Wednesday, September 5, 2007

MAC address packet filtering using IPTables

Wikipedia says:
Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NICs). It is a number that acts like a name for a particular network adapter, so, for example, the network cards (or built-in network adapters) in two different computers will have different names, or MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today's hardware.

There are situations on a local network that require controlling the packets going in and out of your proxy's interfaces, most of which originate from, or are requested by, internal hosts. Proxy servers are usually configurable Linux gateway machines that act as the front end to the web for the internal client hosts.

Implementing IP-based policies and access-list restrictions on a Linux-based firewall is one of many ways to filter hosts by MAC address. The same thing can be done by implementing MAC address filters at the router level, on firewall appliances, on first-hop bandwidth monitoring appliances, on VLAN switches, in other proxy software packages like Squid, in other Linux-based firewalls like IPCop, and in plenty of other open-source packages.

Considering the cost of acquiring these not-so-cheap appliances and routers, we can instead use the iptables already on an existing proxy server or proxy gateway to filter out hosts by their MAC address. In short: do MAC address packet filtering with the iptables of an existing Linux proxy box.

Iptables man says:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Linux iptables is currently the default firewall package shipped with RedHat, CentOS and Fedora, having replaced ipchains long ago. Iptables supports many types of filters. To name a few, iptables can build filters and firewall rules by username, by group ID and user profile, by source and destination port, by source and destination host, by URL, by IP address, by packet ID flags, by protocol, and a lot more, including filtering by MAC address.

This entry assumes that a proxy server is already in place inside your network and that you want to filter the Linux/Windows client machines behind it using MAC address packet filtering in iptables.

Here's how to filter by MAC address using the Linux iptables firewall. First make sure the iptables package is installed:

# yum -y install iptables

# rpm -qa iptables

Here are sample iptables lines that filter out a host by its MAC address on the proxy server or Linux proxy gateway already in place. Insert them into one of your existing iptables INPUT chains like so:

# iptables -A INPUT -m mac --mac-source 00:02:A5:EC:00:8B -j DROP

The same rule as it appears in /etc/sysconfig/iptables (RedHat's RH-Firewall-1-INPUT chain; note there is no leading "#" in the file, since that would turn the line into a comment):

-A RH-Firewall-1-INPUT -m mac --mac-source 00:02:A5:EC:00:8B -j DROP


The rule above blocks the host with MAC address 00:02:A5:EC:00:8B regardless of its current IP address and of the packets' source and destination ports.

Extending MAC Address Filters via Iptables

If you want to allow port 80 for the host with MAC address 00:02:A5:EC:00:8B, insert this line into your existing /etc/sysconfig/iptables rules at the top of your INPUT chain, ahead of the DROP rule above (iptables acts on the first rule that matches, so an ACCEPT placed after the DROP would never be reached):

# iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:02:A5:EC:00:8B -j ACCEPT

And in /etc/sysconfig/iptables form (again without the leading "#"):

-A RH-Firewall-1-INPUT -p tcp --destination-port 80 -m mac --mac-source 00:02:A5:EC:00:8B -j ACCEPT
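The following script is an added example, not code from the original post. It assembles both rules from this entry (the catch-all DROP and the port-80 ACCEPT for the same MAC) in the order iptables needs, since iptables stops at the first matching rule, and it prints the /etc/sysconfig/iptables form as well. The chain name MAC_FILTER and the print/apply modes are this script's own choices; the MAC address is the one used in the post. Two caveats worth knowing before relying on this: the mac match only works in the PREROUTING, INPUT and FORWARD chains because it reads the source MAC of the frame that arrived on the interface, so a client sitting behind another router shows up with that router's MAC, not its own; and because MAC addresses can be changed on most hardware (as the Wikipedia quote above notes), this is a convenience control for the local segment, not authentication of the host.

```shell
#!/bin/sh
# Added example (not from the original post): builds the two MAC rules from the
# post in the right order and prints or applies them. Assumptions: the chain
# name MAC_FILTER and the print/apply modes are this script's own choices; the
# MAC address 00:02:A5:EC:00:8B is the one the post uses.

# A MAC address is six hex pairs separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One-time setup: a dedicated chain, jumped to from the top of INPUT (traffic
# to the proxy process itself) and FORWARD (traffic routed through the gateway).
# The mac match is only valid in PREROUTING, INPUT and FORWARD, because it reads
# the source MAC of the frame that arrived on the interface.
mac_chain_setup() {
    cat <<'EOF'
iptables -N MAC_FILTER
iptables -I INPUT 1 -j MAC_FILTER
iptables -I FORWARD 1 -j MAC_FILTER
EOF
}

# Per-host rules. iptables stops at the first matching rule, so the port-80
# ACCEPT must come before the catch-all DROP for the same MAC.
mac_rules() {
    mac=$1
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
iptables -A MAC_FILTER -m mac --mac-source $mac -p tcp --dport 80 -j ACCEPT
iptables -A MAC_FILTER -m mac --mac-source $mac -j DROP
EOF
}

# The same two rules in /etc/sysconfig/iptables form for RedHat's
# RH-Firewall-1-INPUT chain. They must appear before that chain's final
# REJECT line, and without a leading "#" (which would make them comments).
sysconfig_rules() {
    mac=$1
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
-A RH-Firewall-1-INPUT -m mac --mac-source $mac -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m mac --mac-source $mac -j DROP
EOF
}

# mac_filter MAC [print|apply]: print the commands (default) or run them as root.
mac_filter() {
    mac=$1
    mode=${2:-print}
    rules=$(mac_chain_setup && mac_rules "$mac") || return 1
    if [ "$mode" = apply ]; then
        # Word-splitting $cmd is safe here: every field is a fixed token or a
        # MAC address that passed valid_mac.
        while IFS= read -r cmd; do
            $cmd || return 1
        done <<EOF
$rules
EOF
    else
        printf '%s\n' "$rules"
    fi
}

# Usage: sh mac_filter.sh 00:02:A5:EC:00:8B          (print the commands)
#        sh mac_filter.sh 00:02:A5:EC:00:8B apply    (apply them, as root)
if [ -n "${1:-}" ]; then
    mac_filter "$1" "${2:-print}"
fi
```

Run it once without the apply argument to review the exact commands, then with apply as root. The setup part (creating MAC_FILTER and jumping to it) is meant to run once; further hosts only need the two mac_rules lines appended to the chain.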


Iptables is a powerful Linux packet-filtering firewall, especially when properly tweaked and adjusted to fit your needs. If you wish to know more about iptables, read the man page. Further iptables reading can be found here.

May iptables keep your Linux boxes protected as always.



Roger said...

Can you help me block proxy IPs using iptables?

For example, I can download the proxy servers' IP:port pairs from the fresh TXT proxy list on

Then I want to block all these IP and port combinations.

VeRTiTO said...

Alternatively, you can block them directly:

# route add -host IP-ADDRESS reject
