> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Grant Taylor
> Sent: Monday, August 29, 2005 10:28 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Allowing access only some sites - onely some mac address
>
> Sebastião Antônio Campos (GWA) wrote:
> > I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > address could access only the following IP: 200.221.2.128,
> > 200.221.2.129, 200.221.2.130, 200.221.2.131, 200.205.144.75,
> > 200.205.144.76. But the other mac address could access everything.
>
> I would be tempted to do something like the following:
>
> # Create a new chain to put the allowed sites in for filtered MACs.
> iptables -t filter -N MACFilteredSites
>
> # Watch for a specific MAC address and jump to said chain on matches.
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:0c:6E:11:E8:B0 -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:D8:02:D8:C8:DF -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:E7:05:C9:07:EA -j MACFilteredSites
>
> # Only allow the filtered MACs to go to these sites (IP addresses).
> # Note: We do not need to test for -i and -o interfaces b/c we tested for this before we got to this chain.
> iptables -t filter -A MACFilteredSites -d 200.221.2.128 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.129 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.130 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.131 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.75 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.76 -j RETURN
> iptables -t filter -A MACFilteredSites -j LOG
> iptables -t filter -A MACFilteredSites -j DROP
>
> Grant. . . .
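The same scheme, written as an added example that is not part of Grant's mail: the MAC list, the destination list and the chain name are the ones from the thread, while the interface names (`eth1`/`eth0` standing in for the mail's `${LAN}`/`${INet}`), the `iptables-restore` format and the two helper functions are my own assumptions. The `check_ruleset` helper verifies that every `-j` target in the generated ruleset is either a built-in target or a chain declared in the file, which is exactly the kind of mistake (a chain created under one spelling and jumped to under another) that otherwise only surfaces when the rules fail to load.

```shell
#!/bin/sh
# Added example, not code from the mail above: build the MACFilteredSites
# scheme as an iptables-restore ruleset and sanity-check it before loading.
# MAC list, destination list and chain name come from the thread; the
# interface names and the helper functions are my own assumptions.

LAN="eth1"    # assumed LAN-side interface (the mail's ${LAN})
INET="eth0"   # assumed Internet-side interface (the mail's ${INet})
CHAIN="MACFilteredSites"

# MACs that may only reach the listed destinations (from the thread).
FILTERED_MACS="00:0c:6E:11:E8:B0 00:D8:02:D8:C8:DF 00:E7:05:C9:07:EA"

# Destinations those MACs may reach; everything else is logged and dropped.
ALLOWED_DSTS="200.221.2.128 200.221.2.129 200.221.2.130 200.221.2.131 200.205.144.75 200.205.144.76"

# Emit a complete *filter section in iptables-restore format on stdout.
build_ruleset() {
    printf '%s\n' '*filter' ":$CHAIN - [0:0]"
    for mac in $FILTERED_MACS; do
        # Hand traffic from a filtered MAC to the restrictive chain.
        printf '%s\n' "-A FORWARD -i $LAN -o $INET -m mac --mac-source $mac -j $CHAIN"
    done
    for dst in $ALLOWED_DSTS; do
        # Allowed destination: RETURN to FORWARD so the usual rules apply.
        printf '%s\n' "-A $CHAIN -d $dst -j RETURN"
    done
    printf '%s\n' "-A $CHAIN -j LOG --log-prefix \"MACFILTER DROP: \"" \
                  "-A $CHAIN -j DROP" \
                  'COMMIT'
}

# Read a ruleset on stdin and fail if any -j target is neither a built-in
# target nor a chain declared with a ':NAME' line.  This catches a
# misspelled chain name (e.g. MACFilterdSites vs MACFilteredSites) that
# would otherwise make the jump rules fail to load.
check_ruleset() {
    ruleset=$(cat)
    declared=$(printf '%s\n' "$ruleset" | sed -n 's/^:\([^ ]*\) .*/\1/p')
    status=0
    for target in $(printf '%s\n' "$ruleset" |
                    sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        case " ACCEPT DROP RETURN LOG REJECT " in
            *" $target "*) continue ;;
        esac
        if ! printf '%s\n' "$declared" | grep -qx -- "$target"; then
            printf 'undeclared chain: %s\n' "$target" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage (needs root to load): validate first, then feed iptables-restore:
#   build_ruleset | check_ruleset && build_ruleset | iptables-restore
build_ruleset | check_ruleset && build_ruleset
```

Plain `iptables-restore` replaces the whole table it loads, so in practice these lines are merged into the full filter ruleset rather than loaded on their own; the RETURN targets keep the behaviour of the mail, where allowed destinations fall back to whatever the rest of FORWARD decides.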
> You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time. If the particular users you are trying to filter for aren't very technical then I wouldn't worry but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =)
>
> Derick Anderson
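Acting on Derick's suggestion means watching for exactly the event he describes: one of the filtered MACs disappearing from a host and another address taking its place. The script below is an added example, not code from the thread or from arpwatch: it scans syslog lines for arpwatch "changed ethernet address" reports (the log format and the sample lines are constructed for this example, and `flag_filtered_mac_changes` and `normalize_mac` are my own helpers) and raises an ALERT when the previous address belongs to the filtered list. The normalization step matters in practice because the MAC spelling used in the iptables rules (`00:0c:6E:11:E8:B0`) and the one arpwatch prints (`0:c:6e:11:e8:b0`) do not compare equal as strings.

```shell
#!/bin/sh
# Added example, not code from the mail above: scan arpwatch-style syslog
# lines for "changed ethernet address" events and raise an alert when the
# *old* address is one of the filtered MACs, i.e. a restricted host has
# started using a different MAC.  The log format and sample lines are
# constructed for this example; the MAC list is the one from the thread.

FILTERED_MACS="00:0c:6E:11:E8:B0 00:D8:02:D8:C8:DF 00:E7:05:C9:07:EA"

# Constructed sample log (assumed arpwatch format: MACs without leading
# zeros per octet, previous address in parentheses).
SAMPLE_LOG='Aug 29 22:31:02 gw arpwatch: new station 192.168.1.20 0:e7:5:c9:7:ea
Aug 29 22:35:10 gw arpwatch: changed ethernet address 192.168.1.20 10:d8:2:d8:c8:df (0:d8:2:d8:c8:df)
Aug 29 22:36:44 gw arpwatch: changed ethernet address 192.168.1.40 0:11:22:33:44:55 (0:aa:bb:cc:dd:ee)'

# Canonical form: lower-case, two hex digits per octet, so that the
# iptables spelling 00:0c:6E:11:E8:B0 and arpwatch's 0:c:6e:11:e8:b0 match.
normalize_mac() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = $i
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# Read syslog lines on stdin; print one ALERT/INFO line per MAC change.
flag_filtered_mac_changes() {
    filtered=""
    for m in $FILTERED_MACS; do
        filtered="$filtered $(normalize_mac "$m")"
    done
    sed -n 's/.*changed ethernet address \([^ ]*\) \([^ ]*\) (\([^)]*\)).*/\1 \2 \3/p' |
    while read -r ip new old; do
        new=$(normalize_mac "$new")
        old=$(normalize_mac "$old")
        case " $filtered " in
            *" $old "*) printf 'ALERT %s %s -> %s\n' "$ip" "$old" "$new" ;;
            *)          printf 'INFO %s %s -> %s\n'  "$ip" "$old" "$new" ;;
        esac
    done
}

# Usage on a live box: tail -F /var/log/syslog | flag_filtered_mac_changes
printf '%s\n' "$SAMPLE_LOG" | flag_filtered_mac_changes
```

On the constructed sample the second line produces `ALERT 192.168.1.20 00:d8:02:d8:c8:df -> 10:d8:02:d8:c8:df`, the case from Derick's mail, while the change on 192.168.1.40 is only reported as INFO because neither address is in the filtered list.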