topic Re: iptables -- plz help in Operating System - Linux

iptables -- plz help

Maaz — Sun, 22 Jan 2006 04:26:26 GMT

Dear Gurus

iptables -A INPUT -s 10.2.2.255 -p tcp --dport 80 -j ACCEPT

plz let me know the syntax when instead of "Source IP" i allow/deny on the basis of Sources' MAC address

Thanks n Regards
Maaz

Re: iptables -- plz help

Alexander Chuzhoy — Sun, 22 Jan 2006 04:48:58 GMT

try this:
iptables -A INPUT -m mac -mac-source xx:xx:xx:xx:xx -j ACCEPT

This will accept packets from matching MAC address

Re: iptables -- plz help

Matti_Kurkela — Sun, 22 Jan 2006 05:00:55 GMT

MAC address matching is an extension module to iptables, so the syntax is a bit different. For example:

iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

If your Linux will not accept that, it is possible that your iptables command and/or kernel are either too old or don't have MAC address matching module configured.

Remember that MAC address filters work in your local network segment only: anything that's coming in through a router has the router's MAC address when it gets to you.

Another thing that limits the usability of MAC address filtering is that the MAC addresses are easy to change: in Linux, it is usually as simple as "ifconfig eth0 hw ether 00:11:22:33:44:55". Even Windows usually allows you to do that, but the option is hidden rather deep in the network card's "Properties..." dialogs.

Re: iptables -- plz help

Steven E. Protter — Sun, 22 Jan 2006 05:01:23 GMT

Shalom Maaz,

As far as this goes, be careful on the denial side. Mac addresses are easy to clone and spoof.

If I may ask, what are you trying to accomplish? I've done a lot with iptables and can suggest a few things.

SEP

Re: iptables -- plz help

Stuart Browne — Sun, 22 Jan 2006 05:34:19 GMT

If you are trying to restrict users on a LAN to given machiens for given services, this is as good as you can get really.

You DHCP to given MAC's, then only allow those details through the firewall for given services.

At my friends church, this is exactally how we do it for the network.

Two networks over-lap there, so the restrictions only allow given area's given access based on the machine's MAC.

.. Then you add username details on top of that, and well, you've got a pretty secure network ..

Re: iptables -- plz help

Maaz — Sun, 22 Jan 2006 09:35:30 GMT

Dear All Zillions of thanks for help.. even a Great Help ;).

Dear Alexander Chuzhoy thanks for such a prompt reply .. esp thanks goes to u.

Dear Matti Kurkela... u r a very nice person ;), Zillions of thanks for such a nice and detailed reply.

Thanks Dear SEP... u too a nice/kind person ;). I am going to use S-MAC to only restric access to my own lan resources.

And Stuart Browne thank u so much for sharing ur knowledge ;). Dear Stuart Browne u wrote:
".. Then you add username details on top of that, and well, you've got a pretty secure network .."
I m sorry .. i always admit that i m dumb... what i understand is that its also possible that we can also use username as a source for deny/allow in IPtables ?

Re: iptables -- plz help

Stuart Browne — Sun, 22 Jan 2006 14:59:10 GMT

No, unfortunately it's not possible to use IPTables on that level.

You do that on the protocol level (with Apache's Allow/Deny in this case).

Re: iptables -- plz help

Maaz — Mon, 23 Jan 2006 00:07:23 GMT

Thanks Stuart