Re: allowing connection

On Fri, 2004-09-10 at 14:18, Payal Rathod wrote:
> Hi,
> Right now I am allowing only my client's LAN access one of my 
> design's machine from the internet. Their LAN is a simple network,
> with a single IP and other machines are masqueraded. Now I want to allow
> only one of their machine to access my machine. Can I do it? I mean 
> the machine is on 192.168.1.x series of IP, but can I restrict it
> on mac address basis? If yes, how do I do it?
> 
> With warm regards,
> -Payal

so essentially:

+------------+  +----------------+
| CLIENT LAN |--| CLIENT MACHINE |
+------------+  +----------------+
      |
+-----------+
| CLIENT FW |
+-----------+
      |
      |
+----------+
| INTERNET |
+----------+
      |
      |
+---------+
| YOUR FW |
+---------+
      |
+---------+  +----------------+
|YOUR LAN |--| DESIGN MACHINE |
+---------+  +----------------+

Right now you allow whatever IP all of "Client LAN" is MASQ'ed behind to 
access "Design Machine."

To answer the question, can you filter by MAC address--the answer is 
a resounding, "no!"  The MAC address of "Client Machine" is stripped 
off by "Client FW" never to be seen again by any network device.

The only MAC address that you'll see on the external interface of
"Your FW" is that of your Internet router.

My suggestion:  protect the resource in question with a
username/password or certificate or whatever authentication suits you.
Only give the one person who needs access credentials to get in.
Keep the filtering policy as-is.

-j

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
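To make the point in Jason's reply concrete, here is an added simulation (not part of the original thread) of the frame as it crosses the diagram above: each router rebuilds the Ethernet header on every hop and the client firewall masquerades the source IP, so what reaches the external interface of "Your FW" carries the Internet router's MAC and the client firewall's public IP no matter which client machine sent it. All MAC and IP addresses below are constructed for illustration.

```python
"""Hop-by-hop simulation of a packet travelling Client Machine -> Client FW
(masquerading) -> Internet router -> Your FW.  Added example; every address
here is constructed, none belongs to a real network."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Hop:
    name: str
    in_mac: str        # MAC of the interface that receives the frame
    out_mac: str       # MAC of the interface that forwards it
    next_hop_mac: str  # MAC of the next device on the egress segment
    masq_ip: Optional[str] = None  # public IP used for SNAT if this hop masquerades

    def forward(self, frame: Frame) -> Frame:
        # A router only picks up frames addressed to its own interface MAC.
        if frame.dst_mac != self.in_mac:
            raise ValueError(f"{self.name}: frame not addressed to this hop")
        src_ip = self.masq_ip if self.masq_ip else frame.src_ip
        # The layer-2 header is built from scratch on the egress segment;
        # the originating host's MAC is not carried any further.
        return Frame(src_mac=self.out_mac, dst_mac=self.next_hop_mac,
                     src_ip=src_ip, dst_ip=frame.dst_ip)


def trace(frame: Frame, path: List[Hop]) -> List[Tuple[str, Frame]]:
    """Return the frame as seen on each segment along the path."""
    seen = [("client segment", frame)]
    for hop in path:
        frame = hop.forward(frame)
        seen.append((f"after {hop.name}", frame))
    return seen


# Constructed topology matching the ASCII diagram in the reply.
CLIENT_FW = Hop("Client FW",
                in_mac="02:00:00:00:01:01", out_mac="02:00:00:00:01:02",
                next_hop_mac="02:00:00:00:02:01", masq_ip="203.0.113.10")
INTERNET_ROUTER = Hop("Internet router",
                      in_mac="02:00:00:00:02:01", out_mac="02:00:00:00:02:02",
                      next_hop_mac="02:00:00:00:03:01")
YOUR_FW_EXT_MAC = "02:00:00:00:03:01"   # external interface of "Your FW"
DESIGN_MACHINE_IP = "198.51.100.5"       # constructed public address
PATH = [CLIENT_FW, INTERNET_ROUTER]


def arriving_frame(client_mac: str, client_ip: str) -> Frame:
    """Frame as it arrives on Your FW's external interface for one client host."""
    first = Frame(src_mac=client_mac, dst_mac=CLIENT_FW.in_mac,
                  src_ip=client_ip, dst_ip=DESIGN_MACHINE_IP)
    return trace(first, PATH)[-1][1]


if __name__ == "__main__":
    clients = [("02:aa:aa:aa:aa:01", "192.168.1.10"),
               ("02:aa:aa:aa:aa:02", "192.168.1.11")]
    for mac, ip in clients:
        f = arriving_frame(mac, ip)
        print(f"{ip} ({mac}) arrives as src_mac={f.src_mac} src_ip={f.src_ip}")
```

Two different hosts on the client LAN produce byte-for-byte identical headers at "Your FW", which is why a MAC match on that interface can only ever see the Internet router and an IP match can only ever see the whole masqueraded LAN; anything finer has to come from authentication on the design machine itself.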
