MAC to IP matching security in IP Tables

Protecting your Linux box
maiqbal
Lance Naik
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
Location: Karachi

Post by maiqbal »

Dear Wazim,

My rc.local is as under:
#!/bin/bash
#
touch /var/lock/subsys/local
modprobe iptable_nat
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC
#
#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#
#
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#
#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
#
#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
###############################################################
#
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 222.222.0.0/16 -j SNAT --to 203.170.76.121
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
#
#################
#-> SSH & Telnet Connection
#################
#
#/sbin/iptables -A MAC -i eth1 -p tcp --dport 22 -j ACCEPT
#/sbin/iptables -A MAC -i eth1 -p tcp --dport 23 -j ACCEPT
#
#######################
# Restrictions
#######################
#
/sbin/iptables -I FORWARD -d 64.245.58.0/23 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 6346 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 4661 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 4662 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 4661 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 1214 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 1214 -j DROP
/sbin/iptables -I FORWARD -d 213.248.112.0/24 -j DROP
/sbin/iptables -I FORWARD -d 206.142.53.0/24 -j DROP
/sbin/iptables -I FORWARD -d 209.25.178.0/24 -j DROP
/sbin/iptables -I FORWARD -d 64.124.41.0/24 -j DROP
/sbin/iptables -I FORWARD -d 209.61.186.0/24 -j DROP
/sbin/iptables -I FORWARD -d 64.49.201.0/24 -j DROP
/sbin/iptables -I FORWARD -d 216.35.208.0/24 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 9898 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5190:5193 -j DROP
/sbin/iptables -I FORWARD -d login.oscar.aol.com -j DROP
/sbin/iptables -I FORWARD -d login.icq.com -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5222:5223 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5000:5010 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 6681:6900 -j DROP
#
##############
#-> DNS Queries.
##############
#
/sbin/iptables -A MAC -s 222.222.0.0/16 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A MAC -s 222.222.0.0/16 -p udp --dport 53 -j ACCEPT
#
#
#####################
##---> Bind MAC with IP <---##
#####################
#
#
for allowuser in `cat /etc/allow.user`
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
done
#
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC
#
#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
#

#
#-------------------------
The thing is, when I use DROP with INPUT it runs without any error but doesn't allow me to access my Linux box from an allowed IP+MAC:
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
Can you check my rc.local above and reflect?

Regards,
Muhammad Asif Iqbal
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear maiqbal,
Salam,

You should modify your script and use the following switch when you drop connections.

# /sbin/iptables -P INPUT -A DROP
# /sbin/iptables -P FORWARD DROP


You must read about the difference between -I and -A.

Best Regards.
Farrukh Ahmed
wazim4_u
Naik
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
Location: Saudi Arabia (Riyadh)

Post by wazim4_u »

Dear Iqbal
Salam

Well, the INPUT and FORWARD policies must be set to DROP. I have a point about why you are not getting access from the allowed IPs and MACs of the clients. Add this line to your script after the "Bind MAC with IP" section. I hope it will let you access.


/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT

Please let me know if it works.

Wasim
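Pulling the two answers above together, here is an added example (written for this page, not code from any poster) of a complete script that does what Wasim describes: default-DROP policies, the ESTABLISHED,RELATED rule placed before the jump into the MAC chain, and the allow-list loop from maiqbal's rc.local with the entries validated before anything is loaded. The IPT dry-run variable, the interface names eth0 (LAN) and eth1 (WAN) and the two-host sample list are this example's assumptions; the ip|mac line format of /etc/allow.user is the thread's.

```sh
#!/bin/sh
# Added example, not taken from any post in this thread. Builds a default-DROP
# ruleset that binds each LAN client's IP to its MAC, with the connection-
# tracking rule placed ahead of the MAC check. IPT defaults to "echo" so the
# script can be dry-run by an unprivileged user; run it as root with
# IPT=/sbin/iptables to load the rules for real. LAN=eth0, WAN=eth1 and the
# "ip|mac" line format of /etc/allow.user follow the thread; the validation
# and the dry-run mode are this example's own assumptions.
IPT="${IPT:-echo}"
LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"
ALLOW_FILE="${ALLOW_FILE:-/etc/allow.user}"

valid_ip()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Print "ip mac" for every well-formed line, report the rest on stderr and
# return 1, so a typo in the allow-list stops the load instead of silently
# installing a rule that matches nothing (or the wrong host).
parse_allow_file() {
    rc=0
    while IFS='|' read -r ip mac _ || [ -n "$ip" ]; do   # also handles a last line without newline
        case "$ip" in ''|'#'*) continue ;; esac          # blank line or comment
        if valid_ip "$ip" && valid_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'rejected allow-list entry: %s|%s\n' "$ip" "$mac" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

build_rules() {
    pairs=$(parse_allow_file "$ALLOW_FILE") || return 1   # validate before touching the live ruleset

    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -N MAC                      # the chain must exist before any "-A MAC"

    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections already accepted. With a DROP policy this must
    # come before the MAC check: the MAC chain only ever sees packets from
    # $LAN, and replies from the Internet arrive on $WAN.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only new connections from the LAN are subject to the IP+MAC check.
    $IPT -A INPUT   -i "$LAN" -m state --state NEW -j MAC
    $IPT -A FORWARD -i "$LAN" -m state --state NEW -j MAC

    printf '%s\n' "$pairs" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        $IPT -A MAC -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A MAC -j DROP              # explicit; the DROP policy would do the same

    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Stand-alone dry run: if no allow-list exists and IPT is still "echo", use a
# constructed two-host list so the generated rules can be inspected anywhere.
if [ "$IPT" = echo ] && [ ! -r "$ALLOW_FILE" ]; then
    ALLOW_FILE=$(mktemp)
    printf '10.0.0.11|00:11:22:33:44:55\n10.0.0.12|00:11:22:33:44:66\n' > "$ALLOW_FILE"
fi
build_rules
```

Run as an ordinary user it only prints the iptables commands it would issue; run as root with IPT=/sbin/iptables it loads them. Two caveats apply equally to the scripts in this thread: the mac match only works on packets entering the box (PREROUTING, INPUT and FORWARD, never OUTPUT) and needs the ipt_mac or xt_mac kernel module (the name depends on the kernel version), and a MAC+IP binding is an access-control convenience rather than authentication, because any host on the same segment can set both values to those of an allowed client. On ordering, Farrukh's point about -I versus -A is the one to remember: -A appends at the end of a chain while -I inserts at the top, so a later `-I INPUT ... -j DROP` lands above the state rule no matter where it appears in the script.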
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

Post by sarthor »

Salam O Alykum

Why is it not working?
Do I need patch-o-matic?

[root@Sarthor sarthor]# /sbin/iptables -A MAC -i eth0 -s 192.168.10.11 -p all -m mac --mac-source 00:00:11:14:12:00 -j ACCEPT
iptables: No chain/target/match by that name
What about this rule? Will it bind the MAC or not?
/sbin/iptables -I INPUT -i eth0 -s 192.168.10.11 -p all -m mac --mac-source 00:00:11:14:12:00 -j ACCEPT
I am on FC5 with the built-in iptables.
Tefl E Maktab
wazim4_u
Naik
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
Location: Saudi Arabia (Riyadh)

Post by wazim4_u »

Dear sarthor,
Salam
If you would like to use this
/sbin/iptables -A MAC -i eth0 -s 192.168.10.11 -p all -m mac --mac-source 00:00:11:14:12:00 -j ACCEPT
then you need to create a new chain named MAC:

/sbin/iptables -N MAC

Yes, it should also work:

/sbin/iptables -I INPUT -i eth0 -s 192.168.10.11 -p all -m mac --mac-source 00:00:11:14:12:00 -j ACCEPT
A_Karim
Lance Naik
Posts: 34
Joined: Thu Jul 22, 2004 4:18 pm
Location: Karachi

Post by A_Karim »


#!/bin/bash
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC

#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#

/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
###############################################################
#
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8088
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
#################
#-> SSH Connection
#################
#
/sbin/iptables -A MAC -i eth0 -p tcp --dport 22 -j ACCEPT
#

#
#####################
##---> Bind MAC with IP <---##
#####################
#

for allowuser in `cat /etc/allow.user`
do
mac=`echo $allowuser |cut -d"|" -f1`
echo Allowed $mac
/sbin/iptables -A MAC -i eth0 -p all -m mac --mac-source $mac -j ACCEPT
/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
Assalam-o-Aliakum to All

I'm using the above code to restrict users from using the Internet, but the problem is that on the same server httpd is also running some www. I want all 10.0.0.0/8 users, whether their MAC is allowed or not, to be able to access the other services on the server; only the Internet facility should be allowed to MAC-allowed users.

How can all 10.0.0.0/8 users access the www hosted at the proxy server and be able to ping this server?

Thanks in Advance

Regards,
AK
Eyes Never Says Lies
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear A_Karim,

Just add a rule in your INPUT chain which allows port 80 to everyone.

# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Best Regards.
Farrukh Ahmed
A_Karim
Lance Naik
Posts: 34
Joined: Thu Jul 22, 2004 4:18 pm
Location: Karachi

Re:

Post by A_Karim »

LinuxFreaK wrote: Dear A_Karim,

Just add a rule in your INPUT chain which allows port 80 to everyone.

# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Best Regards.
Here is my firewall


#!/bin/bash
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC

#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#

/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
###############################################################
#
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8088
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
#################
#-> SSH Connection
#################
#
/sbin/iptables -A MAC -i eth0 -p tcp --dport 22 -j ACCEPT
#
##############
#-> DNS Queries.
##############
#
/sbin/iptables -A MAC -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A MAC -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT


#
#####################
##---> Allowed Services <---##
#####################
#

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT


#
#####################
##---> Bind MAC with IP <---##
#####################
#

for allowuser in `cat /etc/allow.user`
do
mac=`echo $allowuser |cut -d"|" -f1`
echo Allowed $mac
/sbin/iptables -A MAC -i eth0 -p all -m mac --mac-source $mac -j ACCEPT
/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
I have added the allowed services; the ICMP rule works fine, but port 80 does not work for non-MAC-allowed users.

# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  all  --  lo   *    0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT  tcp  --  *    *    192.168.0.0     0.0.0.0/0    tcp dpt:80
   32  2958 ACCEPT  all  --  *    *    0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
    5   300 ACCEPT  icmp --  *    *    0.0.0.0/0       0.0.0.0/0    icmp type 8
    0     0 MAC     all  --  *    *    0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 MAC     all  --  *    *    0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 52 packets, 3162 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  all  --  *    lo   0.0.0.0/0       0.0.0.0/0

Chain MAC (2 references)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  tcp  --  eth0 *    0.0.0.0/0       0.0.0.0/0    tcp dpt:22
    0     0 ACCEPT  tcp  --  *    *    192.168.0.0/24  0.0.0.0/0    tcp dpt:53
    0     0 ACCEPT  udp  --  *    *    192.168.0.0/24  0.0.0.0/0    udp dpt:53
    0     0 DROP    all  --  eth0 *    0.0.0.0/0       0.0.0.0/0

iptables shows it as allowed, but I don't know why users are unable to access the HTTP (www) service on this server. Any solution or hint, please.


Regards,
AK
Eyes Never Says Lies
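Two things stand out in the listing above, and the added example below (written for this page, not A_Karim's code) addresses both. First, the INPUT rule for dpt:80 is shown with source 192.168.0.0 (a single address, not a network and not 0.0.0.0/0) and zero packets, so whatever is loaded is not exactly the script as posted; after every change, reload and compare `iptables -nvL` against the script. Second, the script's nat PREROUTING REDIRECT rule has no destination exclusion. REDIRECT acts on every packet entering the box, including requests addressed to the server's own httpd, so those connections reach the filter table with destination port 8088, never match the INPUT rule for port 80 and fall into the MAC chain, which drops them for unbound MACs. The example excludes the server's own address from the redirect, accepts the local web server and ping for the whole LAN before any MAC check, and sends only the proxy port, SSH and routed traffic through the MAC chain. SERVER_IP=10.0.0.1, the interface names eth0/eth1 and the two sample MACs are assumptions; 8088 is the proxy port from the script.

```sh
#!/bin/sh
# Added example, not A_Karim's script. Services hosted on the box are accepted
# for every LAN host in INPUT, ahead of any MAC check; only the transparent
# proxy port, SSH and routed traffic are gated by the MAC chain. SERVER_IP, the
# interface names and the two sample MACs are constructed assumptions; 8088 is
# the proxy port from the thread. IPT defaults to "echo" for a dry run; set
# IPT=/sbin/iptables as root to load.
IPT="${IPT:-echo}"
LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"
SERVER_IP="${SERVER_IP:-10.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8088}"
ALLOWED_MACS="${ALLOWED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"   # constructed sample

build_rules() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -N MAC

    # nat PREROUTING runs on every packet entering the box, including ones
    # addressed to this host's own httpd, and REDIRECT rewrites the destination
    # port before the filter table sees the packet. Excluding the server's own
    # address keeps port 80 on the box reachable; without it those requests
    # show up at INPUT on $PROXY_PORT and an INPUT rule on --dport 80 never
    # matches them.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp ! -d "$SERVER_IP" --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open to every LAN host: the local web server and ping.
    $IPT -A INPUT -i "$LAN" -p tcp  --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Internet access is the redirected proxy port (INPUT) plus routed traffic
    # (FORWARD); SSH to the box is restricted the same way.
    $IPT -A INPUT   -i "$LAN" -p tcp --dport "$PROXY_PORT" -j MAC
    $IPT -A INPUT   -i "$LAN" -p tcp --dport 22 -j MAC
    $IPT -A FORWARD -i "$LAN" -j MAC
    for mac in $ALLOWED_MACS; do
        $IPT -A MAC -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A MAC -j DROP
}

build_rules
```

After loading, `iptables -nvL INPUT` should show the dpt:80 rule with source 0.0.0.0/0 and its counter climbing while a host with an unbound MAC browses to the server; if the counter stays at zero, look at `iptables -t nat -nvL PREROUTING` for a redirect rule that still matches local destinations.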
A_Karim
Lance Naik
Posts: 34
Joined: Thu Jul 22, 2004 4:18 pm
Location: Karachi

Post by A_Karim »

Assalam-o-Aliakum to all

No solution???

Regards,
AK
Eyes Never Says Lies
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear A_Karim,
Salam,

I would prefer that you read the netfilter documentation.

FYI, http://www.netfilter.org

Best Regards.
Farrukh Ahmed