MAC Address ALLOW/DROP Script

Discussion regarding the installation and configuration of Linux distributions.
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear Startor,
Salam,

Add this to your /etc/rc.local

# /sbin/iptables -I INPUT -p all -j DROP

But you also need to add your server's MAC address to /etc/mac.allow :)

Best Regards.
Farrukh Ahmed
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

Not Worked

Post by sarthor »

Salam O Alykum
Sir, I have put that line in the rc.local but it didn't stop the traffic.

This is my /etc/rc.d/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.


/sbin/iptables -I INPUT -p all -j DROP
/./pak
#/usr/local/squid/sbin/squid -D

touch /var/lock/subsys/local
exec /sbin/maccheck

#unlimit -HSn 8192 =rclocal
The file "pak" you can see in the previous post; I have posted this file fully.
Once I put the line after the line /./pak, but it did not work.
Okay... I'm waiting......
Tefl E Maktab
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

No one Replied

Post by sarthor »

Salam O Alykum
Sir, no one has replied to the previous post...
I am waiting, sir.
Thanks
Tefl E Maktab
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad

Post by zaeemarshad »

Dude, it's ./pak and not /./pak ... better yet, give the full path. So if it's in your root directory then you should post it like that.

/root/pak

cheers
zaeem
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

It's Working

Post by sarthor »

zaeemarshad wrote: Dude, it's ./pak and not /./pak ... better yet, give the full path. So if it's in your root directory then you should post it like that.

/root/pak

cheers
zaeem
Salam O Alykum
Sir, this command is working, and my Mobilink SMS, Yahoo voice chat, Yahoo webcam and net telephone are working with the help of this file.
Please help me with the MAC authentication.
Salam O Alykum
Tefl E Maktab
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear sarthor,
Salam,

You must take a look at this:

http://www.linuxpakistan.net/forum2x/vi ... 2182#11576

It defines what you need to do and how. Please use the latest script.

Best Regards.
Farrukh Ahmed
asaddotcom
Company Havaldaar Major
Posts: 195
Joined: Fri Feb 04, 2005 7:21 pm
Location: Lahore, PK

What ./pak script?

Post by asaddotcom »

Please tell me, what is the ./pak script?? My Yahoo, voice chat, web cam and Mobilink web chat are not working, the same as sarthor's problem... Please, sarthor, if you get this message then please tell me the A to Z procedure... what to do with iptables...

these things are not working:
YAHOO CHAT,
YAHOO VOICE CHAT,
YAHOO CAM,
MSN VOICE CHAT,
MOBILINK WEB SMS,

Please Sarthor help me if you can...

Allah Hafiz
Thanking You...

ครค๔
www.apnicollection.com | www.wikisoft.pk
asaddotcom
Company Havaldaar Major
Posts: 195
Joined: Fri Feb 04, 2005 7:21 pm
Location: Lahore, PK

Post by asaddotcom »

Farrukh bhai, Salam!
Thanks for your MAC script... it's really very cool and working very well... but my one and last problem is left..... which is that voice chat and web cam on Yahoo are not opening... the same problem as sarthor's... Please could you also tell me once the complete procedure of what I should do?? And make the iptables rules and send them to me on the forum... I would be very grateful to you... The MAC allow and MAC deny script is working perfectly fine... just this one last problem remains... the one about ports... please please help me..

NETWORK DESIGN IS:
Getting internet from Win-XP; the LAN IP is 192.168.1.1, which comes through 192.168.1.2...
Now the clients are getting internet through the other LAN card, through this IP: 192.168.2.1
I am using Squid proxy on Linux 9.0....
Now please make the iptables rules and post them to me.... thank you

Allah Hafiz
Thanking You...

ครค๔
www.apnicollection.com | www.wikisoft.pk
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear asaddotcom,
Salam,

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=3368

Best Regards.
Farrukh Ahmed
asaddotcom
Company Havaldaar Major
Posts: 195
Joined: Fri Feb 04, 2005 7:21 pm
Location: Lahore, PK

Post by asaddotcom »

Assalam O Alikum!

Farrukh bhai, how are you, and how is your father's health now?
I hope he is well now...
Well, Farrukh bhai, I have one problem... when I block a user's MAC, only that user's browsing stops... Yahoo Messenger and MSN keep working.... What is the reason for this? I want that when I block a user's MAC, every one of their things gets blocked.. browsing, messengers etc.

I am using your MAC script.

please tell me about this problem.

Allah Hafiz
Thanking You...

ครค๔
www.apnicollection.com | www.wikisoft.pk
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

Check Again And Again

Post by sarthor »

Salam O Alykum

Dear AsadDotCom

Check this again and again.

http://www.linuxpakistan.net/forum2x/vi ... php?t=3368

You will find the solution, because this maccheck script blocks all the traffic for that MAC: even your server stops pinging that NIC, nor can that client ping your server.

I am also using that script; it's working fine. And if there is any difficulty in that maccheck script that you are facing, then get an Ethernet 604 router. That will solve your problem.

So there must be something wrong on your end.

Okay, thanks, and goodbye
Tefl E Maktab
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Updated

Post by LinuxFreaK »

Legend

1. Text in black like this is my narration / instructions
2. Text in bold black like this is a command
3. Text in blue must be in /sbin/maccheck
4. Text in bold blue is user specific. You have to change it according to your actual data
5. Text in brown is the part of the command that should be combined with the user data in bold blue

Instructions

1. First Copy these two files from appendix of this tutorial into your /sbin folder

# cp addmac maccheck /sbin

2. Change permissions of both files.

# chmod 744 /sbin/addmac /sbin/maccheck

3. How to Add Mac Address

# addmac allow 00:00:91:0D:5C:90 Farrukh Ahmed (it will add the given MAC address, with the comment 'Farrukh Ahmed', to /etc/mac.allow)

4. How to Block Mac Address

# addmac block 00:00:91:0D:5C:90 Farrukh Ahmed (it will block the given MAC address, removing it from /etc/mac.allow and inserting it into /etc/mac.deny)

5. How to Deny Mac Address

# addmac deny 00:00:91:0D:5C:90 Farrukh Ahmed (it will add the given MAC address, with the comment 'Farrukh Ahmed', to /etc/mac.deny)

6. How to find from allowed Mac Address

# addmac find allow 00:00:91:0D:5C:90 (it will find the given MAC address in /etc/mac.allow)

7. How to find from denied Mac Address

# addmac find deny 00:00:91:0D:5C:90 (it will find the given MAC address in /etc/mac.deny)

8. How to unblock Mac Address

# addmac unblock 00:00:91:0D:5C:90 (it will unblock the given MAC address, removing it from /etc/mac.deny and inserting it into /etc/mac.allow)

9. How to backup allowed Mac Address

# addmac backup allow (it will back up /etc/mac.allow to /etc/mac.allow.bak)

10. How to backup denied Mac Address

# addmac backup deny (it will back up /etc/mac.deny to /etc/mac.deny.bak)

11. How to restore allowed Mac Address

# addmac restore allow (it will restore /etc/mac.allow.bak to /etc/mac.allow)

12. How to restore denied Mac Address

# addmac restore deny (it will restore /etc/mac.deny.bak to /etc/mac.deny)

Note: whenever you Add/Remove/Block/Unblock a MAC address you must run /sbin/maccheck

At the end of your /etc/rc.d/rc.local add the following line

exec /sbin/maccheck

My mac.allow file looks like

# cat /etc/mac.allow

00:C0:05:01:87:20 #Farrukh Ahmed
00:C0:05:02:0E:92 #Tariq Bahi
00:C0:05:02:00:68 #Sheraz
00:C0:05:01:87:20 #Badar
00:C0:09:10:87:D0 #Tauqeer


My mac.deny file

# cat /etc/mac.deny
00:C0:05:02:0E:91 #Asif Khan
00:00:0C:8E:55:11 #Meraj Rasool Khattak


Appendix

Following are the two scripts mentioned in the tutorial above.

Script No. 1

# touch /sbin/maccheck

This will create a blank file in /sbin

# pico /sbin/maccheck

This will open the blank file which you created before. Now copy and paste the MAC Check Script here and press Ctrl + X; it will ask you whether to save it or not. Press Y and save it as /sbin/maccheck

# chmod 744 /sbin/maccheck

This will change the permissions of the /sbin/maccheck file

Content of /sbin/maccheck

#!/bin/sh
#
# MAC Check Script
# This script loads the allowed and blocked MAC addresses into the firewall.
# (The "#!" line must be the very first line of the file for the kernel to honour it.)
#

set -x

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"
TMP_ALLOW="/tmp/mac.allow"
TMP_DENY="/tmp/mac.deny"

cat $MAC_ALLOW | awk '{ print $1}' > $TMP_ALLOW
cat $MAC_DENY | awk '{ print $1}' > $TMP_DENY

echo -e "Loading MAC Address...."
/sbin/iptables -F INPUT
/sbin/iptables -I INPUT -p all -j DROP

for MAC in `cat $TMP_ALLOW`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

for MAC in `cat $TMP_DENY`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

rm -f $TMP_ALLOW
rm -f $TMP_DENY

echo -e "MAC Address Loaded Successfully...."


Script No. 2

# touch /sbin/addmac

This will create a blank file in /sbin

# pico /sbin/addmac

This will open the blank file which you created before. Now copy and paste the ADD MAC Script here and press Ctrl + X; it will ask you whether to save it or not. Press Y and save it as /sbin/addmac

# chmod 744 /sbin/addmac

This will change the permissions of the /sbin/addmac file

Content of /sbin/addmac

#!/bin/sh
#
# Use this script to block your Clients by their MAC Address.
# Script Created by Farrukh Ahmed of Linux Pakistan dot Net
#
# Each line of the list files looks like "00:C0:05:01:87:20 # Comment":
# the MAC address is the first field, the rest of the line is a comment.
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# Create a list file with 644 permissions if it does not exist yet.
ensure_file() {
    if [ ! -f "$1" ]; then
        echo "File Not Found..."
        echo "Creating File..."
        touch "$1"
        chmod 644 "$1"
    fi
}

# Succeed if the MAC address $2 is listed (as first field) in file $1.
mac_listed() {
    [ -f "$1" ] && awk '{ print $1 }' "$1" | grep -qix "$2"
}

# Append "MAC # Comment" to list file $1 unless the MAC is already there.
add_entry() {
    file=$1
    mac=$2
    shift 2
    if mac_listed "$file" "$mac"; then
        echo "MAC Address : $mac already exists"
        exit 1
    fi
    ensure_file "$file"
    if echo "$mac # $*" >> "$file"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

# Move every line for MAC $3 from list file $1 to list file $2 (comment included).
move_entry() {
    from=$1
    to=$2
    mac=$3
    if ! mac_listed "$from" "$mac"; then
        echo "MAC Address : $mac not found in $from"
        exit 1
    fi
    ensure_file "$to"
    awk -v m="$mac" 'toupper($1) == toupper(m)' "$from" >> "$to"
    # Rewrite the source file in place so its owner and permissions are kept.
    awk -v m="$mac" 'toupper($1) != toupper(m)' "$from" > "${from}.tmp" \
        && cat "${from}.tmp" > "$from"
    rm -f "${from}.tmp"
}

allow() {
    if [ $# -lt 2 ]; then
        echo "Usage : addmac allow <MAC Address> <Comments>"
        exit 1
    fi
    add_entry "$MAC_ALLOW" "$@"
}

backup() {
    case "$1" in
        allow) cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak" ;;
        deny)  cp -f "$MAC_DENY" "${MAC_DENY}.bak" ;;
        *) echo "Usage: addmac backup <allow/deny>"; exit 1 ;;
    esac
}

block() {
    if [ $# != 1 ]; then
        echo "Usage: addmac block <MAC Address>"
        exit 1
    fi
    move_entry "$MAC_ALLOW" "$MAC_DENY" "$1"
}

deny() {
    if [ $# -lt 2 ]; then
        echo "Usage : addmac deny <MAC Address> <Comments>"
        exit 1
    fi
    add_entry "$MAC_DENY" "$@"
}

# Named after the sub-command; it shadows /usr/bin/find inside this script only.
find() {
    case "$1" in
        allow) file=$MAC_ALLOW ;;
        deny)  file=$MAC_DENY ;;
        *) echo "Usage : addmac find <allow/deny> <MAC Address|all>"; exit 1 ;;
    esac
    if [ "$2" = "all" ]; then
        sort "$file" | uniq
    elif [ -n "$2" ]; then
        grep -i "$2" "$file"
    else
        echo "Usage : addmac find <allow/deny> <MAC Address|all>"
        exit 1
    fi
}

restore() {
    case "$1" in
        allow) cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW" ;;
        deny)  cp -f "${MAC_DENY}.bak" "$MAC_DENY" ;;
        *) echo "Usage: addmac restore <allow/deny>"; exit 1 ;;
    esac
}

# Show the IP / MAC pairs in the ARP cache, relabelling the HWaddress column.
searchmac() {
    if [ $# != 0 ]; then
        echo "Usage : addmac searchmac"
        exit 1
    fi
    arp -n | awk '{ if ($1 ~ /Address/) { print "IP", $1, "\t", $3 } else { print $1, "\t", $3 } }' \
        | sed 's/HWa/MAC A/'
}

unblock() {
    if [ $# != 1 ]; then
        echo "Usage: addmac unblock <MAC Address>"
        exit 1
    fi
    move_entry "$MAC_DENY" "$MAC_ALLOW" "$1"
}

# Dispatch on the sub-command; the remaining arguments go to the function.
case "$1" in
    allow)     shift; allow "$@" ;;
    backup)    shift; backup "$@" ;;
    block)     shift; block "$@" ;;
    deny)      shift; deny "$@" ;;
    find)      shift; find "$@" ;;
    restore)   shift; restore "$@" ;;
    searchmac) shift; searchmac "$@" ;;
    unblock)   shift; unblock "$@" ;;
    *)
        echo "Usage: addmac {allow|backup|block|deny|find|restore|searchmac|unblock} MAC Address"
        exit 1
        ;;
esac


Best Regards.
Farrukh Ahmed
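As an added illustration, not part of the thread or of the scripts above: maccheck feeds the first field of every non-empty line in mac.allow and mac.deny to iptables without checking it, and because the deny loop runs after the allow loop its DROP rules are inserted above the ACCEPT rules. This Python lint (my own code, with constructed sample lists that reuse the MAC values from the post, including the address that appears twice in the sample mac.allow) catches the lines iptables would reject, duplicate entries, and MACs present in both files, and reports the verdict the resulting INPUT chain gives a MAC.

```python
import re
from collections import defaultdict
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # form used in /etc/mac.allow
# Constructed sample lists; the MAC values mirror those shown in the post above.
SAMPLE_ALLOW = """00:C0:05:01:87:20 #Farrukh Ahmed
00:C0:05:02:0E:92 #Tariq Bahi
00:C0:05:02:00:68 #Sheraz
00:C0:05:01:87:20 #Badar
"""
SAMPLE_DENY = """00:C0:05:02:0E:91 #Asif Khan
# disabled entry
00:C0:05:02:00:68 #Sheraz (temporarily blocked)
"""
def parse_mac_list(text):
    # Returns (entries, errors). maccheck hands awk's first field of every non-empty
    # line to iptables, so a line whose first field is '#' is an error, not a comment.
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line: maccheck's for-loop never sees it
        if not MAC_RE.match(fields[0]):
            errors.append(f"line {no}: '{fields[0]}' is not a MAC address; iptables would reject it")
            continue
        comment = raw.split("#", 1)[1].strip() if "#" in raw else ""
        entries.append((no, fields[0].upper(), comment))
    return entries, errors

def lint(allow_text, deny_text):
    # Reports bad lines, duplicates within a file, and MACs present in both files.
    allow, errs_a = parse_mac_list(allow_text)
    deny, errs_d = parse_mac_list(deny_text)
    findings = [f"mac.allow {e}" for e in errs_a] + [f"mac.deny {e}" for e in errs_d]
    for name, entries in (("mac.allow", allow), ("mac.deny", deny)):
        seen = defaultdict(list)
        for no, mac, comment in entries:
            seen[mac].append(f"line {no} ({comment or 'no comment'})")
        findings += [f"{name}: {mac} listed twice: {', '.join(w)}"
                     for mac, w in seen.items() if len(w) > 1]
    both = {m for _, m, _ in allow} & {m for _, m, _ in deny}
    findings += [f"{m} is in both lists; its DROP rule is inserted later, so it wins"
                 for m in sorted(both)]
    return findings

def verdict(mac, allow_text, deny_text):
    # Action of the maccheck-built INPUT chain for a new frame from this MAC: the deny
    # loop runs after the allow loop, so its -I DROP rules sit above the ACCEPT rules.
    in_deny = mac.upper() in {m for _, m, _ in parse_mac_list(deny_text)[0]}
    in_allow = mac.upper() in {m for _, m, _ in parse_mac_list(allow_text)[0]}
    return "DROP" if in_deny or not in_allow else "ACCEPT"  # unmatched MAC: catch-all DROP
```

Run `lint(open("/etc/mac.allow").read(), open("/etc/mac.deny").read())` before calling /sbin/maccheck to see what the script would silently pass on to iptables.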
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear Users,
Salam,

Please use the latest version of the maccheck script.

#!/bin/sh
#
# MAC Check Script
# This script loads the allowed and blocked MAC addresses into the firewall.
# (The "#!" line must be the very first line of the file.)
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"
TMP_ALLOW="/tmp/mac.allow"
TMP_DENY="/tmp/mac.deny"

cat $MAC_ALLOW | awk '{ print $1}' > $TMP_ALLOW
cat $MAC_DENY | awk '{ print $1}' > $TMP_DENY

echo -e "Loading MAC Address...."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t fitler -F
iptables -t fitler -X

for MAC in `cat $TMP_ALLOW`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

for MAC in `cat $TMP_DENY`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

/sbin/iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p all -j DROP

rm -f $TMP_ALLOW
rm -f $TMP_DENY

echo -e "MAC Address Loaded Successfully...."


Best Regards.
Farrukh Ahmed
asaddotcom
Company Havaldaar Major
Posts: 195
Joined: Fri Feb 04, 2005 7:21 pm
Location: Lahore, PK

Post by asaddotcom »

Dear LinuxFreaK,
Sallam,

I got this message after using your latest script.
[root@dricola root]# /sbin/maccheck
Loading MAC Address....
iptables v1.3.5: can't initialize iptables table `fitler': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.3.5: can't initialize iptables table `fitler': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
MAC Address Loaded Successfully....
Also my browsing stopped on the client side after using this...
Tell me what to do?
Thanking You...

ครค๔
www.apnicollection.com | www.wikisoft.pk
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear asaddotcom,
Salam,

#!/bin/sh
#
# MAC Check Script
# This script loads the allowed and blocked MAC addresses into the firewall.
# (The "#!" line must be the very first line of the file.)
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"
TMP_ALLOW="/tmp/mac.allow"
TMP_DENY="/tmp/mac.deny"

cat $MAC_ALLOW | awk '{ print $1}' > $TMP_ALLOW
cat $MAC_DENY | awk '{ print $1}' > $TMP_DENY

echo -e "Loading MAC Address...."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

for MAC in `cat $TMP_ALLOW`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

for MAC in `cat $TMP_DENY`
do
/sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

# Send the clients' web traffic through the Squid proxy listening on port 8080.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# POSTROUTING rules take -o (outgoing interface), not -i; eth0 is assumed to be the internet-facing NIC.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


/sbin/iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p all -j DROP

rm -f $TMP_ALLOW
rm -f $TMP_DENY

echo -e "MAC Address Loaded Successfully...."


Note: you can modify the bold rules according to your needs.

Best Regards.
Farrukh Ahmed