MAC Address ALLOW/DROP Script

Posted: Sat Aug 21, 2004 3:19 am
by LinuxFreaK
Dear All Users.
Salam,

All you need to do is copy these scripts and use them.

# touch /sbin/addmac
# chmod 744 /sbin/addmac
# pico /sbin/addmac


#!/bin/sh
#
# Use this script to block your Clients by their MAC Address.
# Script Created by Farrukh Ahmed of Linux Pakistan dot Net
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# Create a list file if it does not exist yet.
ensure_file() {
    if [ ! -f "$1" ]; then
        echo "File Not Found..."
        echo "Creating File..."
        touch "$1"
        chmod 644 "$1"
    fi
}

# allow MAC COMMENT...: append "MAC #COMMENT" to /etc/mac.allow
allow() {
    args=$1
    shift
    args1="$*"
    ensure_file "$MAC_ALLOW"
    if echo "$args #$args1" >> "$MAC_ALLOW"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# backup allow|deny: copy the list to a .bak file
# (the original test "[ $args="allow" ]" was always true, and the alias lines did
# nothing because aliases are not expanded in a non-interactive script)
backup() {
    if [ "$1" = "allow" ]; then
        cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak"
    else
        cp -f "$MAC_DENY" "${MAC_DENY}.bak"
    fi
}

# block MAC: remove MAC from the allow list and add it to the deny list
block() {
    args=$1
    if [ -z "$args" ]; then
        echo "Usage: addmac block <MAC Address>"
        exit 1
    fi
    echo "$args" >> "$MAC_DENY"
    grep -v "$args" "$MAC_ALLOW" > "${MAC_ALLOW}.tmp"
    cp -f "${MAC_ALLOW}.tmp" "$MAC_ALLOW"
    rm -f "${MAC_ALLOW}.tmp"
}

# deny MAC COMMENT...: append "MAC #COMMENT" to /etc/mac.deny
deny() {
    args=$1
    shift
    args1="$*"
    ensure_file "$MAC_DENY"
    if echo "$args #$args1" >> "$MAC_DENY"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# findmac allow|deny MAC: show the matching lines of the chosen list
# (renamed from "find" so the function does not shadow the find command)
findmac() {
    if [ "$1" = "allow" ]; then
        grep "$2" "$MAC_ALLOW"
    else
        grep "$2" "$MAC_DENY"
    fi
}

# unblock MAC: remove MAC from the deny list and add it to the allow list
unblock() {
    args=$1
    if [ -z "$args" ]; then
        echo "Usage: addmac unblock <MAC Address>"
        exit 1
    fi
    echo "$args" >> "$MAC_ALLOW"
    grep -v "$args" "$MAC_DENY" > "${MAC_DENY}.tmp"
    cp -f "${MAC_DENY}.tmp" "$MAC_DENY"
    rm -f "${MAC_DENY}.tmp"
}

# restore allow|deny: copy the .bak file back over the list
restore() {
    if [ "$1" = "allow" ]; then
        cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW"
    else
        cp -f "${MAC_DENY}.bak" "$MAC_DENY"
    fi
}

# See how we were called.
case "$1" in
    allow)
        shift
        allow "$@"
        ;;
    backup)
        backup "$2"
        ;;
    block)
        block "$2"
        ;;
    deny)
        shift
        deny "$@"
        ;;
    find)
        findmac "$2" "$3"
        ;;
    restore)
        restore "$2"
        ;;
    unblock)
        unblock "$2"
        ;;
    *)
        echo "Usage: addmac {allow|backup|block|deny|find|restore|unblock} MAC Address"
        exit 1
        ;;
esac


# touch /sbin/maccheck
# chmod 744 /sbin/maccheck
# pico /sbin/maccheck


#!/bin/sh
#
# MAC Check Script
# This Script Will Add Allowed and Blocked Users in Firewall
#

echo "Loading MAC Address...."

# Read one entry per line and keep only the first word, so the "#Comment" text
# that addmac stores after the MAC is never passed to iptables as an address.
while read -r MAC COMMENT; do
    case "$MAC" in
        ""|\#*) continue ;;     # skip blank and comment-only lines
    esac
    /sbin/iptables -I INPUT -p all -m mac --mac-source "$MAC" -j ACCEPT
done < /etc/mac.allow

while read -r MAC COMMENT; do
    case "$MAC" in
        ""|\#*) continue ;;
    esac
    /sbin/iptables -I INPUT -p all -m mac --mac-source "$MAC" -j DROP
done < /etc/mac.deny

echo "MAC Address Loaded Successfully...."


My mac.allow file

# cat /etc/mac.allow
00:C0:05:01:87:20
00:C0:05:02:0E:92
00:C0:05:02:00:68
00:C0:05:01:87:20
00:C0:09:10:87:D0


My mac.deny file

# cat /etc/mac.deny
00:C0:05:02:0E:91
00:00:0C:8E:55:11


You need to add the following line to your /etc/rc.d/rc.local (the script is /sbin/maccheck, as created above):

exec /sbin/maccheck

Best Regards.

Posted: Sat Aug 21, 2004 10:41 am
by mahin
Great! :)

All these Cable Walas are one of these days going to declare you their Guru :) or patron saint :).

It is tradition that a chela / disciple presents something to the Guru; being in the virtual world, presenting a virtual mithai / cake would be appropriate :).

RE: MAC Address ALLOW/DROP Script

Posted: Sat Aug 21, 2004 1:12 pm
by nomy
Aoa,/ Hi FA,

Well written, save it... but we can also do this through SQUID PROXY.



Kind regards,
nomy

Nice way to teach, Mr. Farrukh (The GURU)

Posted: Sat Aug 21, 2004 6:38 pm
by sarthor
Salam O Alykum

Boss, while I am the most dull-minded of all the people, I am still needing some explanation for this file:
What to do with this file? Is it part of /sbin/maccheck, or do we have to make the mac.allow and mac.deny files separately?

Please explain it a bit here and also tell us how to add the MAC addresses to that file: by editing the files, or is there some special command like #sh /addmac, as you told me on the phone?

My mac.allow file

# cat /etc/mac.allow
00:C0:05:01:87:20
00:C0:05:02:0E:92
00:C0:05:02:00:68
00:C0:05:01:87:20
00:C0:09:10:87:D0

My mac.deny file

# cat /etc/mac.deny
00:C0:05:02:0E:91
00:00:0C:8E:55:11
Will wait for your reply.
Alwida

Re:

Posted: Sun Aug 22, 2004 12:03 am
by LinuxFreaK
Dear sarthor,
Salam,
sarthor wrote: What to do with this file? Is it part of /sbin/maccheck, or do we have to make the mac.allow and mac.deny files separately?
Dude, you don't need to create any file; it will create the file if it does not exist.
sarthor wrote: Please explain it a bit here and also tell us how to add the MAC addresses to that file: by editing the files, or is there some special command like #sh /addmac, as you told me on the phone?
Legend

1. Text in black color like this are my narration / Instructions
2. Text in bold black like this are commands
3. Text in blue must be in /sbin/maccheck
4. Text in bold blue is user specific. You have to change according to you actual data
5. Text in brown is the part of command should be combined with user data in bold blue

Instructions

1. First, copy these two files from the appendix of this tutorial into your /sbin folder

# cp addmac maccheck /sbin

2. Change the permissions of both files.

# chmod 744 /sbin/addmac /sbin/maccheck

3. How to Add / / Unblock / Find / Backup / Restore Mac Address.

# addmac allow 00:00:91:0D:5C:90 Farrukh Ahmed (it will add given mac address, and comments 'Farrukh Ahmed' in /etc/mac.allow)

4. How to Block Mac Address

# addmac block 00:00:91:0D:5C:90 Farrukh Ahmed (it will block given mac address from /etc/mac.allow and insert in /etc/mac.deny)

5. How to Restore Mac Address

# addmac deny 00:00:91:0D:5C:90 Farrukh Ahmed (it will add given mac address, and comments 'Farrukh Ahmed' in /etc/mac.deny)

6. How to find from allowed Mac Address

# addmac find allow 00:00:91:0D:5C:90 (it will find given mac address in /etc/mac.allow)

7. How to find from denied Mac Address

# addmac find deny 00:00:91:0D:5C:90 (it will find given mac address in /etc/mac.deny)

8. How to unblock Mac Address

# addmac unblock 00:00:91:0D:5C:90 (it will unblock given mac address from /etc/mac.deny and insert in /etc/mac.allow)

9. How to backup allowed Mac Address

# addmac backup allow (it will backup /etc/mac.allow to /etc/mac.allow.bak)

10. How to backup denied Mac Address

# addmac backup deny (it will backup /etc/mac.deny to /etc/mac.deny.bak)

11. How to restore allowed Mac Address

# addmac restore allow (it will restore /etc/mac.allow.bak to /etc/mac.allow)

12. How to restore denied Mac Address

# addmac restore deny (it will restore /etc/mac.deny.bak to /etc/mac.deny)

Note: when ever you Add/Remove/Block/Unblock MAC Address you must Run /sbin/maccheck

At the end of your /etc/rc.d/rc.local add the following line

exec /sbin/maccheck

My mac.allow file look like

# cat /etc/mac.allow

00:C0:05:01:87:20 #Farrukh Ahmed
00:C0:05:02:0E:92 #Tariq Bahi
00:C0:05:02:00:68 #Sheraz
00:C0:05:01:87:20 #Badar
00:C0:09:10:87:D0 #Tauqeer


My mac.deny file

# cat /etc/mac.deny
00:C0:05:02:0E:91 #Asif Khan
00:00:0C:8E:55:11 #Meraj Rasool Khattak


Appendix

Following are the two scripts mentioned in the Tutorial Above

Script No. 1

# touch /sbin/maccheck

This will create a blank file in /sbin

# pico /sbin/maccheck

This will open the blank file which you created before. Now copy and paste the MAC Check Script here and press Ctrl + X; it will ask you whether to save it or not; press Y and save it as /sbin/addmac

# chmod 744 /sbin/maccheck

This will change the permission of the /sbin/maccheck file

Content of /sbin/maccheck

#!/bin/sh
#
# MAC Check Script
# This Script will add Allowed/Blocked and Blocked Users in Firewall
#

echo "Loading MAC Address...."
/sbin/iptables -F INPUT

# Read one entry per line and keep only the first word, so the "#Comment" text
# that addmac stores after the MAC is never passed to iptables as an address.
while read -r MAC COMMENT; do
    case "$MAC" in
        ""|\#*) continue ;;     # skip blank and comment-only lines
    esac
    /sbin/iptables -I INPUT -p all -m mac --mac-source "$MAC" -j ACCEPT
done < /etc/mac.allow

while read -r MAC COMMENT; do
    case "$MAC" in
        ""|\#*) continue ;;
    esac
    /sbin/iptables -I INPUT -p all -m mac --mac-source "$MAC" -j DROP
done < /etc/mac.deny

echo "MAC Address Loaded Successfully...."


Script No. 2


# touch /sbin/addmac

This will create a blank file in /sbin

# pico /sbin/addmac

This will open the blank file which you created before. Now copy and paste the ADD MAC Script here and press Ctrl + X; it will ask you whether to save it or not; press Y and save it as /sbin/addmac

# chmod 744 /sbin/addmac

This will change the permission of the /sbin/addmac file

Content of /sbin/addmac

#!/bin/sh
#
# ADD MAC Script
# This Script will add/remove, block/unblock users access in a LAN/DCN (Deci Cable Net)
# Script Created by Farrukh Ahmed (aka LinuxFreak) of Linux Pakistan dot Net
# For any help, comment please visit http://www.linuxpakistan.net/forum2x/
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# Create a list file if it does not exist yet.
ensure_file() {
    if [ ! -f "$1" ]; then
        echo "File Not Found..."
        echo "Creating File..."
        touch "$1"
        chmod 644 "$1"
    fi
}

# allow MAC COMMENT...: append "MAC #COMMENT" to /etc/mac.allow
allow() {
    args=$1
    shift
    args1="$*"
    ensure_file "$MAC_ALLOW"
    if echo "$args #$args1" >> "$MAC_ALLOW"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# backup allow|deny: copy the list to a .bak file
# (the original test "[ $args="allow" ]" was always true, and the alias lines did
# nothing because aliases are not expanded in a non-interactive script)
backup() {
    if [ "$1" = "allow" ]; then
        cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak"
    else
        cp -f "$MAC_DENY" "${MAC_DENY}.bak"
    fi
}

# block MAC: remove MAC from the allow list and add it to the deny list
block() {
    args=$1
    if [ -z "$args" ]; then
        echo "Usage: addmac block <MAC Address>"
        exit 1
    fi
    echo "$args" >> "$MAC_DENY"
    grep -v "$args" "$MAC_ALLOW" > "${MAC_ALLOW}.tmp"
    cp -f "${MAC_ALLOW}.tmp" "$MAC_ALLOW"
    rm -f "${MAC_ALLOW}.tmp"
}

# deny MAC COMMENT...: append "MAC #COMMENT" to /etc/mac.deny
deny() {
    args=$1
    shift
    args1="$*"
    ensure_file "$MAC_DENY"
    if echo "$args #$args1" >> "$MAC_DENY"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# findmac allow|deny MAC|all: list matching entries, or the whole list for "all"
# (renamed from "find" so the function does not shadow the find command)
findmac() {
    if [ "$1" = "allow" ]; then
        file=$MAC_ALLOW
    else
        file=$MAC_DENY
    fi
    if [ "$2" = "all" ]; then
        # "sort FILE | uniq FILE" ignored the sorted input; sort -u is what was intended
        sort -u "$file"
    else
        grep "$2" "$file"
    fi
}

# unblock MAC: remove MAC from the deny list and add it to the allow list
unblock() {
    args=$1
    if [ -z "$args" ]; then
        echo "Usage: addmac unblock <MAC Address>"
        exit 1
    fi
    echo "$args" >> "$MAC_ALLOW"
    grep -v "$args" "$MAC_DENY" > "${MAC_DENY}.tmp"
    cp -f "${MAC_DENY}.tmp" "$MAC_DENY"
    rm -f "${MAC_DENY}.tmp"
}

# restore allow|deny: copy the .bak file back over the list
restore() {
    if [ "$1" = "allow" ]; then
        cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW"
    else
        cp -f "${MAC_DENY}.bak" "$MAC_DENY"
    fi
}

# See how we were called.
case "$1" in
    allow)
        shift
        allow "$@"
        ;;
    backup)
        backup "$2"
        ;;
    block)
        block "$2"
        ;;
    deny)
        shift
        deny "$@"
        ;;
    find)
        findmac "$2" "$3"
        ;;
    restore)
        restore "$2"
        ;;
    unblock)
        unblock "$2"
        ;;
    *)
        echo "Usage: addmac {allow|backup|block|deny|find|restore|unblock} MAC Address"
        exit 1
        ;;
esac


Best Regards.
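As an added check (not one of the forum's scripts), the script below lints /etc/mac.allow and /etc/mac.deny before maccheck loads them: it reports entries that are not valid MAC addresses, MACs listed twice in one file (the tutorial's allow list above carries 00:C0:05:01:87:20 twice), and MACs present in both files, which maccheck's insertion order turns into a DROP. It assumes the "MAC # Comment" entry format that addmac writes; the sample files are constructed here, not taken from a real system.

```shell
#!/bin/sh
# Added example: lint mac.allow / mac.deny before maccheck loads them into iptables.
# Assumes the "MAC # Comment" entry format that addmac writes; sample data is constructed.

# macs FILE: print the MAC of each entry, lower-cased, with comments and blank lines removed
macs() {
    sed 's/#.*//' "$1" | awk 'NF { print tolower($1) }'
}

# lint_list FILE: report entries that are not a MAC address, and MACs listed twice
lint_list() {
    macs "$1" | while IFS= read -r mac; do
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            printf 'INVALID %s %s\n' "$1" "$mac"
        fi
    done
    macs "$1" | sort | uniq -d | while IFS= read -r mac; do
        printf 'DUPLICATE %s %s\n' "$1" "$mac"
    done
}

# lint_lists ALLOW DENY: per-list checks, then MACs that appear in both files.
# maccheck inserts the deny rules after the allow rules (each with -I, i.e. on top),
# so a MAC in both files ends up DROPped; better to resolve that in the files.
lint_lists() {
    lint_list "$1"
    lint_list "$2"
    a=$(mktemp) && b=$(mktemp)
    macs "$1" | sort -u > "$a"
    macs "$2" | sort -u > "$b"
    comm -12 "$a" "$b" | while IFS= read -r mac; do
        printf 'CONFLICT %s\n' "$mac"
    done
    rm -f "$a" "$b"
}

# demo_lint: constructed lists with one typo, one duplicate and one MAC in both files
demo_lint() {
    dir=$(mktemp -d)
    printf '%s\n' '00:C0:05:01:87:20 # Farrukh Ahmed' '00:C0:05:02:0E:92 # Tariq Bahi' \
        '00:C0:05:01:87:20 # Badar' '00:C0:05:02:00:6 # Sheraz' > "$dir/mac.allow"
    printf '%s\n' '00:C0:05:02:0E:91 # Asif Khan' '00:c0:05:02:0e:92 # Tariq' > "$dir/mac.deny"
    lint_lists "$dir/mac.allow" "$dir/mac.deny" | sed "s|$dir/||"   # hide the temp path
    rm -rf "$dir"
}

demo_lint
```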

Re:

Posted: Sun Aug 22, 2004 9:53 am
by LinuxFreaK
Dear nomy,
Salam,
nomy wrote: Well written, save it... but we can also do this through SQUID PROXY.
Yes, it can be done by a squid proxy server, but you need to restart your service every time. You can put the following code in your /etc/squid/squid.conf


acl client1 arp 01:02:03:04:05:06
acl client2 arp 11:12:13:14:15:16
http_access allow client1
http_access allow client2
http_access deny all
# service squid restart

Best Regards.

You have proved that you are the Real GURU

Posted: Sun Aug 22, 2004 9:39 pm
by sarthor
Salam O Alykum
Hey, Farrukh Ahmad!!
Boss, you have proved that you are the real guru for the people here on linuxpakistan.net.
Thanks for telling us in such a simple way.
Inshallah I will try to do as you have told us in this new post.

Okay.... Will see your way for needing more help from you about Linux.
Again, thanks a lot.
Allah Hafiz and "Aap ko Allah Ajar Dai"

Updated MAC Script for DCN's

Posted: Fri Aug 27, 2004 6:58 am
by LinuxFreaK
Dear All PLUCian's,
Salam,

#!/bin/sh
#
# ADD MAC SCRIPT
#
# Use this script to block your Clients by their MAC Address.
# This Script will add/remove, block/unblock users access in a LAN/DCN (Deci Cable Net)
# Script Created by Farrukh Ahmed (aka LinuxFreak) of LinuxPakistan dot Net
# For any help, comment please visit http://www.linuxpakistan.net/forum2x/
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# Create a list file if it does not exist yet.
ensure_file() {
    if [ ! -f "$1" ]; then
        echo "File Not Found..."
        echo "Creating File..."
        touch "$1"
        chmod 644 "$1"
    fi
}

# has_mac FILE MAC: true when MAC is already the first word of an entry in FILE
has_mac() {
    sed 's/#.*//' "$1" | awk -v mac="$2" 'NF && $1 == mac { found = 1 } END { exit !found }'
}

# add_entry FILE MAC COMMENT...: shared body of allow and deny
add_entry() {
    file=$1
    args=$2
    shift 2
    args1="$*"
    ensure_file "$file"
    if has_mac "$file" "$args"; then
        echo "MAC Address : $args already exists"
        exit 1
    fi
    if echo "$args # $args1" >> "$file"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# allow MAC COMMENT...: add MAC to /etc/mac.allow
allow() {
    if [ $# -lt 2 ]; then
        echo "Usage : addmac allow <MAC Address> <Comments>"
        exit 1
    fi
    add_entry "$MAC_ALLOW" "$@"
}

# deny MAC COMMENT...: add MAC to /etc/mac.deny
deny() {
    if [ $# -lt 2 ]; then
        echo "Usage : addmac deny <MAC Address> <Comments>"
        exit 1
    fi
    add_entry "$MAC_DENY" "$@"
}

# backup allow|deny: copy the list to a .bak file
# (the original test "[ $args="allow" ]" was always true, and the alias lines did
# nothing because aliases are not expanded in a non-interactive script)
backup() {
    case "$1" in
        allow) cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak" ;;
        deny)  cp -f "$MAC_DENY" "${MAC_DENY}.bak" ;;
        *)     echo "Usage: addmac backup <allow/deny>"; exit 1 ;;
    esac
}

# move_entry FROM TO MAC: move the MAC's whole line (comment included) between lists.
# The file is no longer read and rewritten with sed -i at the same time.
move_entry() {
    if ! has_mac "$1" "$3"; then
        echo "MAC Address : $3 not found in $1"
        exit 1
    fi
    grep "^$3" "$1" >> "$2"
    sed -i "/^$3/d" "$1"
}

# block MAC: move MAC from the allow list to the deny list
block() {
    if [ $# -ne 1 ] || [ -z "$1" ]; then
        echo "Usage: addmac block <MAC Address>"
        exit 1
    fi
    move_entry "$MAC_ALLOW" "$MAC_DENY" "$1"
}

# unblock MAC: move MAC from the deny list back to the allow list
unblock() {
    if [ $# -ne 1 ] || [ -z "$1" ]; then
        echo "Usage: addmac unblock <MAC Address>"
        exit 1
    fi
    move_entry "$MAC_DENY" "$MAC_ALLOW" "$1"
}

# findmac allow|deny MAC|all: list matching entries, or the whole list for "all"
# (renamed from "find" so the function does not shadow the find command)
findmac() {
    case "$1" in
        allow) file=$MAC_ALLOW ;;
        deny)  file=$MAC_DENY ;;
        *)     echo "Usage : addmac find <allow/deny> <MAC Address|all>"; exit 1 ;;
    esac
    if [ "$2" = "all" ]; then
        sort -u "$file"     # "sort FILE | uniq FILE" ignored the sorted input
    elif [ -n "$2" ]; then
        grep "$2" "$file"
    else
        echo "Usage : addmac find <allow/deny> <MAC Address|all>"
        exit 1
    fi
}

# restore allow|deny: copy the .bak file back over the list
# (the original test "[ $* != $1 ]" never caught a wrong argument count)
restore() {
    case "$1" in
        allow) cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW" ;;
        deny)  cp -f "${MAC_DENY}.bak" "$MAC_DENY" ;;
        *)     echo "Usage: addmac restore <allow/deny>"; exit 1 ;;
    esac
}

# searchmac: list IP and MAC of the hosts in this box's ARP table
# (the original test "[ $# != 1]" lacked the space before "]" and, since the
# command takes no argument, always printed the usage line)
searchmac() {
    if [ $# -ne 0 ]; then
        echo "Usage : addmac searchmac"
        exit 1
    fi
    arp -n | awk '{ if ($1 ~ /Address/) print "IP", $1, "\t", $3; else print $1, "\t", $3 }' | sed 's/HWa/MAC A/'
}

case "$1" in
    allow)
        shift
        allow "$@"
        ;;
    backup)
        backup "$2"
        ;;
    block)
        block "$2"
        ;;
    deny)
        shift
        deny "$@"
        ;;
    find)
        findmac "$2" "$3"
        ;;
    restore)
        restore "$2"
        ;;
    searchmac)
        searchmac
        ;;
    unblock)
        unblock "$2"
        ;;
    *)
        echo "Usage: addmac {allow|backup|block|deny|find|restore|searchmac|unblock} MAC Address"
        exit 1
        ;;
esac


Best Regards.

Want to ban all MAC addresses except several

Posted: Thu Sep 09, 2004 4:31 pm
by sarthor
Salam O Alykum
The scripts for authentication of MACs are working well, but if we want to deny all MACs except some, what do I have to do for that?
For example, if I want to allow these:

00:08:C7:60:6A:D8
00:90:27:A8:32:5C
00:50:FC:89:58:9E
00:60:08:58:57:32
00:50:04:BD:0F:22
00:C0:4F:35:69:D1
00:50:04:AC:B5:47
00:60:97:e5:81:fe
00:c0:4f:48:c4:63
00:60:97:ba:87:85
00:30:1b:15:af:db
00:60:97:D1:43:28

Salam O Alykum

Re:

Posted: Fri Sep 10, 2004 3:42 pm
by LinuxFreaK

My Ip is 192.168.0.1

Posted: Fri Sep 10, 2004 7:17 pm
by sarthor
Salam O Alykum
Farrukh Bhai, my LAN IP is 192.168.0.1, so what changes will be needed in the line below?
# /sbin/iptables -I INPUT -p all -s 192.16.9.0.0/24 -j DROP
And I also use your script for blocking MACs (addmac and maccheck wali).
So will it help in that?
Farrukh bhai... I know I have disturbed you a lot, but I am compelled to do so.
Salam O Alykum

Re:

Posted: Fri Sep 10, 2004 11:12 pm
by LinuxFreaK
Dear sarthor,
Salam,

Only Add this line in your maccheck script

/sbin/iptables -I INPUT -p all -s 192.16.9.0.0/24 -j DROP

Best Regards.

Again

Posted: Sat Sep 11, 2004 3:32 am
by sarthor
Salam O Alykum
Farrukh Bhai !!
You have not mentioned where I have to add that line. I have added it here; below you can see it, but it did not work.
#!/bin/sh
#
# MAC Check Script
# This Script will add Allowed/Blocked and Blocked Users in Firewall
#

echo -e "Loading MAC Address...."
/sbin/iptables -F INPUT
/sbin/iptables -I INPUT -p all -s 192.168.0.0/24 -j DROP
for MAC in `cat /etc/mac.allow`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

for MAC in `cat /etc/mac.deny`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

echo -e "MAC Address Loaded Successfully...."
Help me Friends

Re:

Posted: Sat Sep 11, 2004 7:06 am
by LinuxFreaK
Dear sarthor,
Salam,

Yes, It looks okay

Best Regards.

Re:

Posted: Fri Nov 05, 2004 3:33 pm
by sarthor
LinuxFreaK wrote:Dear sarthor,
Salam,

Only Add this line in your maccheck script

/sbin/iptables -I INPUT -p all -s 192.168.9.0.0/24 -j DROP

Best Regards.
Salam O Alykum,

I have put the above line in the maccheck file, but it has stopped all the traffic. Something strange here now, so I have reinstalled Linux.
My server LAN IP is 192.168.0.1. My clients' IPs are as follows:
192.168.252
192.168.251
192.168.250
192.168.249
192.168.248

and I am running the firewall as below:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
#iptables -t nat -A POSTROUTING -s 192.168.0.1 -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
#iptables -t nat -A PREROUTING -p icmp -j DROP

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


iptables -t nat -A POSTROUTING -p tcp --dport 21 -o ppp0 -j MASQUERADE #FTP
iptables -t nat -A POSTROUTING -p tcp --dport 22 -o ppp0 -j MASQUERADE #ssh

iptables -t nat -A POSTROUTING -p tcp --dport 4800:65000 -o ppp0 -j MASQUERADE
The above file I used to run from rc.local; I have made its entry there.
So please help me, because I want to ban all the MACs except some.
Thanks, I will wait for the reply.
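For the deny-all-except-some question, here is an added example (not code from the thread) that replays, as plain text, the INPUT chain that sarthor's maccheck above builds and evaluates sample packets against it, showing the first-match order that `iptables -I` produces: denied MACs on top, allowed MACs under them, and the 192.168.0.0/24 DROP at the bottom as the default deny. It assumes constructed MACs and a 192.168.0.0/24 LAN, and models only the INPUT chain; packets the box forwards for clients are judged by the FORWARD chain instead, which needs the same MAC rules.

```shell
#!/bin/sh
# Added example: a text-only model of the INPUT chain that maccheck builds.
# All MACs and addresses are constructed; nothing here calls iptables.

CHAIN=""   # one rule per line, top rule first, as "iptables -L INPUT" lists them

# flush: what "iptables -F INPUT" does
flush() { CHAIN=""; }

# insert RULE: "iptables -I INPUT ..." puts the new rule at the TOP, so every later
# insert is evaluated before the earlier ones
insert() { CHAIN=$(printf '%s\n%s' "$1" "$CHAIN"); }

# in_lan IP: true for a source inside 192.168.0.0/24 (a prefix test suffices for a /24)
in_lan() { case "$1" in 192.168.0.*) return 0 ;; *) return 1 ;; esac; }

# build_chain "ALLOWED MACS" "DENIED MACS": replay maccheck with sarthor's extra line
build_chain() {
    flush
    insert "net 192.168.0.0/24 DROP"                    # LAN dropped by default ...
    for mac in $1; do insert "mac $mac ACCEPT"; done    # ... allowed MACs go above it
    for mac in $2; do insert "mac $mac DROP"; done      # ... denied MACs end up on top
}

# verdict SRC_MAC SRC_IP: walk the chain top-down; the first match decides, and no
# match means the chain policy (ACCEPT), e.g. for packets arriving over ppp0
verdict() {
    hit=$(printf '%s\n' "$CHAIN" | while read -r kind value target; do
        matched=no
        case "$kind" in
            mac) if [ "$value" = "$1" ]; then matched=yes; fi ;;
            net) if in_lan "$2"; then matched=yes; fi ;;
        esac
        if [ "$matched" = yes ]; then
            echo "$target"
            break
        fi
    done)
    echo "${hit:-ACCEPT}"
}

# show_chain: the rules in evaluation order
show_chain() { printf '%s\n' "$CHAIN"; }

# demo: two allowed clients, one denied client, one unlisted client, one non-LAN source
demo() {
    build_chain "00:08:c7:60:6a:d8 00:90:27:a8:32:5c" "00:c0:05:02:0e:91"
    show_chain
    verdict 00:08:c7:60:6a:d8 192.168.0.50   # allowed  -> ACCEPT
    verdict 00:c0:05:02:0e:91 192.168.0.51   # denied   -> DROP
    verdict 00:11:22:33:44:55 192.168.0.52   # unlisted -> DROP (default deny on the LAN)
    verdict 00:11:22:33:44:55 10.9.8.7       # not LAN  -> ACCEPT (chain policy)
}
demo
```

A client chooses its own MAC address, so this is an access-control convenience for a cable LAN rather than an authentication boundary.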