iptables -- plz help

 
Maaz
Valued Contributor

iptables -- plz help

Dear Gurus

iptables -A INPUT -s 10.2.2.255 -p tcp --dport 80 -j ACCEPT

plz let me know the syntax when instead of "Source IP" I allow/deny on the basis of the source's MAC address

Thanks n Regards
Maaz
Alexander Chuzhoy
Honored Contributor
Solution

Re: iptables -- plz help

try this:
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

This will accept packets from the matching MAC address.
Matti_Kurkela
Honored Contributor

Re: iptables -- plz help

MAC address matching is an extension module to iptables, so the syntax is a bit different. For example:

iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

If your Linux will not accept that, it is possible that your iptables command and/or kernel are either too old or don't have the MAC address matching module configured.

Remember that MAC address filters work in your local network segment only: anything that's coming in through a router has the router's MAC address when it gets to you.

Another thing that limits the usability of MAC address filtering is that the MAC addresses are easy to change: in Linux, it is usually as simple as "ifconfig eth0 hw ether 00:11:22:33:44:55". Even Windows usually allows you to do that, but the option is hidden rather deep in the network card's "Properties..." dialogs.
MK
Steven E. Protter
Exalted Contributor

Re: iptables -- plz help

Shalom Maaz,

As far as this goes, be careful on the denial side. Mac addresses are easy to clone and spoof.

If I may ask, what are you trying to accomplish? I've done a lot with iptables and can suggest a few things.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: iptables -- plz help

If you are trying to restrict users on a LAN to given machines for given services, this is as good as you can get really.

You DHCP to given MACs, then only allow those details through the firewall for given services.

At my friend's church, this is exactly how we do it for the network.

Two networks overlap there, so the restrictions only allow given areas given access based on the machine's MAC.


.. Then you add username details on top of that, and well, you've got a pretty secure network ..
One long-haired git at your service...
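Matti's post gives the correct `-m mac --mac-source` syntax, and Stuart's describes tying a DHCP-reserved IP to each MAC and then allowing only those pairs through the firewall. The following script is an added example (not code from this thread or from any of the posters) that builds such a ruleset: it validates each MAC address (six octets, which catches the common five-octet typo), emits one rule per MAC/IP pair that requires both to match, and closes with a default DROP for the port so anything unlisted is refused. It prints the rules rather than applying them so the output can be reviewed first. The MAC/IP pairs and the port number are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds MAC+IP whitelist rules
# for one TCP port and prints them for review instead of applying them.

# Validate a MAC address: six colon-separated hex octets.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one rule that accepts TCP to port $3 only when BOTH the source MAC
# and the source IP match (the DHCP-reserved pair). Returns 1 on a bad MAC.
mac_ip_rule() {
    mac=$1; ip=$2; port=$3
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    printf 'iptables -A INPUT -m mac --mac-source %s -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$mac" "$ip" "$port"
}

# Read a whitelist from stdin (one "MAC IP" pair per line), emit an ACCEPT
# rule per pair, then a default DROP for the port so unlisted hosts are denied.
build_ruleset() {
    port=$1
    while read -r mac ip; do
        [ -z "$mac" ] && continue
        mac_ip_rule "$mac" "$ip" "$port" || return 1
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed sample whitelist: two LAN hosts allowed to reach port 80.
build_ruleset 80 <<'EOF'
00:11:22:33:44:55 10.2.2.10
00:11:22:33:44:66 10.2.2.11
EOF
```

Requiring both the MAC and the reserved IP in one rule means a host that only changes one of the two (the easy part, as Matti and SEP note for the MAC) still does not match; the rules only apply on the local segment, since traffic arriving via a router carries the router's MAC.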
Maaz
Valued Contributor

Re: iptables -- plz help

Dear All Zillions of thanks for help.. even a Great Help ;).

Dear Alexander Chuzhoy thanks for such a prompt reply .. esp thanks goes to u.

Dear Matti Kurkela... u r a very nice person ;), Zillions of thanks for such a nice and detailed reply.

Thanks Dear SEP... u too a nice/kind person ;). I am going to use S-MAC to only restrict access to my own lan resources.

And Stuart Browne thank u so much for sharing ur knowledge ;). Dear Stuart Browne u wrote:
".. Then you add username details on top of that, and well, you've got a pretty secure network .."
I'm sorry .. I always admit that I'm dumb... what I understand is that it's also possible that we can also use username as a source for deny/allow in IPtables?
Stuart Browne
Honored Contributor

Re: iptables -- plz help

No, unfortunately it's not possible to use IPTables on that level.

You do that on the protocol level (with Apache's Allow/Deny in this case).
One long-haired git at your service...
Maaz
Valued Contributor

Re: iptables -- plz help

Thanks Stuart