* Blocking machines by both Mac Address and IP address
From: Scott Mayo @ 2010-10-23 22:19 UTC (permalink / raw)
  To: netfilter

I have my DHCP server set up so that it hands out IP addresses according
to a machine's Mac address.  Is there a way to deny traffic to the
internet by both MAC address and IP address?

i.e.  If MAC address 00:11:22:33:44:55 is given IP address 192.168.0.1
by DHCP then that should be the only combo that can get to the outside
world.  If the IP address is changed to something else or if another
machine that has a different MAC address is given the IP address
192.168.0.1 statically, then in neither situation should the machine
be able to get out to the world.

Thanks for any info.
-- 
Scott


* Re: Blocking machines by both Mac Address and IP address
From: Andrew Beverley @ 2010-10-23 22:33 UTC (permalink / raw)
  To: Scott Mayo; +Cc: netfilter

On Sat, 2010-10-23 at 17:19 -0500, Scott Mayo wrote:
> I have my DHCP server set up so that it hands out IP addresses according
> to a machine's Mac address.  Is there a way to deny traffic to the
> internet by both MAC address and IP address?
> 
> i.e.  If MAC address 00:11:22:33:44:55 is given IP address 192.168.0.1
> by DHCP then that should be the only combo that can get to the outside
> world.  If the IP address is changed to something else or if another
> machine that has a different MAC address is given the IP address
> 192.168.0.1 statically, then in neither situation should the machine
> be able to get out to the world.

Something like this...


Set your default policy to drop:

iptables -t mangle -P FORWARD DROP

Then set up a rule for each client that matches both IP address and MAC:

iptables -t mangle -A FORWARD -s 1.2.3.4 \
	-m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT



Andy




* Re: Blocking machines by both Mac Address and IP address
From: Jan Engelhardt @ 2010-10-23 22:51 UTC (permalink / raw)
  To: Scott Mayo; +Cc: netfilter

On Sunday 2010-10-24 00:19, Scott Mayo wrote:

>I have my DHCP server set up so that it hands out IP addresses according
>to a machine's Mac address.  Is there a way to deny traffic to the
>internet by both MAC address and IP address?

Combine -s with -m mac.


* Re: Blocking machines by both Mac Address and IP address
From: Scott Mayo @ 2010-10-24 13:14 UTC (permalink / raw)
  To: netfilter

On Sat, Oct 23, 2010 at 5:33 PM, Andrew Beverley <andy@andybev.com> wrote:
> On Sat, 2010-10-23 at 17:19 -0500, Scott Mayo wrote:
>> I have my DHCP server set up so that it hands out IP addresses according
>> to a machine's Mac address.  Is there a way to deny traffic to the
>> internet by both MAC address and IP address?
>>
>> i.e.  If MAC address 00:11:22:33:44:55 is given IP address 192.168.0.1
>> by DHCP then that should be the only combo that can get to the outside
>> world.  If the IP address is changed to something else or if another
>> machine that has a different MAC address is given the IP address
>> 192.168.0.1 statically, then in neither situation should the machine
>> be able to get out to the world.
>
> Something like this...
>
>
> Set your default policy to drop:
>
> iptables -t mangle -P FORWARD DROP
>
> Then set up a rule for each client that matches both IP address and MAC:
>
> iptables -t mangle -A FORWARD -s 1.2.3.4 \
>        -m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT
>
>
>
> Andy
>
>
>

Thanks for the help everyone.  I will try this out next week.  I
figured there was a way to do it, but I am still not the greatest with
IPTABLES.  Not sure that I have ever done anything with the mangle
table.

Thanks again.

-- 
Scott


* Re: Blocking machines by both Mac Address and IP address
From: Pascal Hambourg @ 2010-10-24 14:22 UTC (permalink / raw)
  To: netfilter

Hello,

Andrew Beverley wrote:
> 
> Set your default policy to drop:
> 
> iptables -t mangle -P FORWARD DROP
> 
> Then set up a rule for each client that matches both IP address and MAC:
> 
> iptables -t mangle -A FORWARD -s 1.2.3.4 \
> 	-m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT

The 'mangle' table is not intended for filtering. The 'filter' table is.


* Re: Blocking machines by both Mac Address and IP address
From: Andrew Beverley @ 2010-10-24 14:46 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter

> > 
> > Set your default policy to drop:
> > 
> > iptables -t mangle -P FORWARD DROP
> > 
> > Then set up a rule for each client that matches both IP address and MAC:
> > 
> > iptables -t mangle -A FORWARD -s 1.2.3.4 \
> > 	-m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT
> 
> The 'mangle' table is not intended for filtering. The 'filter' table is.

Ooops, I meant filter. Been using the mangle table too much recently :)

Andy




* Re: Blocking machines by both Mac Address and IP address
From: Grant Taylor @ 2010-10-25 16:02 UTC (permalink / raw)
  To: Mail List - Netfilter

On 10/23/10 17:19, Scott Mayo wrote:
> i.e.  If MAC address 00:11:22:33:44:55 is given IP address 
> 192.168.0.1 by DHCP then that should be the only combo that can get 
> to the outside world.  If the IP address is changed to something else 
> or if another machine that has a different MAC address is given the 
> IP address 192.168.0.1 statically, then in neither situation should 
> the machine be able to get out to the world.

I would suggest that you reverse your logic a bit.  Only allow the 
machines to access the internet if the MAC and IP address are correct. 
Any other combination should fail.

This is the old adage of "allow what you want and block the rest" not 
"block what you want and allow the rest".  It is too easy to change an 
IP and / or MAC address to get around the filters that selectively block.



Grant. . . .

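Putting Andrew's corrected answer (filter table, not mangle) and Grant's "allow what you want and block the rest" advice into one script, as an added example that is not part of the thread: a POSIX sh script that generates the FORWARD rules from a constructed MAC/IP reservation list. The interface name eth1 and the conntrack rule for return traffic are assumptions the thread does not mention; the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): emit allow-list FORWARD rules in the
# filter table from a MAC/IP reservation list, so only the MAC+IP pair the
# DHCP server hands out is forwarded and every other combination hits the
# DROP policy. LAN_IF and the return-traffic rule are assumptions.

LAN_IF="${LAN_IF:-eth1}"   # assumed name of the inside (client-facing) interface

# Constructed sample of DHCP reservations, "mac ip" per line; the last entry
# is deliberately malformed to show that bad lines are skipped rather than
# turned into an overly broad rule.
RESERVATIONS='
00:11:22:33:44:55 192.168.0.1
00:11:22:33:44:66 192.168.0.2
00:11:22:33:44:zz 192.168.0.3
'

# Accept a MAC (six hex octets) and a dotted-quad IPv4 address; non-zero otherwise.
valid_pair() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
}

# Print the iptables commands to stdout (nothing is applied here).
# The mac match only sees the source MAC of frames arriving at this box, so
# the per-client rules are bound to the LAN interface with -i; replies coming
# back from the outside are accepted by connection state instead.
gen_rules() {
    echo "iptables -t filter -F FORWARD"          # start from an empty chain
    echo "iptables -t filter -P FORWARD DROP"     # default deny
    echo "iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$RESERVATIONS" | while read -r mac ip; do
        [ -z "$mac" ] && continue
        if ! valid_pair "$mac" "$ip"; then
            echo "skipping malformed reservation: $mac $ip" >&2
            continue
        fi
        echo "iptables -t filter -A FORWARD -i $LAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
}

# Preview by default; APPLY=1 pipes the commands into sh (needs root).
if [ "${APPLY:-0}" = 1 ]; then gen_rules | sh; else gen_rules; fi
```

A client that keeps its MAC but changes its IP, or a second box that takes 192.168.0.1 with a different MAC, matches none of the ACCEPT rules and is dropped by the policy.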
