Best way to setup at MAC ADDRESS firewall

Lisa Kachold lisakachold at obnosis.com
Wed May 6 04:18:27 MST 2009


I think Jon is using a different term for the word "firewall" than I use.  I
prefer to use multiple OSI layer "gates", from iptables on a machine to NAT,
subnetting and Layer 2 VLANing, to ensure various kinds of security
internally.  I.e., I don't allow administration on a shared user network
where packets can be sniffed, or LDAP/NIS unless it's protected via switch
or other VLAN.

MAC Address filtering is common for firewalling where subnetting has not
been used.

For instance, if for some strange reason zones are not separated either by
different subnet address or VLAN, and/or interface, one could add additional
MAC filtering.  It's also useful for wireless, if you don't use RADIUS to
renew your server key minutes before it takes to web-crack it.  I.e., if you
set up WEP keys AND MAC address filtering, it's fairly difficult to get
anything.

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:mac - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j mac
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A mac -i eth1 -s 1.2.3.4 -m mac --mac-source 00:01:02:03:04:05 -j RETURN
-A mac -i eth1 -s 1.2.4.8 -m mac --mac-source 00:01:04:04:08:10 -j RETURN
-A mac -i eth0 -m mac --mac-source 00:0a:bc:dc:ba:98 -j RETURN
-A mac -j LOG --log-prefix "Invalid MAC "
-A mac -j DROP
COMMIT



On Tue, May 5, 2009 at 6:00 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> Use iptables:
>
> http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html
>
> GUI tools and scripts exist to help you with the configuration of ipchains.
> See:
>
>    - EasyFw <http://www.linux-kheops.com/pub/easyfw/> - Tcl/Tk - RPM
>    available from web site.
>    RPM installs command: /usr/local/bin/easyfw
>    - Firestarter <http://firestarter.sourceforge.net/> - Configuration of
>    firewall and real-time hit monitor for the Gnome desktop. Configures
>    ipchains (kernel 2.2) and iptables (kernel 2.4)
>    - Firewall Builder <http://www.fwbuilder.org/> - iptables, ipfilter and
>    OpenBSD PF. (GTK--)
>
>  Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)
>
> Tools for iptables configuration:
>
>    - Webmin <http://www.webmin.com/webmin/> - Linux web admin tool
>    - Shorewall <http://shorewall.sourceforge.net/>
>    - NARC: Netfilter Automatic Rule Configurator<http://www.knowplace.org/netfilter/narc.html>
>
>
> What is your distro?
>
> Webmin might assist you the easiest?
>
> But basically, an iptable is a text file.
> iptables is daemon that runs.
> you can save the tables to text on the fly:
>
> iptables-save >/root/tablesfiles
>
> without saving them forever and edit them to look something like (change
> for your ports and your mac addresses) this very basic version:
>
> # Generated by iptables-save v1.4.1.1 on Tue May  5 17:50:52 2009
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [373535:34202389]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> -A INPUT -m mac --mac-source 00:14:BF:7A:4D:2D -j ACCEPT
> -A INPUT -m mac --mac-source 00:18:DE:A5:00:41 -j ACCEPT
> -A INPUT -j DROP
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>
> -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -s 204.13.248.71/32 -p tcp -m tcp --dport 2525 -j ACCEPT
>
> -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -j DROP
> -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 68 -j ACCEPT
> -A INPUT -s 192.168.1.1/32 -p udp -m udp --dport 68 -j ACCEPT
>
> -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
> -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 123 -j ACCEPT
>
> -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 631 -j DROP
> -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j DROP
>
> -A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 52421 -j DROP
> -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 52421 -j DROP
> -A INPUT -s 192.168.2.0/24 -p tcp -m tcp -j DROP
>
> -A INPUT -s 192.168.2.0/24 -p udp -m udp -j DROP
> -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -p udp -m udp --dport 68 -j REJECT --reject-with icmp-port-unreachable
>
> -A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -p udp -m udp --dport 631 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -p udp -m udp --dport 52421 -j REJECT --reject-with icmp-port-unreachable
>
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Tue May  5 17:50:52 2009
>
>
>
>
> # /sbin/iptables-restore </root/tablesfiles
> # /etc/init.d/iptables save
> # chkconfig iptables on
>
>
> On Tue, May 5, 2009 at 5:30 PM, wayne <waydavis at cox.net> wrote:
>
>> I have a situation where I will want to prevent individuals from
>> connecting to my server based on their MAC id.  I've not selected
>> ANYTHING yet... suggestions?    A nice GUI frontend would be cool. :-)
>> (Kubuntu 8.04.2)
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> www.obnosis.com (503)754-4452
> "Contradictions do not exist." A. Rand
>



-- 
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand