Allowing access only some sites - onely some mac address

Derick Anderson danderson at vikus.com
Tue Aug 30 15:39:18 CEST 2005

> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org 
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of 
> Grant Taylor
> Sent: Monday, August 29, 2005 10:28 PM
> To: netfilter at lists.netfilter.org
> Subject: Re: Allowing access only some sites - onely some mac address
> 
> Sebastião Antônio Campos (GWA) wrote:
> > I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > address could access only the following IP: 200.221.2.128,
> > 200.221.2.129, 200.221.2.130, 200.221.2.131, 200.205.144.75,
> > 200.205.144.76. But the other mac address could access everything.
> 
> I would be tempted to do something like the following:
> 
> # Create a new chain to put the allowed sites in for filtered MACs.
> iptables -t filter -N MACFilteredSites
> 
> # Watch for a specific MAC address and jump to said chain on matches.
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:0c:6E:11:E8:B0 -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:D8:02:D8:C8:DF -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:E7:05:C9:07:EA -j MACFilteredSites
> 
> # Only allow the filtered MACs to go to these sites (IP addresses).
> # Note:  We do not need to test for -i and -o interfaces b/c
> # we tested for this before we got to this chain.
> iptables -t filter -A MACFilteredSites -d 200.221.2.128 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.129 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.130 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.131 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.75 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.76 -j RETURN
> iptables -t filter -A MACFilteredSites -j LOG
> iptables -t filter -A MACFilteredSites -j DROP
> 
> 
> 
> Grant. . . .
> 

You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time.

If the particular users you are trying to filter for aren't very technical then I wouldn't worry, but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =)

Derick Anderson
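The scheme Grant describes above, written as a small generator script. This is an added example, not code from either poster: it prints the iptables commands for a list of restricted MACs and an allow-list of destination IPs instead of running them, so the ruleset can be reviewed before it is applied. The MACs and IPs are the ones from the thread; the interface names, the chain name and the log prefix are assumptions. The chain name is held in one variable, which avoids the MACFilterdSites/MACFilteredSites mismatch that would otherwise make the FORWARD rules fail to load.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Emits (does not execute) the iptables rules for "these MACs may only reach
# these IPs".  Review the output, then apply as root with:  sh mac_filter.sh | sh
LAN=${LAN:-eth1}      # assumption: LAN-facing interface
INET=${INET:-eth0}    # assumption: Internet-facing interface
CHAIN=MACFilteredSites

# Sample data taken from the thread: MACs to restrict, and the only
# destinations those MACs may reach.
FILTERED_MACS="00:0c:6e:11:e8:b0 00:d8:02:d8:c8:df 00:e7:05:c9:07:ea"
ALLOWED_DSTS="200.221.2.128 200.221.2.129 200.221.2.130 200.221.2.131 200.205.144.75 200.205.144.76"

# emit_rules CHAIN "MAC ..." "IP ..."  -> one iptables command per line
emit_rules() {
    chain=$1; macs=$2; dsts=$3

    # Create the chain, or flush it if it already exists, so re-runs are safe.
    printf 'iptables -t filter -N %s 2>/dev/null || iptables -t filter -F %s\n' "$chain" "$chain"

    # One FORWARD rule per restricted MAC.  -m mac matches the source MAC of
    # the frame as it arrives on $LAN, so this only works for hosts on that
    # directly attached segment; routed-in traffic carries the router's MAC.
    for mac in $macs; do
        printf 'iptables -t filter -A FORWARD -i %s -o %s -m mac --mac-source %s -j %s\n' \
            "$LAN" "$INET" "$mac" "$chain"
    done

    # Allow-list: permitted destinations RETURN to FORWARD (whose later rules
    # or policy must accept them); everything else is logged and dropped.
    for dst in $dsts; do
        printf 'iptables -t filter -A %s -d %s -j RETURN\n' "$chain" "$dst"
    done
    # Rate-limited LOG with a grep-friendly prefix so blocked attempts are
    # visible in syslog without flooding it.
    printf 'iptables -t filter -A %s -m limit --limit 5/min -j LOG --log-prefix "MACFILTER-DROP: "\n' "$chain"
    printf 'iptables -t filter -A %s -j DROP\n' "$chain"
}

# Number of commands a given input produces (used for a quick sanity check).
rule_count() { emit_rules "$@" | wc -l | tr -d ' '; }

emit_rules "$CHAIN" "$FILTERED_MACS" "$ALLOWED_DSTS"
```

Because the rules only fire for the listed MACs and everyone else falls through, a host that changes its MAC simply stops matching; the LOG line shows attempts that are blocked, and arpwatch, as suggested above, is what flags the MAC change itself.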


