MAC to IP matching security in IP Tables

Protecting your Linux box
maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

MAC to IP matching security in IP Tables

Postby maiqbal » Wed Aug 30, 2006 2:03 pm


wazim4_u
Naik
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
Location: Saudi Arabia (Riyadh)

Postby wazim4_u » Wed Aug 30, 2006 3:07 pm

#!/bin/bash

#-- Flush and delete all rules and user-defined chains, then create the MAC chain
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -N MAC


#-- Set INPUT & FORWARD policies to DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP


#-- Bind IP with MAC address: a packet is accepted only if both its source IP
#-- and its source MAC match the same rule (one rule per client)
/sbin/iptables -A MAC -i eth0 -s 192.168.1.1 -p all -m mac --mac-source 00:14:BF:89:FF:45 -j ACCEPT


#-- Accept replies belonging to connections that were already accepted
/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT

#-- Jump INPUT & FORWARD to MAC, then drop everything else arriving on eth0
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC
/sbin/iptables -A MAC -i eth0 -p all -j DROP


======================================
That works very well for me for about 100 clients. The IP is also bound with the MAC: if the MAC is allowed but the IP is not the same, it will not give the client access to your machine.

azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Postby azfar » Wed Aug 30, 2006 4:26 pm

Anyone know the same thing for ipfilter?
Azfar Hashmi
Email : azfarhashmi@hotmail.com

maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Wed Aug 30, 2006 4:35 pm

Thanks wazim, but I have found the following as well, which is quite easy:

INSTRUCTIONS:


1. Create a file in the /sbin folder named maccheck:

# touch /sbin/maccheck

# chmod 744 /sbin/maccheck

# pico /sbin/maccheck


#!/bin/sh
#
# MAC Check Script
# This script will add allowed and blocked users in the firewall.
# The "#!/bin/sh" line must be the first line of the file, otherwise
# "exec /sbin/maccheck" from rc.local cannot run it.
#

echo "Loading MAC Address...."
/sbin/iptables -F INPUT
/sbin/iptables -I INPUT -p all -s 222.222.0.0/16 -j DROP
# Assuming that your network ID is 222.222.0.0; if you are using a
# class C address then you may write 192.168.0.0/24 instead.

# Only the first field of each line is the MAC. The "#comment" words that
# follow it in /etc/mac.allow and /etc/mac.deny must not be passed to iptables,
# so blank lines and comment lines are skipped and only field 1 is used.
for MAC in `awk '!/^#/ && NF { print $1 }' /etc/mac.allow`
do
  /sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

# Denied MACs are inserted last, so they sit above the allow rules and win.
for MAC in `awk '!/^#/ && NF { print $1 }' /etc/mac.deny`
do
  /sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

echo "MAC Address Loaded Successfully...."



2. Create a file in the /sbin folder named addmac:

# touch /sbin/addmac

# chmod 744 /sbin/addmac

# pico /sbin/addmac



#!/bin/sh
#
# Use this script to block your clients by their MAC address.
# Script created by Muhammad Asif Iqbal (ITIM Systems)
#
# Entries are stored one per line as "MAC #comment".
# The "#!/bin/sh" line must be the first line of the file.
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# entry MAC [COMMENT...]: format one list line, e.g. "00:00:91:0D:5C:90 #Farrukh Ahmed"
entry() { MAC=$1 ; shift ; c=$* ; echo "$MAC${c:+ #$c}"; }

# addentry FILE MAC [COMMENT...]: append an entry to FILE, creating FILE if needed
addentry() {
  file=$1 ; shift
  if [ ! -f "$file" ]; then
    echo "File Not Found..."
    echo "Creating File..."
    touch "$file"
    chmod 644 "$file"
  fi
  if entry "$@" >> "$file"; then
    echo "MAC Added Successfully"
  else
    echo "Failed to Add MAC Address"
  fi
}

# removeentry FILE MAC: drop every line mentioning MAC from FILE (case-insensitive,
# since iptables and people write MACs in either case)
removeentry() {
  file=$1 ; mac=$2
  [ -f "$file" ] || return 0
  grep -iv -e "$mac" "$file" > "${file}.tmp"
  cp -f "${file}.tmp" "$file"
  rm -f "${file}.tmp"
}

# allow MAC [COMMENT...]: add to the allow list
allow() { addentry "$MAC_ALLOW" "$@"; }

# deny MAC [COMMENT...]: add to the deny list
deny() { addentry "$MAC_DENY" "$@"; }

# block MAC [COMMENT...]: move MAC from the allow list to the deny list
block() {
  entry "$@" >> "$MAC_DENY"
  removeentry "$MAC_ALLOW" "$1"
}

# unblock MAC [COMMENT...]: move MAC from the deny list to the allow list
unblock() {
  entry "$@" >> "$MAC_ALLOW"
  removeentry "$MAC_DENY" "$1"
}

# find allow|deny MAC: show the matching lines of the chosen list
find() {
  if [ "$1" = "allow" ]; then
    grep -i -e "$2" "$MAC_ALLOW"
  else
    grep -i -e "$2" "$MAC_DENY"
  fi
}

# backup allow|deny: copy the list to <list>.bak
# Note: the test needs spaces around "=", otherwise [ $args="allow" ] is a
# non-empty string test that is always true and the deny list is never handled.
backup() {
  if [ "$1" = "allow" ]; then
    cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak"
  else
    cp -f "$MAC_DENY" "${MAC_DENY}.bak"
  fi
}

# restore allow|deny: copy <list>.bak back over the list
restore() {
  if [ "$1" = "allow" ]; then
    cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW"
  else
    cp -f "${MAC_DENY}.bak" "$MAC_DENY"
  fi
}

# See how we were called. Everything after the subcommand is passed on,
# so a multi-word comment such as "Farrukh Ahmed" is kept whole.
cmd=$1
[ $# -gt 0 ] && shift
case "$cmd" in
  allow)   allow "$@" ;;
  backup)  backup "$@" ;;
  block)   block "$@" ;;
  deny)    deny "$@" ;;
  find)    find "$@" ;;
  restore) restore "$@" ;;
  unblock) unblock "$@" ;;
  *)
    echo "Usage: addmac {allow|block|deny|unblock} MAC [comment]"
    echo "       addmac {find|backup|restore} {allow|deny} [MAC]"
    exit 1
    ;;
esac



3. How to Add Mac Address

# addmac allow 00:00:91:0D:5C:90 Farrukh Ahmed (it will add given mac address, and comments 'Farrukh Ahmed' in /etc/mac.allow)

4. How to Block Mac Address

# addmac block 00:00:91:0D:5C:90 Farrukh Ahmed (it will block given mac address from /etc/mac.allow and insert in /etc/mac.deny)

5. How to Deny Mac Address

# addmac deny 00:00:91:0D:5C:90 Farrukh Ahmed (it will add given mac address, and comments 'Farrukh Ahmed' in /etc/mac.deny)

6. How to find from allowed Mac Address

# addmac find allow 00:00:91:0D:5C:90 (it will find given mac address in /etc/mac.allow)

7. How to find from denied Mac Address

# addmac find deny 00:00:91:0D:5C:90 (it will find given mac address in /etc/mac.deny)

8. How to unblock Mac Address

# addmac unblock 00:00:91:0D:5C:90 (it will unblock given mac address from /etc/mac.deny and insert in /etc/mac.allow)

9. How to backup allowed Mac Address

# addmac backup allow (it will backup /etc/mac.allow to /etc/mac.allow.bak)

10. How to backup denied Mac Address

# addmac backup deny (it will backup /etc/mac.deny to /etc/mac.deny.bak)

11. How to restore allowed Mac Address

# addmac restore allow (it will restore /etc/mac.allow.bak to /etc/mac.allow)

12. How to restore denied Mac Address

# addmac restore deny (it will restore /etc/mac.deny.bak to /etc/mac.deny)

Note: whenever you add/remove/block/unblock a MAC address you must run /sbin/maccheck.

At the end of your /etc/rc.d/rc.local add the following line:

exec /sbin/maccheck

Your mac.allow file looks like:

# cat /etc/mac.allow
00:C0:05:01:87:20 #Farrukh Ahmed
00:C0:05:02:0E:92 #Tariq Bahi
00:C0:05:02:00:68 #Sheraz
00:C0:05:01:87:20 #Badar
00:C0:09:10:87:D0 #Tauqeer

My mac.deny file

# cat /etc/mac.deny
00:C0:05:02:0E:91 #Asif Khan
00:00:0C:8E:55:11 #Meraj Rasool Khattak

azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Postby azfar » Wed Aug 30, 2006 5:12 pm

Azfar Hashmi

Email : azfarhashmi@hotmail.com

maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 11:14 am


wazim4_u
Naik
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
Location: Saudi Arabia (Riyadh)

Postby wazim4_u » Thu Aug 31, 2006 12:29 pm

#!/bin/bash
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC

#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#

/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#
###############################################################
#-> Source NAT for the LAN going out on eth1 (IP forwarding itself
#-> must be enabled separately, e.g. net.ipv4.ip_forward=1).
###############################################################
#
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 213.184.171.34

#
#################
#-> SSH Connection
#################
#
/sbin/iptables -A MAC -i eth0 -p tcp --dport 22 -j ACCEPT

#
##############
#-> DNS Queries.
##############
#
/sbin/iptables -A MAC -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A MAC -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT

#
#############################
##---> Bind MAC with IP <---##
#############################
#
# Each line of /etc/allow.user is "ip|mac"; a client is accepted only
# when both fields match the packet.
for allowuser in `cat /etc/allow.user`
do
  ip=`echo $allowuser | cut -d"|" -f1`
  mac=`echo $allowuser | cut -d"|" -f2`
  echo Allowed $ip $mac
  /sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
done

#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP



#-------------------------
/etc/allow.user will look like this:

192.168.1.11|00:13:20:40:EB:10
192.168.1.12|00:54:AC:90:CA:00


Yes maiqbal, I think you can use these rules with the script. You can even use MAC instead of FORWARD or INPUT like I did; it works fine for me. Give it a try and let me know. It's not only to control the MAC address but also the IP: if the given IP is used with the given MAC it works, otherwise it won't (I am using this script for about 150+ clients).
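Both scripts in this thread feed file contents straight into iptables without checking them: maccheck's loop over `cat /etc/mac.allow` also hands the "#comment" words to `--mac-source`, and the allow.user loop never checks that a field is really an IP or a MAC. iptables rejects each such call, and since neither script checks exit status the errors scroll past at boot while the rule set silently lacks the entries that failed. The example below is added here and is not code from the thread or its authors: it validates each "ip|mac" entry before it reaches iptables, reports and skips bad lines, and emits the chain in the order the scripts use, adding a conntrack ESTABLISHED,RELATED rule so that replies to already-accepted connections are not discarded (the second script above has no such rule while both policies are DROP). It assumes the /etc/allow.user format, eth0 as the LAN interface, a constructed sample file, and by default only prints the commands because IPTABLES is set to `echo /sbin/iptables`; set IPTABLES=/sbin/iptables to apply them. Keep in mind that the source MAC a packet carries is that of the last hop, so these matches only identify hosts directly on eth0's segment.

```shell
#!/bin/sh
# Added example, not code from the thread: validate an "ip|mac" allow list
# (the /etc/allow.user format) before its entries reach iptables, then emit
# the MAC-binding chain. IPTABLES defaults to echo so rules are printed, not applied.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"   # assumed LAN-facing interface, as in the thread's scripts

# valid_mac MAC: true if MAC is six colon-separated hex pairs (either case)
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ipv4 IP: true if IP is four dotted decimal octets, each 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, leading/trailing/double dot
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split on dots into $1..$n
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bind_rules FILE: emit one ACCEPT rule per well-formed "ip|mac" line of FILE.
# Malformed lines are reported on stderr and skipped; returns 1 if any were skipped.
bind_rules() {
    bad=0
    while IFS='|' read -r ip mac _rest; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            $IPTABLES -A MAC -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
        else
            echo "skipping malformed entry: $ip|$mac" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# build_chain FILE: the full MAC chain in the thread's order, plus a conntrack
# rule so replies to connections that were already accepted are not dropped.
build_chain() {
    $IPTABLES -N MAC 2>/dev/null || true     # chain may already exist
    $IPTABLES -F MAC
    $IPTABLES -A MAC -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    bind_rules "$1" || echo "warning: some entries of $1 were skipped" >&2
    $IPTABLES -A MAC -i "$LAN_IF" -j DROP   # everything else from the LAN
    $IPTABLES -A INPUT -j MAC
    $IPTABLES -A FORWARD -j MAC
}

# Constructed sample allow list (not real hosts): two good entries, one IP with an
# octet above 255, and one MAC that is missing its last pair.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# ip|mac
192.168.1.11|00:13:20:40:EB:10
192.168.1.12|00:54:AC:90:CA:00
192.168.1.300|00:54:AC:90:CA:01
192.168.1.13|00:54:AC:90:CA
EOF

build_chain "$SAMPLE_FILE"
```

Run it as-is to see the rules it would apply and the two "skipping malformed entry" lines on stderr; with IPTABLES=/sbin/iptables and LAN_IF set, build_chain applies them. Because the INPUT and FORWARD jumps are only added after the bindings and the final DROP, an interrupted run leaves the old chain in place rather than a half-built one.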

maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 1:09 pm


maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 2:41 pm


maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 3:12 pm


LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Postby LinuxFreaK » Thu Aug 31, 2006 3:58 pm

Farrukh Ahmed

maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 4:17 pm

Yar Farrukh Bhai,

I am sorry, I edited that by mistake. I will update that. But it's not working, dear. Can you help me regarding that?

Regards,

Muhammad Asif Iqbal

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Postby LinuxFreaK » Thu Aug 31, 2006 4:23 pm

Dear maiqbal,
Salam,

Ask here what is not working and what the issue is.

http://www.linuxpakistan.net/forum2x/vi ... php?t=2182

Best Regards.
Farrukh Ahmed

maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 5:04 pm


wazim4_u
Naik
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
Location: Saudi Arabia (Riyadh)

Postby wazim4_u » Thu Aug 31, 2006 10:27 pm


