go wrong when you replace some hardware with new versions, but if it is the only way to do what you want...
 
1 members found this post helpful.
07-05-2012, 08:09 AM   #3
Wynman?
LQ Newbie
 
Registered: Apr 2011
Location: Lusaka, Zambia
Distribution: Ubuntu 12.04 LTS
Posts: 2

Original Poster
Thanks Salasi, yes indeed not a 5 minute read but I have found it very useful, will try it on the test server at home before I can implement it.

In all of the locations where I might want to do this MAC kind of filtering, all the client computers use wireless for local and internet access, likely that someone shared their wireless key and allowed unauthorized personnel on the network.
The default rule in the IP Tables is ACCEPT so I would like to drop specified MAC addresses.

Salasi, what would you suggest as the solution for this kind of situation, given that the MAC address can be "falsified"?

Many thanks again
 
07-05-2012, 10:50 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,885

Quote:
Originally Posted by Wynman?
> The default rule in the IP Tables is ACCEPT so I would like to drop specified MAC addresses.

What the default rule (you mean the policy, I think) is or is not seems irrelevant:
  • Policies only apply to inbuilt chains; 'home made' chains don't even have a policy that you can set
  • A policy can be functionally 'emulated' by doing the same thing in the final instructions in the chain, so you can make any chain behave as if it had a policy of drop or accept by appropriate final instructions
  • (there is an argument that using the 'final instruction' approach is better than using policies because, if you make a mistake adding rules, a policy of drop might lock you out of your own server, where, if you have the policy as accept but are 'emulating' drop, wiping out the rules in that chain may leave you with access)
  • whatever, you still need some way to distinguish between 'packets that are allowed' and 'packets that are not allowed' and once you can do that you can do anything that you want with those packets
so you can make a chain behave in any way you want

Quote:
Originally Posted by Wynman?
> In all of the locations where I might want to do this MAC kind of filtering, all the client computers use wireless for local and internet access, likely that someone shared their wireless key and allowed unauthorized personnel on the network.

Hmmm, well if you can't trust what should be your security measures... You are saying that you have a wireless network, which should be secured by WEP/WPA/whatever (hope it isn't actually WEP), but you are afraid that the WPA key has leaked. There is no other user logon to get to resources (this sounds doubtful to me... yes, it could work if it is only, e.g., web access that is being granted, but if people are getting at their stored data on a server, for example, then that would raise big security concerns) then it would be difficult.

But bear in mind that someone competent (you may think that's a non-existent risk, and that's an estimation too easily made if you ever interact with users ...)
  • can change the MAC address on their network interface quite easily
  • can snoop MAC addresses, so it may not even be necessary for the legitimate owner of the MAC address to do anything wrong for the usable MAC to leak to someone who wants to get it
 
1 members found this post helpful.
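
The approach discussed in posts #3 and #4, as an added example that is not from any poster in this thread: a shell function that turns a list of MAC addresses into a user-defined chain whose last rule stands in for a policy. The chain name MACFILTER, the bridge interface br0 and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example: build an iptables-restore fragment for a MAC filter chain.
# Assumptions (not from the thread): chain name MACFILTER, bridge interface br0.
#
# Apply as root; --noflush leaves the rules in the other chains alone:
#   gen_mac_chain deny < macs.txt | iptables-restore --noflush
# Then hook the chain in once (the mac match works in INPUT and FORWARD):
#   iptables -I INPUT   -i br0 -j MACFILTER
#   iptables -I FORWARD -i br0 -j MACFILTER

# gen_mac_chain MODE   (one MAC per line on stdin, '#' starts a comment)
#   deny  : DROP listed MACs, final rule RETURN (behaves like policy ACCEPT)
#   allow : RETURN listed MACs, final rule DROP (behaves like policy DROP)
gen_mac_chain() {
    mode=$1
    case $mode in
        deny)  hit=DROP   last=RETURN ;;
        allow) hit=RETURN last=DROP   ;;
        *) echo "usage: gen_mac_chain deny|allow" >&2; return 2 ;;
    esac
    rules=
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and whitespace, normalise hex digits to upper case.
        mac=$(printf '%s' "${line%%#*}" | tr -d ' \t\r' | tr 'a-f' 'A-F')
        [ -z "$mac" ] && continue
        # Refuse the whole list on a malformed entry, so a typo never
        # produces a partial ruleset.
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
            echo "invalid MAC address: $line" >&2
            return 1
        fi
        rules="${rules}-A MACFILTER -m mac --mac-source $mac -j $hit
"
    done
    # User-defined chains have no policy, so the last rule decides the
    # fate of every packet that matched nothing above it.
    printf '*filter\n:MACFILTER - [0:0]\n%s-A MACFILTER -j %s\nCOMMIT\n' \
        "$rules" "$last"
}
```

In `deny` mode an emptied chain still passes traffic, which is the lock-out argument made in post #4; neither mode authenticates clients, since the match only sees the source MAC a client chooses to send.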
  

