Fedora Linux Support Community & Resources Center
  #1  
Old 10th December 2008, 09:41 PM
dodbdts Offline
Registered User
 
Join Date: Mar 2008
Posts: 42
iptables mac filtering

Hey all, I was wondering what would be the best way to MAC filter connections for my current setup.

What I've got is FC10 running NAT and I want to MAC filter all TCP connections. About 5 or so connections will be allowed full access and the rest will be blocked or redirected (based on their MAC address... I know about MAC spoofing, and I've got rules set up in my iptables script to check MACs against their designated IP addresses, so I'm not as concerned with that security for the moment).

my current scripts look something like:

MAC1="xx:xx:xx:xx:xx:xx"
MAC2="yy:yy:yy:yy:yy:yy"
MAC3="zz:zz:zz:zz:zz:zz"

iptables -A PREROUTING -t nat -p tcp -i eth0 -m mac --mac-source ! $MAC1 --mac-source ! $MAC2 --mac-source ! $MAC3 -j DROP

DROP may also be substituted by DNAT --to-dest xxx.xxx.xxx.xxx:yyyy or something along those lines.

The problem that I'm having, however, is that instead of allowing MAC1, MAC2, and MAC3 through... iptables seems to be dropping everything. So, I guess, is there a way to filter all connections and only allow a certain few MACs through? Thank you.
  #2  
Old 11th December 2008, 08:34 AM
dodbdts Offline
Registered User
 
Join Date: Mar 2008
Posts: 42
After reading some man pages and putting 2 and 2 together I've come up with something that seems to work:

# Define MAC Addresses
MAC1="xx:xx:xx:xx:xx:xx"
MAC2="yy:yy:yy:yy:yy:yy"
MAC3="zz:zz:zz:zz:zz:zz"

# Configure rules for CHECKMAC chain
iptables -t nat -N CHECKMAC
iptables -A CHECKMAC -t nat -m mac --mac-source $MAC1 -j ACCEPT
iptables -A CHECKMAC -t nat -m mac --mac-source $MAC2 -j ACCEPT
iptables -A CHECKMAC -t nat -m mac --mac-source $MAC3 -j ACCEPT
iptables -A CHECKMAC -t nat -j DROP

# Pass all internal traffic passing through eth0 to the CHECKMAC chain
iptables -A PREROUTING -t nat -i eth0 -j CHECKMAC

While looking around I wasn't really able to find a good example of this...so I hope this helps someone eventually :-)
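The script in the post above builds the allowlist by hand, one ACCEPT per address and a trailing DROP, which is the right shape: the iptables mac match carries a single --mac-source per rule, so the allowlist has to be a chain of rules rather than one rule with several negated addresses. As an added example (not from this thread or its poster), the script below generates that same CHECKMAC chain from a list, validates each MAC before emitting a rule, optionally pins a MAC to the IP it is supposed to use (the pairing post #1 mentions), and can be re-run without failing on an existing chain. It assumes eth0 as the internal interface, the nat PREROUTING hook used in the thread, and a constructed "MAC [IP]" whitelist; it only prints the iptables commands so they can be reviewed, and applying them (piping the output to sh as root) is a separate, deliberate step.

```shell
#!/bin/sh
# Added example, not from the thread: build the CHECKMAC allowlist chain of
# post #2 from a list instead of by hand. Assumptions (not stated in the
# thread): internal interface eth0, the chain hooked from nat PREROUTING as
# in the thread, and a "MAC [IP]" whitelist format. The script only PRINTS
# the iptables commands so they can be reviewed; run the output as root
# (e.g. ./checkmac.sh | sh) to apply them.

LAN_IF="${LAN_IF:-eth0}"
CHAIN="CHECKMAC"

# Constructed sample whitelist: one "MAC [IP]" entry per line. When an IP is
# given, the rule also requires that source IP, which is the MAC-to-IP pairing
# post #1 mentions. The last two entries are deliberately malformed (the
# trailing colon mirrors the typo in post #1) to show they are skipped.
WHITELIST='
00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.11
00:11:22:33:44:77
de:ad:be:ef:00:zz
00:11:22:33:44:
'

# Succeed only for a well-formed MAC: six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the commands that (re)build the chain from $WHITELIST.
gen_rules() {
    # Create the chain, or flush it if it already exists, so re-running the
    # script neither fails on "-N" nor appends duplicate rules.
    echo "iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN"

    printf '%s\n' "$WHITELIST" | while read -r mac ip; do
        if [ -z "$mac" ]; then
            :                                   # blank line, nothing to do
        elif ! is_mac "$mac"; then
            echo "# skipped malformed entry: $mac"
        elif [ -n "$ip" ]; then
            echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -s $ip -j ACCEPT"
        else
            echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -j ACCEPT"
        fi
    done

    # Everything that matched no allowlisted MAC falls through to DROP.
    echo "iptables -t nat -A $CHAIN -j DROP"

    # Hook the chain into PREROUTING only if that jump is not already there.
    echo "iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -t nat -I PREROUTING -i $LAN_IF -j $CHAIN"
}

gen_rules
```

Two things worth knowing when using this. The mac match only works in the PREROUTING, INPUT and FORWARD hooks, where the Ethernet header is still attached, so the chain cannot be moved to OUTPUT or POSTROUTING. And the nat table is consulted only for the first packet of a connection; plain filtering conventionally lives in the filter table's FORWARD chain, and the thread puts it in nat PREROUTING only so that DROP can be swapped for a DNAT redirect as post #1 describes. Pairing a MAC with its IP (the -s option) narrows what a borrowed address can do but, as David says later in the thread, neither the MAC nor the IP is an authentication factor.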
  #3  
Old 28th December 2008, 04:39 PM
hermouche Offline
Registered User
 
Join Date: Apr 2006
Location: Algeria
Posts: 800
Hi and thanks,

I am interested in your firewall but in my case I've got almost one hundred IP addresses (it's a student campus).
The other thing is that I guess that some students are spoofing their MAC address!!!

What might be the solution for me???

I tried at the beginning to DROP some students using iptables scripts against their MAC address individually, but in the end I saw that it is not a radical solution.....

They tend to just change to another MAC address....
The big question is that they connect themselves using access points "WIFI".
The other thing is that they are getting their IP address via DHCP.
Well, this is my actual situation!!!

red
__________________
IBM ThinkPad z60m

Last edited by hermouche; 28th December 2008 at 04:42 PM.
  #4  
Old 28th December 2008, 04:53 PM
David Becker Offline
Registered User
 
Join Date: Feb 2006
Posts: 780
Quote:
Originally Posted by hermouche View Post
Hi and thanks,

I am interested in your firewall but in my case I've got almost one hundred IP addresses (it's a student campus).
ipset

Quote:
Originally Posted by hermouche View Post
The other thing is that I guess that some students are spoofing their MAC address!!!
Forget about them. Too much trouble for too little gain. Just ensure you don't rely on MAC addresses for (elevated) authorisation/clearance.

David
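David's one-word answer to the hundred-address case is ipset: instead of walking a chain of a hundred mac-match rules for every packet, iptables checks a single hashed set, and the set can be reloaded without touching the firewall rule. As an added example (not from this thread or its posters), the script below shows that arrangement. It assumes an ipset version that provides the hash:mac set type, eth0 as the internal interface, a set named allowed_macs, and a constructed list of addresses; like the thread's scripts it prints the commands rather than executing them, so the output can be reviewed before being run as root. It also shows the reload step done atomically, filling a scratch set and swapping it in, so a reload never leaves the live set half-empty with every client being dropped.

```shell
#!/bin/sh
# Added example, not from the thread: the MAC allowlist as an ipset, which is
# what David suggests for ~100 addresses. Assumptions (not stated in the
# thread): ipset with the hash:mac set type, internal interface eth0, set
# name "allowed_macs". The script only PRINTS the commands; run its output
# as root to apply it.

LAN_IF="${LAN_IF:-eth0}"
SET="allowed_macs"

# Constructed sample allowlist, one MAC per line (a campus list would be ~100
# entries). The last entry is deliberately malformed to show it is skipped.
MACS='
00:11:22:33:44:55
00:11:22:33:44:66
00:11:22:33:44:77
not-a-mac
'

# Succeed only for a well-formed MAC: six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the commands that (re)load the set atomically: fill a scratch set,
# then swap it with the live one, so the live set is never partially loaded
# while clients are being checked against it.
gen_set_reload() {
    echo "ipset create $SET hash:mac -exist"
    echo "ipset create ${SET}_new hash:mac -exist"
    echo "ipset flush ${SET}_new"
    printf '%s\n' "$MACS" | while read -r mac; do
        if [ -z "$mac" ]; then
            :                                   # blank line, nothing to do
        elif is_mac "$mac"; then
            echo "ipset add ${SET}_new $mac"
        else
            echo "# skipped malformed entry: $mac"
        fi
    done
    echo "ipset swap ${SET}_new $SET"
    echo "ipset destroy ${SET}_new"
}

# Print the single firewall rule: drop anything arriving on the internal
# interface whose source MAC is not in the set. "src" selects the source
# MAC for a hash:mac set. The rule is inserted only if not already present.
gen_rule() {
    echo "iptables -t nat -C PREROUTING -i $LAN_IF -m set ! --match-set $SET src -j DROP 2>/dev/null || iptables -t nat -I PREROUTING -i $LAN_IF -m set ! --match-set $SET src -j DROP"
}

gen_set_reload
gen_rule
```

After the first run, adding or removing a student means editing the list and re-running only the set reload; the iptables rule stays in place. The set match, like the mac match in the earlier posts, needs the Ethernet header and so belongs in PREROUTING, INPUT or FORWARD. It scales the allowlist; it does not change David's point that a MAC is an identifier a client chooses for itself, so the set should gate convenience (which hosts the NAT forwards) and not anything that amounts to elevated authorisation.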