GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon Jan 06, 2003 12:33 am Post subject: iptables and MAC filtering.

I want my router (using iptables) to allow a list of MACs (10 computers) to access the internet (forwarding eth1 -> eth0), but only these 10 computers.
So, if somebody else puts his computer on the internal network, he will not be able to use the internet, because the router is only forwarding the traffic from those 10 MAC addresses.
How can I do that?

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Mon Jan 06, 2003 1:59 am Post subject: Re: iptables and MAC filtering.

with netfilter. example (don't copy directly...):
Code:
    #!/bin/bash
    EXT_IF=eth0
    LAN_IF=eth1
    # default: forward nothing that is not explicitly allowed below
    iptables -P FORWARD DROP
    # edit: bugfix ;-)
    #for addr in $(/etc/MAC.allowed); do
    for addr in $(</etc/MAC.allowed); do
        iptables -A FORWARD -i $LAN_IF -o $EXT_IF -m mac --mac-source $addr -j ACCEPT
    done
the file /etc/MAC.allowed used in the example above contains all the mac addresses you want to allow access for, one per line.
hth, jukka
Last edited by jukka on Wed Jan 08, 2003 11:28 am; edited 1 time in total

rtn (Guru)
Joined: 15 Nov 2002 Posts: 427
Posted: Mon Jan 06, 2003 6:36 am

You'll need to make sure you include the MAC filtering into the kernel as well.
Code:
    CONFIG_IP_NF_MATCH_MAC=y
--rtn

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon Jan 06, 2003 11:09 am

Thanks, you are great.
Now I'll go and change my /etc/init.d/iptables to run a script instead of loading the saved state.

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon Jan 06, 2003 5:38 pm

I also want to make sure that only people who have been given an IP by the DHCP server are being forwarded, and not people who use a static IP with the same configuration.
How do I do that???

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Mon Jan 06, 2003 6:29 pm

GurliGebis wrote:
    I also want to make sure that only people who have been given an IP by the DHCP server are being forwarded, and not people who use a static IP with the same configuration.
    How do I do that???

i think you'll have to parse the dhcpd.leases file. but maybe there's a better solution.

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon Jan 06, 2003 9:03 pm

There has to be, because clients that time out don't get removed from that file.

delta407 (Bodhisattva)
Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Tue Jan 07, 2003 12:00 am

Tell iptables to accept packets only from your DHCP netblock, then.

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 12:01 am

But what if someone sets his computer to have a static IP that exists inside my DHCP range????

psp (Tux's lil' helper)
Joined: 06 Aug 2002 Posts: 120 Location: Cape Town, South Africa
Posted: Tue Jan 07, 2003 1:20 pm

There is no easy way around this... Perhaps you should look into using authenticated proxy servers or such..?

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 1:55 pm

Nahh, going to only allow the MACs, that way it is pretty limited.

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 6:25 pm

jukka, your code doesn't work.
Can somebody please make some that does?

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 6:56 pm

GurliGebis wrote:
    jukka, your code doesn't work.
    Can somebody please make some that does?

oops. replace this line
Code:
    for addr in $(/etc/MAC.allowed); do
with this:
Code:
    for addr in $(</etc/MAC.allowed); do
sorry!

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 7:05 pm

Got it working now (used another method close to yours).
Now, how do I check if the $addr is a valid MAC address (not that it exists on the network, just that it is a valid address)?

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 7:14 pm

GurliGebis wrote:
    Now, how do I check if the $addr is a valid MAC address (not that it exists on the network, just that it is a valid address)?

quick bash hack:
Code:
    # the substitution deletes every hex digit and colon; if nothing is
    # left over, no foreign character was present
    if [ -z "${addr//[a-fA-F0-9:]/}" ]; then
        echo "$addr is a valid mac address (or very close to ;-))"
    else
        echo "$addr is not valid"
    fi
in english: remove all characters [a-fA-F0-9:] from the contents of 'addr'. if something remains, addr is definitely invalid.
for 100% correct results you should use a regex, e.g. with sed or grep. example function:
Code:
    # returns 0 if $1 is six colon-separated pairs of hex digits, 1 otherwise
    checkmac()
    {
        echo "$1" | grep '^\([[:xdigit:]]\{2\}:\)\{5\}[[:xdigit:]]\{2\}$' >/dev/null && return 0
        return 1
    }
you can call this function and pass a mac address as an argument, as in
Code:
    if checkmac "$addr"; then
        echo "$addr is a valid mac address"
    else
        echo "$addr is not valid"
    fi
hth, jukka
Last edited by jukka on Tue Jan 07, 2003 7:36 pm; edited 2 times in total

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 7:23 pm

Ok, now how about the xx:xx:xx:xx:xx:xx:xx:xx notation???
Can't that be done with sed? (If it can, will you write a little function for that too?)

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 7:32 pm

GurliGebis wrote:
    Ok, now how about the xx:xx:xx:xx:xx:xx:xx:xx notation???

do you mean xx:xx:xx:xx:xx:xx? exactly that notation is what the bash hack checks...

Quote:
    Can't that be done with sed? (If it can, will you write a little function for that too?)

already done, see above. you were too fast

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 9:17 pm

hehe, I have to learn to read the whole post

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jan 08, 2003 2:34 am

well, I can't get it to work.
Will you please make a whole script that does work? (Shouldn't take long, since most of it is already there)
Here is my script, which returns invalid on all addresses (even valid ones):
Code:
    checkmac()
    {
        echo "$1" | grep '^\([[:xdigit:]]\{2\}:\)\{5\}[[:xdigit:]]\{2\}$' >/dev/null && return 0
        return 1
    }
    for addr in `cat /etc/mac.allow`; do
        if checkmac "$addr"; then
            echo "$addr is valid"
        else
            echo "$addr is not valid"
        fi
    done

jukka (Apprentice)
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Wed Jan 08, 2003 11:26 am

GurliGebis wrote:
    well, I can't get it to work. [...] returns invalid on all addresses (even valid ones)

i just tested it and it works. should be correct.

Quote:
    Will you please make a whole script that does work? (Shouldn't take long, since most of it is already there)

wouldn't it be nice if a single word from "your" script was written by you?
please post the contents of /etc/mac.allow, maybe that helps.
btw: $(</etc/mac.allow) is equivalent to `cat /etc/mac.allow`, but faster.
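Putting the pieces of this thread together (the FORWARD allow-list from jukka's first script and his checkmac regex), here is an added example in POSIX sh that is not code from any poster: it vets every entry of the list before it reaches iptables, skips blank and comment lines, reports malformed entries, and includes the ESTABLISHED,RELATED return-path rule that a FORWARD DROP policy needs so replies to permitted connections get back to the LAN. The interface names and the path /etc/MAC.allowed are assumptions taken from the thread; build_rules only prints the commands, so the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread): vet every entry
# of the allow-list before it reaches iptables and emit the complete
# FORWARD rule set, return path included. Assumed layout, taken from the
# thread: LAN on eth1, uplink on eth0, one MAC per line in /etc/MAC.allowed,
# '#' starting a comment.
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
MAC_FILE=${MAC_FILE:-/etc/MAC.allowed}

# Exit 0 only for the canonical aa:bb:cc:dd:ee:ff form: six colon-separated
# pairs of hex digits (either case) and nothing else. Same check as jukka's
# grep, written as an extended regex.
checkmac() {
    printf '%s\n' "$1" | grep -Eq '^([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}$'
}

# Print the iptables commands for the list in $1. Malformed entries are
# reported on stderr and skipped, and the function returns 1 if it saw any,
# so a caller can refuse to load a list that was not fully vetted.
build_rules() {
    file=$1
    bad=0
    echo "iptables -P FORWARD DROP"
    # replies to connections the allowed hosts opened must be let back in
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while read -r addr rest || [ -n "$addr" ]; do
        case "$addr" in ''|'#'*) continue ;; esac   # blank line or comment
        if checkmac "$addr"; then
            echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -m mac --mac-source $addr -j ACCEPT"
        else
            echo "skipping invalid MAC entry: '$addr'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Run directly, this prints the rules for review (a dry run); once the list
# is clean, pipe the output into sh to apply it.
[ -r "$MAC_FILE" ] && build_rules "$MAC_FILE"
```

Keep in mind that -m mac only sees the source address of the frame as it arrives on the router's LAN interface, a value the sending host sets itself, so this keeps unconfigured machines off the uplink but is not authentication (psp's point above).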

GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jan 08, 2003 11:30 am

It works now, I made a misspelling in it (not easy when you are tired).
So it is working now.
Again, thanks for your help.