Iptables MAC Address Filtering
LAN or wireless access can be filtered by using the MAC addresses of the devices transmitting within your network. A MAC address (media access control address) is a unique address assigned to almost all networking hardware such as Ethernet cards, routers, mobile phones, wireless cards and so on (see the MAC address article at Wikipedia for more information). This quick tutorial explains how to block or deny access by MAC address using iptables, the Linux administration tool for IPv4 packet filtering and NAT.
Linux iptables comes with the mac module. This module matches packets traveling through the firewall based on their MAC (Ethernet hardware) source address. It offers good protection against malicious users who spoof or change their IP address, because the rule keys on the hardware address rather than on the IP header. Remember that MAC filtering only makes sense for packets coming from an Ethernet device and entering the following chains:
- PREROUTING
- FORWARD
- INPUT
Examples: Access Restrictions Using MAC Address
Drop all connections coming from MAC address 00:0F:EA:91:04:08 (add the following command to your firewall script):
/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
Allow port 22 from MAC address 00:0F:EA:91:04:07:
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
You can also restrict the rule to an interface name such as eth1:
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
You can also use the FORWARD chain:
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
You can also use NEW and other supported states as follows so that a known MAC address can be forwarded:
/sbin/iptables -A FORWARD -m state --state NEW -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
How Do I Skip a Certain MAC Address?
Use the following syntax:
/sbin/iptables -A INPUT -p tcp --dport PORT -m mac ! --mac-source MAC-ADDRESS-HERE-TO-SKIP -j DROP
### Drop ssh access to all except our own MAC address ###
/sbin/iptables -A INPUT -p tcp --dport 22 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP
### Save rules ###
/sbin/service iptables save
The ! symbol means NOT. Your firewall will DROP packets destined for port 22 so long as they do NOT originate from your own computer with the desired MAC address.
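The "!" rule above only works for a single trusted machine. As an added example that is not part of the original tutorial, the POSIX shell script below generalizes it to an allow-list of several MAC addresses: it validates each address, refuses chains in which the mac match cannot see an Ethernet source, and prints the iptables commands instead of running them so they can be reviewed first. The function names, the interface eth1 and the MAC values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build an allow-list of
# MAC addresses for one TCP port and print the iptables commands instead
# of executing them (review the output, then pipe it to sh to apply).

# Return 0 when $1 is a colon-separated 48-bit MAC address (e.g. 00:0F:EA:91:04:07).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 when the mac match is usable in filter-table chain $1.
# The mac module only sees an Ethernet source on incoming packets,
# so OUTPUT (and anything else) is rejected.
mac_chain_ok() {
    case "$1" in
        INPUT|FORWARD) return 0 ;;
        *) return 1 ;;
    esac
}

# mac_allow_rules CHAIN IFACE PORT "MAC1 MAC2 ..."
# Emit one ACCEPT rule per trusted MAC, then a DROP for the same port so
# every other source is refused: the multi-address form of "! --mac-source".
mac_allow_rules() {
    chain=$1 iface=$2 port=$3 macs=$4
    mac_chain_ok "$chain" || { echo "mac match not usable in chain $chain" >&2; return 1; }
    for mac in $macs; do
        valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
        printf '/sbin/iptables -A %s -i %s -p tcp --dport %s -m mac --mac-source %s -j ACCEPT\n' \
            "$chain" "$iface" "$port" "$mac"
    done
    printf '/sbin/iptables -A %s -i %s -p tcp --dport %s -j DROP\n' "$chain" "$iface" "$port"
}

# Constructed sample: SSH on eth1 only from two known workstations.
mac_allow_rules INPUT eth1 22 "00:0F:EA:91:04:07 00:0F:EA:91:04:08"
```

Because the ACCEPT rules come before the DROP, rule order in the script matters; append these to an empty INPUT chain or insert them ahead of any broader accept rule.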
Protecting Against MAC Address Spoofing From Trusted Systems
A malicious user can spoof the MAC address of a trusted system. To stop this kind of attack, use VLANs and/or static ARP entries. See the iptables man page for more information:
man 8 iptables