Comments on: Iptables MAC Address Filtering

By: Dert

Dert — Sat, 22 Oct 2011 01:07:12 +0000

Jim, i think no because i haven’t found in man special mac-adress diapason system support (like for IP-adresses)

By: Jim

Jim — Fri, 26 Aug 2011 21:41:39 +0000

Is it possible to block all MACs except a range? For example, I want to allow all devices from a specific manufacturer such as 11.22.33.00.00.00 through 11.22.33.FF.FF.FF?

By: Madhab

Madhab — Mon, 06 Jun 2011 14:28:21 +0000

Hi,

I wanna block internet some computer PC with mac address which rule can do it

By: Andy

Andy — Fri, 08 Apr 2011 18:59:59 +0000

Can I use this tutorial to create a MAC filter between a wireless network switch and the core? I need access to the network resources so I can’t use a router. What would you suggest?

By: raj

raj — Thu, 17 Jun 2010 10:59:09 +0000

Hi,

I want to block all MAC address except 1. Any clue.

I do not want to block TCP or UDP Traffic at all.

Thanks

By: Tawfiq

Tawfiq — Wed, 12 May 2010 04:35:00 +0000

is it possible to put the info in a separate file and call it from your main firewall script?
lets say, there is a file called /root/scripts/ip-mac-list
where u have the info written as,
[code] 192.168.0.1 00:13:xx:xx:xx:xx
[/code]

By: zazuge

zazuge — Fri, 26 Mar 2010 14:41:27 +0000

to Zohaib Hussain
if you have a proxy server then use password authentication
better if you have a managed switch
statically fix the ip address and MAC for every switch port
that way the only way to access the network is to use a certain IP address with the Original MAC address of the NIC while plugged to the correct switch port
and i don’t think that there is any way around this
check also VLAN

By: Robert

Robert — Wed, 24 Mar 2010 17:02:15 +0000

Zohaib,

Sorry to say this but using Mac address filtering to control access to your network is like using a locked screen door to control access to your house. It keeps the generally honest out but doesn’t stop those who’s motives are less than pure. It’s a good general backup to the main security, but it is not a main security measure in and off itself. We use passwords and Mac filtering. Mac Address filtering makes it harder to use a stolen or hacked password.

By: Zohaib Hussain

Zohaib Hussain — Mon, 22 Feb 2010 06:22:20 +0000

Dear All,

please help me i have different prb facing i m running LAN network with LInux i m facing the prb of mac spoofing but some of users whom i blocked by my server they user mac address changer different softwares and by this software they detect any Online Active user mac address and just change the IP Address and use internet and when i try to block that mac address by iptables but i cant block that mac address because its mine online active users mac and who users blocked the connection of my LAN they do these things and use mac address changing software and get solid and valid legal mac address by network scanning. …. what i do i m much confused

By: Atheya

Atheya — Mon, 02 Nov 2009 00:50:22 +0000

How do I execute this Perl script?

By: Vivek Gite

Vivek Gite — Mon, 06 Apr 2009 14:19:17 +0000

Thanks for sharing perl script.

By: Lillholm

Lillholm — Mon, 06 Apr 2009 12:30:35 +0000

Coop> Here is a script i use to write my iptables.

#!/usr/bin/perl
use DBI;
$sql_user			= "dhcpd";
$sql_password			= "*******";
$sql_database			= "dhcpd";
$sql_hostname			= "localhost";
$sql_port			= "3306";
$dsn		= "DBI:mysql:database=$sql_database;host=$sql_hostname;port=$sql_port";
print "-----------------------------------------------\n";
print "      Building iptables config from mysql      \n";
print "-----------------------------------------------\n";
print "Getting information from  mysql database...";
$dbh = DBI->connect($dsn, $sql_user, $sql_password);
$getmac = $dbh->prepare("select mac from trusted order by ip");
$getip = $dbh->prepare("select ip from trusted order by ip");
$getmac->execute;
$getip->execute;
print "Done\n";
print "Creating temp file...";
#print `rm iptables.conf.temp`;
open (CONFIGFILE, '>>iptables.conf.temp');
print "Done\n";
print "Start writing configfile...\n-----------------------------------------------\n";
$count 		= 0;
while ( @getmac = $getmac->fetchrow_array, @getip = $getip->fetchrow_array ) {
@mac[$count] = @getmac;
@ip[$count] = @getip;
$count++;
}
$dbh->disconnect;
$count = 0;
foreach (@mac) {
print CONFIGFILE "iptables -A INPUT -p tcp -s @ip[$count] -m mac --mac-source @mac[$count] -j ACCEPT
" . 			 "";
$count++;
print "iptables -A INPUT -p tcp -s @ip[$count] -m mac --mac-source @mac[$count] -j ACCEPT" . "\n";
}
close (CONFIGFILE);
print "-----------------------------------------------\nDone.\n";
print `mv iptables.conf.temp iptables.conf`;
sleep(1);
#print `echo "do somthing here :)"`

I also made one for dhcpd so unknown mac's logging on my wireless will be in a diffrent subnet.

By: Vivek Gite

Vivek Gite — Thu, 26 Mar 2009 16:07:59 +0000

I don’t think so.. you need to take help of perl or python and send those IPs using system or exec or “ call to iptables.

By: coop

coop — Thu, 26 Mar 2009 13:46:58 +0000

Hello

I wanna config a router with iptables for my WLAN. my problem, there is a database (mysql) there are all mac adresses, whitch have access…

is there a way to marry iptables with mysql??

best & THX coop

By: Luis

Luis — Tue, 08 Jul 2008 16:07:57 +0000

Could someone help.
I have to arm machines whit linux kernel 2.6
I wan’t to make a remote acess but i can’t…
one I have been defined a mac address ifconfig eth0 hw ether 0B:62:9D:6D:1A:34
I made ping suceful but when I try ftp ore telnet it refuse the conection…

By: vivek

vivek — Mon, 12 May 2008 20:33:26 +0000

Sure, you can use -s IP-address option. Verify source IP 192.168.1.200 along with MAC 00:0F:EA:91:04:08 and if both matched drop it:
iptables -A INPUT -p tcp -s 192.168.1.200 -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

By: Shawn

Shawn — Mon, 12 May 2008 20:26:01 +0000

Is there a way to use this in conjunction with the source IP. So that you can enforce a MAC address to only be allowed through if it is using a specific IP address?

–
Thanks
Shawn

By: Orvalho J Augusto

Orvalho J Augusto — Wed, 07 May 2008 02:32:16 +0000

Great!

You are good ones
Caveman

By: Lilian

Lilian — Wed, 28 Nov 2007 05:57:13 +0000

to ZEE

Allow an ip or network group to conect via SSH
/etc/host.allow

SSHD:192.168.0.4 or something like this 192.168.0.

Deny all conection on SSH
/etc/host.deny

SSHD:ALL

I think it will help you

By: zee

zee — Mon, 19 Nov 2007 14:50:32 +0000

please i want to ban everyone of using my shell which is port 22 but keep their access on other ports and i owuld like only my PC to log to shell from my MAC address, anyone can help plz???