Iptables MAC address filtering

Sometimes it is necessary to filter traffic by MAC address. A MAC (media access control) address is a unique address assigned to almost all networking hardware such as Ethernet cards, routers etc. (see MAC address on Wikipedia for more information).

Iptables comes with the mac match module. It matches packets traveling through the firewall based on their source MAC (Ethernet hardware) address, so a rule keyed on the MAC still applies when a host on the local segment spoofs or changes its IP address. Two caveats before relying on it: a MAC address is just as easy to change as an IP address (ifconfig eth0 hw ether ... does it in one command, as one of the comments below shows), and the firewall only ever sees the MAC of the last Ethernet hop, so for packets arriving through a router the address matched is the router's, not the original sender's. The module matches the source MAC only (there is no --mac-destination). Remember that MAC filtering only makes sense for packets coming from an Ethernet device and entering the chains:

  1. PREROUTING
  2. FORWARD
  3. INPUT

iptables blocking with MAC address
Drop all connections coming from MAC address 00:0F:EA:91:04:08 (add the command to your firewall script):

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

iptables allowing with MAC address
Allow TCP port 22 (SSH) for MAC address 00:0F:EA:91:04:07. Note that this ACCEPT only restricts who may reach port 22 if the chain's default policy, or a later rule, drops port 22 for everyone else:

iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

Read the mac section of the iptables man page (man iptables, or man iptables-extensions on newer releases) for more information.



1 Anonymous 01.07.06 at 8:58 am

Thanks!

2 Anonymous 08.15.06 at 9:41 am

hello, how to block ALL MAC addresses, so I can permit only privileged MAC addresses? thanks in advance

3 nixcraft 08.15.06 at 3:23 pm

You can set up a default policy to drop all packets and allow selected incoming packets with MAC-based filtering.
Set default INPUT to deny all:

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j ACCEPT

HTH
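Putting the article's block/allow rules together with the default-DROP policy from the reply above, here is an added example (not part of the original article or thread) that generates a complete SSH-by-MAC whitelist. It goes a little beyond the thread: it validates each MAC before emitting a rule, ties the rules to one interface (eth0 is an assumed name), optionally pins a MAC to one source IP as asked later in the comments, and prints the rules instead of applying them so they can be reviewed and then piped to sh as root. The MAC and IP values are constructed.

```sh
#!/bin/sh
# Generate (do not apply) an iptables ruleset that lets only whitelisted MAC
# addresses reach SSH, with everything else on INPUT dropped by default.
# Review the output, then run it as root from the console:  sh whitelist.sh | sh
# Assumptions: the LAN interface is eth0; all MACs/IPs below are constructed.

IFACE=${IFACE:-eth0}

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets, else 1.
# iptables rejects malformed addresses anyway, but checking first keeps a typo
# from aborting the script half-way through loading the ruleset.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_allow_port MAC PORT -> print an ACCEPT rule for TCP PORT from MAC.
# The rule is tied to $IFACE: the mac match only sees the last Ethernet hop,
# so a MAC rule on a routed interface would match the router, not the host.
mac_allow_port() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m mac --mac-source %s -j ACCEPT\n' \
        "$IFACE" "$2" "$1"
}

# mac_ip_allow_port MAC IP PORT -> as above, but the MAC must also be using IP.
mac_ip_allow_port() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    printf 'iptables -A INPUT -i %s -p tcp -s %s --dport %s -m mac --mac-source %s -j ACCEPT\n' \
        "$IFACE" "$2" "$3" "$1"
}

# ssh_whitelist MAC[,IP] ... -> print the full ruleset: flush INPUT, keep
# loopback and already-established sessions working, one ACCEPT per entry,
# a LOG rule so refused SSH attempts show up in syslog (with their MAC= field),
# and only then switch the INPUT policy to DROP so a remote admin is not cut
# off before the ACCEPT rules are in place.
ssh_whitelist() {
    cat <<EOF
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for entry in "$@"; do
        mac=${entry%%,*}
        ip=${entry#*,}
        if [ "$ip" = "$entry" ]; then      # no comma: MAC only
            mac_allow_port "$mac" 22 || return 1
        else
            mac_ip_allow_port "$mac" "$ip" 22 || return 1
        fi
    done
    echo 'iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH DROP: "'
    echo 'iptables -P INPUT DROP'
}

# Constructed whitelist: the two MACs from the article; the second is also
# pinned to an (assumed) address 192.168.1.200.
ssh_whitelist 00:0F:EA:91:04:07 00:0F:EA:91:04:08,192.168.1.200
```

Because the generator only prints, a bad entry stops the output early rather than leaving the firewall half-loaded; the DROP policy is emitted last for the same reason. Ports other than SSH are still closed by the policy, so add further ACCEPT lines for any other service the box must offer.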

4 Michael Egan 11.15.06 at 12:40 am

Does anybody know if this works on Suse 10.0? I need to filter a few MACs.

5 rick 03.23.07 at 10:46 pm

Is there a way to get the MAC address of an attacker via iptables logging? All of the log levels that I’ve tried give me my server’s MAC address. I’d love to get the MAC of the person I’m blocking so I can block on their MAC in case they try using a proxy.

ex: -A RH-Firewall-1-INPUT -s ATTACKER_IP_HERE -j LOG --log-level 4 --log-prefix "DROP ATTACKER: "

this results in logs such as…
Mar 21 13:38:41 server_name kernel: DROP ATTACKER: IN=eth0 OUT= MAC=MY_SERVER_MAC_ADDR_HERE SRC=ATTACKER_IP_HERE DST=MY_SERVER_IP LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=50714 DF PROTO=TCP SPT=39616 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
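Added example, not part of the original thread, for reading the MAC= field that the LOG target prints. On Ethernet that field is the raw 14-byte frame header: six octets of destination MAC (the logging box's own interface), six octets of source MAC, then a two-octet EtherType (08:00 for IPv4, 86:dd for IPv6). The sender's MAC is therefore octets 7 to 12, and for a packet routed in from another network it is the upstream router's address, not the remote attacker's. The log line below is constructed with made-up addresses; the helper names are this example's own.

```sh
#!/bin/sh
# Pull the source MAC and EtherType out of an iptables LOG line.  The MAC=
# value is dst(6):src(6):ethertype(2), so the first six octets are always the
# receiving interface's own address.

# log_mac_field LINE -> print the whole MAC= value, or nothing if absent
log_mac_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]MAC=\([^[:space:]]*\).*/\1/p'
}

# log_src_mac LINE -> octets 7..12 of the MAC= field, lower-cased; fails if
# the line has no MAC= field or it is shorter than an Ethernet header
log_src_mac() {
    field=$(log_mac_field "$1")
    [ -n "$field" ] || return 1
    printf '%s\n' "$field" |
        awk -F: 'NF >= 12 { printf "%s:%s:%s:%s:%s:%s\n", $7, $8, $9, $10, $11, $12 }' |
        tr 'A-F' 'a-f'
}

# log_ethertype LINE -> the last two octets, e.g. 08:00 for IPv4
log_ethertype() {
    field=$(log_mac_field "$1")
    [ -n "$field" ] || return 1
    printf '%s\n' "$field" |
        awk -F: 'NF >= 14 { printf "%s:%s\n", $13, $14 }' |
        tr 'A-F' 'a-f'
}

# Constructed sample line (addresses made up; not from a real system).  The
# logging host's interface is 00:0f:ea:91:04:01, the sender is 00:0f:ea:91:04:08.
SAMPLE='Mar 21 13:38:41 server_name kernel: DROP ATTACKER: IN=eth0 OUT= MAC=00:0f:ea:91:04:01:00:0f:ea:91:04:08:08:00 SRC=192.168.1.200 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=50714 DF PROTO=TCP SPT=39616 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

echo "source MAC: $(log_src_mac "$SAMPLE")"
echo "ethertype:  $(log_ethertype "$SAMPLE")"
```

To feed a whole log through it, loop over lines with `while IFS= read -r line; do log_src_mac "$line"; done < /var/log/messages` and pipe into sort -u; the resulting MACs are only worth blocking for hosts on the same Ethernet segment as the firewall.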

6 irfan 10.03.07 at 3:18 pm

hello i am using iptables

now I need that only those MAC IDs can be accepted and all others dropped. How can I do this?

7 Catalin 11.13.07 at 6:30 pm

Hello. I have a problem when I try to log with iptables. iptables v1.3.8: Unknown arg `LOG'
What should I do?

8 zee 11.19.07 at 2:50 pm

please, I want to ban everyone from using my shell, which is port 22, but keep their access on other ports, and I would like only my PC to log in to the shell from my MAC address. Can anyone help please???

9 Lilian 11.28.07 at 5:57 am

to ZEE

Allow an IP or network group to connect via SSH
/etc/host.allow

SSHD:192.168.0.4 or something like this 192.168.0.

Deny all connections on SSH
/etc/host.deny

SSHD:ALL

I think it will help you

10 Orvalho J Augusto 05.07.08 at 2:32 am

Great!

You are good ones
Caveman

11 Shawn 05.12.08 at 8:26 pm

Is there a way to use this in conjunction with the source IP. So that you can enforce a MAC address to only be allowed through if it is using a specific IP address?


Thanks
Shawn

12 vivek 05.12.08 at 8:33 pm

Sure, you can use -s IP-address option. Verify source IP 192.168.1.200 along with MAC 00:0F:EA:91:04:08 and if both matched drop it:
iptables -A INPUT -p tcp -s 192.168.1.200 -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

13 Luis 07.08.08 at 4:07 pm

Could someone help.
I have two ARM machines with Linux kernel 2.6
I want to make a remote access but I can’t…
On one I have defined a MAC address: ifconfig eth0 hw ether 0B:62:9D:6D:1A:34
I made ping successfully, but when I try ftp or telnet it refuses the connection…

14 coop 03.26.09 at 1:46 pm

Hello

I want to configure a router with iptables for my WLAN. My problem: there is a database (mysql) where all the MAC addresses which have access are stored…

Is there a way to marry iptables with mysql??

best & THX coop

15 Vivek Gite 03.26.09 at 4:07 pm

I don’t think so.. you need to take the help of Perl or Python and send those IPs to iptables using system, exec or a ` (backtick) call.

16 Lillholm 04.06.09 at 12:30 pm

Coop>
Here is a script i use to write my iptables.

#!/usr/bin/perl
# Build an iptables ruleset from the (ip, mac) pairs stored in a MySQL table.
use strict;
use warnings;
use DBI;

my $sql_user     = "dhcpd";
my $sql_password = "*******";
my $sql_database = "dhcpd";
my $sql_hostname = "localhost";
my $sql_port     = "3306";

my $dsn = "DBI:mysql:database=$sql_database;host=$sql_hostname;port=$sql_port";
print "-----------------------------------------------\n";
print "      Building iptables config from mysql      \n";
print "-----------------------------------------------\n";
print "Getting information from mysql database...";
my $dbh = DBI->connect($dsn, $sql_user, $sql_password, { RaiseError => 1 })
    or die "Cannot connect to $dsn: $DBI::errstr";
# Fetch ip and mac in one query so each row's pair stays together
# (two separate ORDER BY queries can interleave and mismatch them).
my $sth = $dbh->prepare("SELECT ip, mac FROM trusted ORDER BY ip");
$sth->execute;
my @trusted;
while ( my ($ip, $mac) = $sth->fetchrow_array ) {
    push @trusted, [ $ip, $mac ];
}
$dbh->disconnect;
print "Done\n";

print "Creating temp file...";
# '>' truncates; '>>' would append to whatever the previous run left behind
open(my $configfile, '>', 'iptables.conf.temp')
    or die "Cannot open iptables.conf.temp: $!";
print "Done\n";
print "Start writing configfile...\n-----------------------------------------------\n";

foreach my $entry (@trusted) {
    my ($ip, $mac) = @$entry;
    my $rule = "iptables -A INPUT -p tcp -s $ip -m mac --mac-source $mac -j ACCEPT\n";
    print $configfile $rule;   # write the rule to the config file
    print $rule;               # and echo it to the terminal
}

close($configfile);
print "-----------------------------------------------\nDone.\n";
rename('iptables.conf.temp', 'iptables.conf')
    or die "Cannot rename iptables.conf.temp: $!";
sleep(1);
#print `echo "do somthing here :)"`

I also made one for dhcpd so unknown MACs logging on to my wireless will be in a different subnet.

17 Vivek Gite 04.06.09 at 2:19 pm

Thanks for sharing perl script.
