I think Jon is using a different term for the word "firewall" than I use. I prefer to use multiple OSI layer "gates", from iptables on a machine to NAT, subnetting and Layer 2 VLANing, to ensure various kinds of security internally, i.e. I don't allow administration on a shared user network where packets can be sniffed, or LDAP/NIS unless it's protected via switch or other VLAN.
MAC Address filtering is common for firewalling where subnetting has not been used.
For instance, if for some strange reason zones are not separated either by different subnet address, VLAN and/or interface, one could add additional MAC filtering. It's also useful for wireless, if you don't use RADIUS to renew your server key minutes before it could be web-cracked, i.e. if you set up WEP keys AND MAC address filtering, it's fairly difficult to get anything.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:mac - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j mac
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A mac -i eth1 -s 1.2.3.4 -m mac --mac-source 00:01:02:03:04:05 -j RETURN
-A mac -i eth1 -s 1.2.4.8 -m mac --mac-source 00:01:04:04:08:10 -j RETURN
-A mac -i eth0 -m mac --mac-source 00:0a:bc:dc:ba:98 -j RETURN
-A mac -j LOG --log-prefix "Invalid MAC "
-A mac -j DROP
COMMIT
Use iptables:
http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html
GUI tools and scripts exist to help you with the configuration of ipchains. See:
- EasyFw - Tcl/Tk - RPM available from web site.
RPM installs command: /usr/local/bin/easyfw
- Firestarter - Configuration of firewall and real-time hit monitor for the Gnome desktop. Configures ipchains (kernel 2.2) and iptables (kernel 2.4)
- Firewall Builder - iptables, ipfilter and OpenBSD PF. (GTK--)
Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)
Tools for iptables configuration:
- Webmin - Linux web admin tool
- Shorewall
- NARC: Netfilter Automatic Rule Configurator
What is your distro?
Webmin might be the easiest for you?
But basically, an iptable is a text file.
iptables is a daemon that runs.
you can save the tables to text on the fly:
iptables-save >/root/tablesfiles
without saving them forever, and edit them to look something like this very basic version (change for your ports and your MAC addresses):
# Generated by iptables-save v1.4.1.1 on Tue May 5 17:50:52 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [373535:34202389]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mac --mac-source 00:14:BF:7A:4D:2D -j ACCEPT
-A INPUT -m mac --mac-source 00:18:DE:A5:00:41 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 204.13.248.71/32 -p tcp -m tcp --dport 2525 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 631 -j DROP
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j DROP
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 52421 -j DROP
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 52421 -j DROP
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp -j DROP
-A INPUT -s 192.168.2.0/24 -p udp -m udp -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 68 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 631 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 52421 -j REJECT --reject-with icmp-port-unreachable
# Catch-all rules go last: a bare "-j DROP" placed earlier in INPUT would shadow every rule after it
-A INPUT -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 5 17:50:52 2009
# /sbin/iptables-restore </root/tablesfiles
# /etc/init.d/iptables save
# chkconfig iptables on
--
On Tue, May 5, 2009 at 5:30 PM, wayne <waydavis@cox.net> wrote:
> I have a situation where I will want to prevent individuals from
> connecting to my server based on their MAC id. I've not selected
> ANYTHING yet... suggestions? A nice GUI frontend would be cool. :-)
> (Kubuntu 8.04.2)
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
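As an added check that is not part of this post or of any tool mentioned in it: a small Python linter, written here as an example, that reads an iptables-save dump and reports rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT in the same chain (the ordering problem a bare "-A INPUT -j DROP" in the middle of INPUT causes in the second ruleset above) and MAC matches placed in chains where netfilter never evaluates the mac module (it is only valid in PREROUTING, INPUT and FORWARD, and in user chains such as the "mac" chain reached from them). The sample dump in the test is constructed and the function names are the example's own.

```python
"""Lint an iptables-save dump for rules shadowed by an earlier catch-all and for
MAC matches in chains where netfilter never evaluates them (constructed example)."""

# Targets that end traversal of the current chain as soon as they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# The mac match needs the ingress frame header, so it is only valid in these
# chains (and in user chains reached from them); it never matches in OUTPUT.
MAC_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}

def parse_rules(dump):
    """Return (chain, options) for every '-A chain ...' line of an iptables-save dump."""
    rules = []
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules

def target_of(options):
    """Jump target of a rule, or None when it has no -j."""
    return options[options.index("-j") + 1] if "-j" in options else None

def is_unconditional(options):
    """A rule whose first option is already -j carries no match: it hits every packet."""
    return bool(options) and options[0] == "-j"

def find_unreachable(dump):
    """Rules placed after an unconditional terminating rule in the same chain.
    A bare '-A INPUT -j DROP' mid-chain makes every later INPUT rule dead."""
    closed = set()
    shadowed = []
    for chain, options in parse_rules(dump):
        if chain in closed:
            shadowed.append(f"-A {chain} {' '.join(options)}")
        elif is_unconditional(options) and target_of(options) in TERMINATING:
            closed.add(chain)
    return shadowed

def find_misplaced_mac(dump, user_chains=()):
    """MAC matches in chains where they can never match, e.g. OUTPUT.
    user_chains names custom chains (like the 'mac' chain above) that are
    only jumped to from INPUT/FORWARD and are therefore fine."""
    allowed = MAC_CHAINS | set(user_chains)
    return [f"-A {chain} {' '.join(options)}"
            for chain, options in parse_rules(dump)
            if "--mac-source" in options and chain not in allowed]
```

Run it against `iptables-save` output before `iptables-restore`; an empty result from both functions means every rule in the dump can actually be reached and every MAC match sits where the kernel will evaluate it.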