Wikipedia says:
Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NICs). It is a number that acts like a name for a particular network adapter, so, for example, the network cards (or built-in network adapters) in two different computers will have different names, or MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today's hardware.
On a local network you will often need to control which internal hosts may send packets in and out of your proxy's interfaces. A proxy server here means a Linux gateway box that sits between the internal (client) hosts and the web and fronts their outbound traffic.
One of several ways to do this is to enforce host-based access lists in a Linux firewall keyed on the client's MAC address rather than its IP address, which a user can change in seconds. The same result can be had from the router, from firewall appliances, from first-hop bandwidth monitoring appliances or managed VLAN switches, from proxy software such as Squid, or from firewall distributions such as IPCop and many other open-source packages.
Since those appliances and routers are not cheap, we can instead use iptables on the proxy server or proxy gateway that is already in place to filter hosts by their MAC address. In short: MAC address packet filtering with iptables on an existing Linux proxy box.
Iptables man says:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
iptables is the default firewall tool shipped with Red Hat, CentOS and Fedora, having replaced ipchains long ago. It can match on many packet properties: the local user or group that generated a packet (the owner match, for locally originated traffic only), source and destination ports, source and destination hosts or networks, protocol, TCP flags, and, the subject of this entry, the source MAC address.
This entry assumes that a proxy server is already in place on your network and that you want to filter the Linux/Windows client machines behind it by MAC address using iptables.
Here's an entry on how to filter out MAC address using Linux IPTable firewall.
IPTABLES INSTALLATION
=====================
# yum -y install iptables
IPTABLES FIREWALL PACKAGE VERIFICATION
======================================
# rpm -qa iptables
IPTABLES MAC ADDRESS FILTERING
==============================
Here are sample iptables rules that block a host by MAC address on the proxy server or Linux proxy gateway already in place. Add them to the INPUT chain (or, on a stock Red Hat/CentOS system, to the RH-Firewall-1-INPUT chain that INPUT jumps to). Note that the mac match is only available in the INPUT, FORWARD and PREROUTING chains, because a packet only carries a source MAC on the interface it arrived on; on a NAT gateway that forwards client traffic rather than proxying it, the rule belongs in FORWARD instead.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# iptables -A INPUT -m mac --mac-source 00:02:A5:EC:00:8B -j DROP
Alternatively, as a line in /etc/sysconfig/iptables (no leading "#", which would turn the line into a comment):
-A RH-Firewall-1-INPUT -m mac --mac-source 00:02:A5:EC:00:8B -j DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The rule above blocks the host with MAC address 00:02:A5:EC:00:8B from reaching the proxy, whatever IP address it currently holds and whatever source or destination ports it uses. Two caveats: the proxy only sees a client's real MAC when the client is on the same Ethernet segment (for a host behind another router the source MAC is that router's), and a MAC address is easily changed on most hardware, as the Wikipedia excerpt notes, so this is a control against casual evasion rather than a strong identification of the host.
Extending MAC Address Filters via Iptables
==========================================
If instead you want to allow only port 80 (HTTP) for the host with MAC address 00:02:A5:EC:00:8B, add an ACCEPT rule before the DROP rule above. Order matters: iptables evaluates a chain top to bottom and stops at the first matching rule, so if the DROP line comes first the ACCEPT line is never reached. Either insert the ACCEPT rule with -I rather than appending it with -A, or place it above the DROP line in /etc/sysconfig/iptables.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# iptables -I INPUT -p tcp --destination-port 80 -m mac --mac-source 00:02:A5:EC:00:8B -j ACCEPT
Alternatively, as a line in /etc/sysconfig/iptables placed above the DROP line (again without a leading "#"):
-A RH-Firewall-1-INPUT -p tcp --destination-port 80 -m mac --mac-source 00:02:A5:EC:00:8B -j ACCEPT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
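The block rule in the previous section and the port-80 ACCEPT rule in this one are really a single policy whose correctness depends on rule order. The script below is an added example, not code from the original post: it emits that policy as a dedicated user-defined chain, so the per-port ACCEPT rules always precede the final DROP and the script can be re-run without duplicating rules. It also generalizes slightly beyond the page by letting the chain hook into FORWARD for a gateway that routes rather than proxies. The chain name MACFILTER, the HOOK variable, the sample MAC and the port list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's two rules as an
# ordered policy in a dedicated user chain, so the per-port ACCEPT rules are
# guaranteed to come before the final DROP however many times this is re-run.
# The chain name MACFILTER, the hook chain, the MAC and the port list are
# constructed for this example, not values from the page.

CHAIN=MACFILTER
# The mac match only works in INPUT, FORWARD and PREROUTING. INPUT covers
# clients that talk to the proxy itself; set HOOK=FORWARD on a NAT gateway
# that routes client traffic instead of proxying it.
HOOK=${HOOK:-INPUT}

# valid_mac MAC: succeed only for the XX:XX:XX:XX:XX:XX form that the
# iptables mac match accepts.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_policy MAC [PORT...]: print the iptables commands that let the host
# with this MAC reach only the listed TCP ports on the proxy and drop
# everything else it sends. With no ports it is a plain block, like the
# first rule in the post. Nothing is applied here; review the output, then
# pipe it to sh as root.
mac_policy() {
    mac=$1
    shift
    valid_mac "$mac" || { echo "mac_policy: bad MAC '$mac'" >&2; return 1; }
    # Create the chain on first use, flush it on later runs (idempotent).
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for port in "$@"; do
        echo "iptables -A $CHAIN -p tcp --dport $port -m mac --mac-source $mac -j ACCEPT"
    done
    # Last rule in the chain: anything else from this MAC is dropped. Other
    # hosts match nothing here and fall back into $HOOK as before.
    echo "iptables -A $CHAIN -m mac --mac-source $mac -j DROP"
    # Hook the chain at the top of $HOOK exactly once, so it runs before any
    # broad ACCEPT (such as an ESTABLISHED,RELATED rule) could let the
    # blocked host's packets through.
    echo "iptables -D $HOOK -j $CHAIN 2>/dev/null"
    echo "iptables -I $HOOK 1 -j $CHAIN"
}

# Example run (constructed MAC, HTTP only), mirroring the post's second rule:
mac_policy 00:02:A5:EC:00:8B 80
```

To apply the printed commands run the script as root and pipe its output to sh; on Red Hat/CentOS, `service iptables save` then writes the result to /etc/sysconfig/iptables. A client's MAC can be read from the proxy with `arp -n` (or `ip neigh`) once the client has talked to the box, and the rules and their packet counters can be checked afterwards with `iptables -L MACFILTER -v -n --line-numbers`.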
iptables is a powerful Linux packet-filtering firewall, especially once its rules are tuned to fit your needs. To learn more, read the iptables man page and the documentation on the netfilter project site.
May iptables keep your Linux boxes protected, as always.
HTH
Wednesday, September 5, 2007
MAC address packet filtering using IPTables
ILoveTux - howtos and news
2 comments:
Can you help me to block proxy IPs using iptables?
For example, I can download the proxy servers' IP:port pairs from the fresh TXT proxy list on http://proxy-ip-list.com/.
Then I want to block all these IP and port combinations.
Alternatively, you can block them directly:
# route add -host IP-ADDRESS reject