Best way to setup at MAC ADDRESS firewall
Lisa Kachold
lisakachold at obnosis.com
Tue May 5 18:00:20 MST 2009
Use iptables:
http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html
GUI tools and scripts exist to help you with the configuration of ipchains.
See:
- EasyFw <http://www.linux-kheops.com/pub/easyfw/> - Tcl/Tk - RPM available from web site. RPM installs command: /usr/local/bin/easyfw
- Firestarter <http://firestarter.sourceforge.net/> - Configuration of firewall and real-time hit monitor for the Gnome desktop. Configures ipchains (kernel 2.2) and iptables (kernel 2.4)
- Firewall Builder <http://www.fwbuilder.org/> - iptables, ipfilter and OpenBSD PF. (GTK--)
Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)
Tools for iptables configuration:
- Webmin <http://www.webmin.com/webmin/> - Linux web admin tool
- Shorewall <http://shorewall.sourceforge.net/>
- NARC: Netfilter Automatic Rule Configurator <http://www.knowplace.org/netfilter/narc.html>
What is your distro?
Webmin might assist you the easiest?
But basically, an iptable is a text file.
iptables is a daemon that runs.
You can save the tables to text on the fly:
iptables-save >/root/tablesfiles
without saving them forever, and edit them to look something like this very basic version (change for your ports and your MAC addresses):
# Generated by iptables-save v1.4.1.1 on Tue May 5 17:50:52 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [373535:34202389]
# Loopback, established sessions and ICMP are accepted first, so the
# catch-all DROP at the end cannot cut off local services or open sessions.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# MAC allow-list (the mac match sees only the MAC of the last layer-2 hop,
# so it applies to hosts on the local segment)
-A INPUT -m mac --mac-source 00:14:BF:7A:4D:2D -j ACCEPT
-A INPUT -m mac --mac-source 00:18:DE:A5:00:41 -j ACCEPT
# Per-port rules for everything that did not match a listed MAC
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 204.13.248.71/32 -p tcp -m tcp --dport 2525 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 631 -j DROP
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 52421 -j DROP
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 52421 -j DROP
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp -j DROP
-A INPUT -s 192.168.2.0/24 -p udp -m udp -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 68 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 631 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 52421 -j REJECT --reject-with icmp-port-unreachable
# The catch-all DROP stays last: any INPUT rule placed after it is never reached.
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 5 17:50:52 2009
# /sbin/iptables-restore </root/tablesfiles
# /etc/init.d/iptables save
# chkconfig iptables on
On Tue, May 5, 2009 at 5:30 PM, wayne <waydavis at cox.net> wrote:
> I have a situation where I will want to prevent individuals from
> connecting to my server based on their MAC id. I've not selected
> ANYTHING yet... suggestions? A nice GUI frontend would be cool. :-)
> (Kubuntu 8.04.2)
>
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
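As an added example (not part of the list post above), a small POSIX sh generator for the MAC allow-list ruleset described in the reply, written so the loopback and RELATED,ESTABLISHED accepts land before the catch-all DROP and so a malformed address is rejected before it reaches iptables-restore. The function name gen_mac_ruleset and the MAC addresses in the usage line are constructed for this example.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that accepts new connections only from an
# allow-list of MAC addresses. Loopback and established traffic are accepted
# BEFORE the catch-all DROP, which must stay the last INPUT rule.
# Caveat: the mac match sees only the MAC of the last layer-2 hop, so it
# filters the local segment only and is not an authentication mechanism.
# The MAC addresses in the usage line are constructed examples.
# Usage: gen_mac_ruleset 00:14:BF:7A:4D:2D 00:18:DE:A5:00:41 > /root/tablesfiles
#        iptables-restore < /root/tablesfiles

valid_mac() {
    # six colon-separated hex pairs, either case
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

gen_mac_ruleset() {
    [ "$#" -gt 0 ] || { echo 'gen_mac_ruleset: no MAC addresses given' >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "gen_mac_ruleset: invalid MAC: $mac" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # fail closed even if the final DROP is edited away
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for mac in "$@"; do
        echo "-A INPUT -m mac --mac-source $mac -j ACCEPT"
    done
    # rate-limited log of what the allow-list rejected, for later review
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "MAC-DENY: "'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}
```

Review the generated file with a plain iptables-restore --test (where the installed version supports it) before loading it on a remote host, since a mistake in the allow-list locks out every address not on it.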