MAC to IP matching security in IP Tables

Postby maiqbal » Wed Aug 30, 2006 2:03 pm

Hi,

I am a newbie in Linux, so can anyone help me with the following situation:

I have 50 users on my LAN; I want 20 of them to access my Linux machine and none of the others. I have been given 20 IPs and 20 MAC addresses by my network administrator.

I want to drop any connection to my Linux machine on eth0 (i.e. my LAN interface) if an IP is not matched with its appropriate MAC address; I also want to drop all other IPs as well as MAC addresses besides the given 20.

Can anyone help me in this regard?

Regards,

Muhammad Asif Iqbal
maiqbal
Lance Naik
 
Posts: 19
Joined: Fri Sep 03, 2004 11:04 am
WLM: maiqbal24@hotmail.com
Yahoo Messenger: masifiqbal1@yahoo.com
Location: Karachi

Postby wazim4_u » Wed Aug 30, 2006 3:07 pm

#!/bin/bash

#-- Flush and delete all rules, then create a user-defined chain called MAC
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -N MAC

#-- Set INPUT & FORWARD policies to DROP: anything not explicitly accepted is dropped
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

#-- Keep loopback working; with INPUT DROP and no such rule, local services break
/sbin/iptables -A INPUT -i lo -j ACCEPT

#-- Bind IP with MAC address: one line per allowed host. A packet arriving on eth0
#-- must carry BOTH this source IP and this source MAC to be accepted
/sbin/iptables -A MAC -i eth0 -s 192.168.1.1 -p all -m mac --mac-source 00:14:BF:89:FF:45 -j ACCEPT

#-- Reply traffic of connections already accepted (needed for the return packets of forwarded/NATed flows)
/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT

#-- Send INPUT & FORWARD through the MAC chain
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

#-- Anything else arriving on eth0 is dropped
/sbin/iptables -A MAC -i eth0 -p all -j DROP


======================================
That works very well for me for about 100 clients. The IP is also bound to the MAC: if the MAC is allowed but the IP is not the same, it will not give the client access to your machine.
wazim4_u
Naik
 
Posts: 68
Joined: Mon Jun 13, 2005 10:38 pm
WLM: wasim4all@hotmail.com
Yahoo Messenger: waseem_yn@yahoo.com
Location: Saudi Arabia (Riyadh)

Postby azfar » Wed Aug 30, 2006 4:26 pm

Does anyone know the same thing for ipfilter?
Azfar Hashmi
Email : azfarhashmi@hotmail.com
azfar
Captain
 
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
WLM: azfarhashmi@hotmail.com
Yahoo Messenger: azfarhusain@yahoo.com
Location: Karachi

Postby maiqbal » Wed Aug 30, 2006 4:35 pm

Thanks Wazim, but I have found the following as well, which is quite easy:

INSTRUCTIONS:


1. Create a file in the /sbin folder named maccheck:

# touch /sbin/maccheck

# chmod 744 /sbin/maccheck

# pico /sbin/maccheck


#!/bin/sh
#
# MAC Check Script
# This script will add allowed and blocked users to the firewall
#
# /etc/mac.allow and /etc/mac.deny hold one MAC per line; anything after
# the MAC (e.g. "#Farrukh Ahmed") is a comment, so only the first field of
# each line is passed to iptables.

echo "Loading MAC addresses...."
/sbin/iptables -F INPUT
/sbin/iptables -I INPUT -p all -s 222.222.0.0/16 -j DROP
# Assuming that your network ID is 222.222.0.0; if you are using a
# class C address then you may write 192.168.0.0/24 instead.

# Rules are inserted at the top (-I), so the allowed MACs end up above the
# subnet DROP, and the denied MACs (inserted last) end up above everything.
for MAC in `grep -v '^#' /etc/mac.allow | awk '{print $1}'`
do
    /sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j ACCEPT
done

for MAC in `grep -v '^#' /etc/mac.deny | awk '{print $1}'`
do
    /sbin/iptables -I INPUT -p all -m mac --mac-source $MAC -j DROP
done

echo "MAC addresses loaded successfully...."



2. Create a file in the /sbin folder named addmac:

# touch /sbin/addmac

# chmod 744 /sbin/addmac

# pico /sbin/addmac



#!/bin/sh
#
# Use this script to allow or block your clients by their MAC address.
# Script Created by Muhammad Asif Iqbal (ITIM Systems)
#

MAC_ALLOW="/etc/mac.allow"
MAC_DENY="/etc/mac.deny"

# append_entry FILE MAC COMMENT: create FILE if needed, then append "MAC #COMMENT"
append_entry() {
    file=$1
    mac=$2
    comment=$3
    if [ ! -f "$file" ]; then
        echo "File Not Found..."
        echo "Creating File..."
        touch "$file"
        chmod 644 "$file"
    fi
    if echo "$mac #$comment" >> "$file"; then
        echo "MAC Added Successfully"
    else
        echo "Failed to Add MAC Address"
    fi
}

allow() {
    append_entry "$MAC_ALLOW" "$1" "$2"
}

deny() {
    append_entry "$MAC_DENY" "$1" "$2"
}

# backup allow|deny: copy the list to a .bak file.
# Note: [ $args="allow" ] (no spaces around =) is always true; the test
# must be written [ "$1" = "allow" ] or the deny list is never backed up.
backup() {
    if [ "$1" = "allow" ]; then
        cp -f "$MAC_ALLOW" "${MAC_ALLOW}.bak"
    else
        cp -f "$MAC_DENY" "${MAC_DENY}.bak"
    fi
}

# restore allow|deny: copy the .bak file back over the list
restore() {
    if [ "$1" = "allow" ]; then
        cp -f "${MAC_ALLOW}.bak" "$MAC_ALLOW"
    else
        cp -f "${MAC_DENY}.bak" "$MAC_DENY"
    fi
}

# move_entry MAC FROM TO: append MAC to TO and remove its line from FROM
move_entry() {
    mac=$1
    from=$2
    to=$3
    echo "$mac" >> "$to"
    grep -v "$mac" "$from" > "${from}.tmp"
    cp -f "${from}.tmp" "$from"
    rm -f "${from}.tmp"
}

block() {
    move_entry "$1" "$MAC_ALLOW" "$MAC_DENY"
}

unblock() {
    move_entry "$1" "$MAC_DENY" "$MAC_ALLOW"
}

# Named findmac rather than find so the find(1) command is not shadowed
findmac() {
    if [ "$1" = "allow" ]; then
        grep "$2" "$MAC_ALLOW"
    else
        grep "$2" "$MAC_DENY"
    fi
}

usage() {
    echo "Usage: addmac {allow|backup|block|deny|find|restore|unblock} MAC Address"
    exit 1
}

# Every command takes at least one argument after the command name
if [ $# -lt 2 ]; then
    usage
fi

# See how we were called. For allow/deny everything after the MAC is the comment,
# so "addmac allow 00:.. Farrukh Ahmed" keeps both words.
case "$1" in
allow)
    mac=$2; shift 2
    allow "$mac" "$*"
    ;;
backup)
    backup "$2"
    ;;
block)
    block "$2"
    ;;
deny)
    mac=$2; shift 2
    deny "$mac" "$*"
    ;;
find)
    findmac "$2" "$3"
    ;;
restore)
    restore "$2"
    ;;
unblock)
    unblock "$2"
    ;;
*)
    usage
    ;;
esac



3. How to add an allowed MAC address

# addmac allow 00:00:91:0D:5C:90 Farrukh Ahmed (it will add the given MAC address, and the comment 'Farrukh Ahmed', to /etc/mac.allow)

4. How to block a MAC address

# addmac block 00:00:91:0D:5C:90 Farrukh Ahmed (it will remove the given MAC address from /etc/mac.allow and insert it in /etc/mac.deny)

5. How to deny a MAC address

# addmac deny 00:00:91:0D:5C:90 Farrukh Ahmed (it will add the given MAC address, and the comment 'Farrukh Ahmed', to /etc/mac.deny)

6. How to find an allowed MAC address

# addmac find allow 00:00:91:0D:5C:90 (it will find the given MAC address in /etc/mac.allow)

7. How to find a denied MAC address

# addmac find deny 00:00:91:0D:5C:90 (it will find the given MAC address in /etc/mac.deny)

8. How to unblock a MAC address

# addmac unblock 00:00:91:0D:5C:90 (it will remove the given MAC address from /etc/mac.deny and insert it in /etc/mac.allow)

9. How to back up the allowed MAC addresses

# addmac backup allow (it will back up /etc/mac.allow to /etc/mac.allow.bak)

10. How to back up the denied MAC addresses

# addmac backup deny (it will back up /etc/mac.deny to /etc/mac.deny.bak)

11. How to restore the allowed MAC addresses

# addmac restore allow (it will restore /etc/mac.allow.bak to /etc/mac.allow)

12. How to restore the denied MAC addresses

# addmac restore deny (it will restore /etc/mac.deny.bak to /etc/mac.deny)

Note: whenever you add/remove/block/unblock a MAC address you must run /sbin/maccheck.

At the end of your /etc/rc.d/rc.local add the following line:

exec /sbin/maccheck

Your mac.allow file will look like this:

# cat /etc/mac.allow
00:C0:05:01:87:20 #Farrukh Ahmed
00:C0:05:02:0E:92 #Tariq Bahi
00:C0:05:02:00:68 #Sheraz
00:C0:05:01:87:20 #Badar
00:C0:09:10:87:D0 #Tauqeer

My mac.deny file:

# cat /etc/mac.deny
00:C0:05:02:0E:91 #Asif Khan
00:00:0C:8E:55:11 #Meraj Rasool Khattak

Postby azfar » Wed Aug 30, 2006 5:12 pm

Isn't it only MAC based?

Postby maiqbal » Thu Aug 31, 2006 11:14 am

wazim4_u wrote:

#!/bin/bash

#-- Flush and Delete Iptables
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -N MAC

#--Set INPUT & FORWARD Polices to DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

#-- Bind IP with MAC Address
/sbin/iptables -A MAC -i eth0 -s 192.168.1.1 -p all -m mac --mac-source 00:14:BF:89:FF:45 -j ACCEPT



/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT

#-- Jump INPUT & FORWARD Polices to MAC
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC
/sbin/iptables -A MAC -i eth0 -p all -j DROP


Hi Wazim,

Can I use the following rules in iptables with your recipe:

modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -d 64.245.58.0/23 -j DROP
iptables -I FORWARD -p TCP --dport 6346 -j DROP
iptables -I FORWARD -p TCP --dport 4661 -j DROP
iptables -I FORWARD -p TCP --dport 4662 -j DROP
iptables -I FORWARD -p UDP --dport 4661 -j DROP
iptables -I FORWARD -p TCP --dport 1214 -j DROP
iptables -I FORWARD -p UDP --dport 1214 -j DROP
iptables -I FORWARD -d 213.248.112.0/24 -j DROP
iptables -I FORWARD -d 206.142.53.0/24 -j DROP
iptables -I FORWARD -d 209.25.178.0/24 -j DROP
iptables -I FORWARD -d 64.124.41.0/24 -j DROP
iptables -I FORWARD -d 209.61.186.0/24 -j DROP
iptables -I FORWARD -d 64.49.201.0/24 -j DROP
iptables -I FORWARD -d 216.35.208.0/24 -j DROP
iptables -I FORWARD -p UDP --dport 9898 -j DROP
iptables -I FORWARD -p UDP --dport 5190:5193 -j DROP
iptables -I FORWARD -d login.oscar.aol.com -j DROP
iptables -I FORWARD -d login.icq.com -j DROP
iptables -I FORWARD -p UDP --dport 5222:5223 -j DROP
iptables -I FORWARD -p UDP --dport 5000:5010 -j DROP
iptables -I FORWARD -p TCP --dport 6681:6900 -j DROP
iptables -I FORWARD -d cs.yahoo.com -j DROP
iptables -I FORWARD -d scsa.yahoo.com -j DROP
iptables -I FORWARD -p TCP --dport 1863 -j DROP

Thanks in advance,

Regards,
Muhammad Asif Iqbal

Postby wazim4_u » Thu Aug 31, 2006 12:29 pm

#!/bin/bash
#
####################################################
#-> Flush all the rules in the filter, nat and mangle tables.
####################################################
#

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC

#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#

/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
#   (the SNAT rule alone does not switch forwarding on)
###############################################################
#
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 213.184.171.34

#
###############################################################
#-> Reply packets of connections already accepted. Without this
#   rule the FORWARD DROP policy discards the return traffic of
#   every NATed connection, because replies arrive on eth1 and
#   match none of the eth0 rules below.
###############################################################
#
/sbin/iptables -A MAC -m state --state ESTABLISHED,RELATED -j ACCEPT

#
#################
#-> SSH Connection (accepted from any LAN host, regardless of MAC)
#################
#
/sbin/iptables -A MAC -i eth0 -p tcp --dport 22 -j ACCEPT

#
##############
#-> DNS Queries (accepted from any LAN host, regardless of MAC)
##############
#
/sbin/iptables -A MAC -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A MAC -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT

#
#####################
##---> Bind MAC with IP <---##
#####################
#
# /etc/allow.user holds one "IP|MAC" pair per line (see below). A packet
# from eth0 is accepted only if its source IP AND source MAC match one line.

for allowuser in `cat /etc/allow.user`
do
    ip=`echo $allowuser | cut -d"|" -f1`
    mac=`echo $allowuser | cut -d"|" -f2`
    echo Allowed $ip $mac
    /sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
done    # closes the for loop; without it bash reports "unexpected end of file"

#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP



#-------------------------
/etc/allow.user will look like this:

192.168.1.11|00:13:20:40:EB:10
192.168.1.12|00:54:AC:90:CA:00


Yes maiqbal, I think you can use these rules with the script. You can even use MAC instead of FORWARD or INPUT like I did; it works fine for me. Give it a try and let me know. It is not only to control the MAC address but also the IP: if the given IP is used with the given MAC then it works, otherwise it won't (I am using this script for about 150+ clients).
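Added example, not from any post in this thread: a loader for the "IP|MAC" allow-list format shown above that validates each entry before it becomes an iptables rule. A bad line (a typo, a MAC written with dashes, an octet over 255, a missing field) is reported and the function returns non-zero, instead of the loop silently leaving that host unbound, which with INPUT/FORWARD set to DROP means a locked-out user and no log line to explain it. By default it only prints the rules (dry run); set IPTABLES=/sbin/iptables to apply them. LAN_IF, IPTABLES and the allow-list path are assumptions. One caveat in my own words: neither a MAC nor an IP is a credential, both can be set by the client, so this binding stops casual address changes, not a deliberate spoofer.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the MAC chain from an
# "IP|MAC" allow-list (format assumed from /etc/allow.user above) after
# validating each entry. Dry run by default; IPTABLES=/sbin/iptables applies.
LAN_IF="${LAN_IF:-eth0}"                 # assumption: LAN interface name
IPTABLES="${IPTABLES:-echo iptables}"    # "echo iptables" = print, do not apply

# valid_ip A.B.C.D -> 0 if exactly four decimal octets, each 0..255
valid_ip() {
    printf '%s\n' "$1" | awk -F. '{
        if (NF != 4) exit 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
        exit 0 }'
}

# valid_mac XX:XX:XX:XX:XX:XX -> 0 if six upper-case hex pairs joined by colons
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'
}

# normalize_mac: strip blanks, dashes -> colons, upper-case (00-0d-.. -> 00:0D:..)
normalize_mac() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef-' 'ABCDEF:'
}

# load_bindings FILE: one ACCEPT rule per valid line. Blank and '#' lines are
# skipped; bad lines go to stderr and the function returns 1 at the end, so a
# caller can refuse to go live with a half-loaded chain.
load_bindings() {
    rc=0
    while IFS='|' read -r ip mac _rest; do
        ip=$(printf '%s' "$ip" | tr -d ' \t')
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(normalize_mac "$mac")
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "REJECTED: ip='$ip' mac='$mac'" >&2
            rc=1
            continue
        fi
        $IPTABLES -A MAC -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done < "$1"
    return $rc
}

# Stand-alone run on a constructed allow-list with one bad entry (dry run).
tmp=$(mktemp)
printf '%s\n' '# ip|mac' '192.168.1.11|00:13:20:40:EB:10' \
    '192.168.1.12|00-54-ac-90-ca-00' '999.168.1.13|00:00:00:00:00:01' > "$tmp"
load_bindings "$tmp" || echo "some entries were rejected; chain not complete" >&2
rm -f "$tmp"
```

In a real rc.local you would flush and rebuild the MAC chain first, call load_bindings /etc/allow.user, and only append the jump rules and the final DROP when it returned 0; otherwise leave the old chain in place and alert, rather than lock the LAN out over a typo.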

Postby maiqbal » Thu Aug 31, 2006 1:09 pm

Thanks wazim,

for allowuser in `cat /etc/allow.user`
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT

/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

/sbin/iptables -A MAC -i eth0 -p all -j DROP




Does the above quote work as it is if I place it in rc.local along with the iptables rules,
or do I just need to place the following in my rc.local file:

cat /etc/allow.user
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT

/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC

/sbin/iptables -A MAC -i eth0 -p all -j DROP

I know it's quite annoying, but consider me a newbie.

Regards,
Muhammad Asif Iqbal

Postby maiqbal » Thu Aug 31, 2006 2:41 pm

Hi again,

I have tried your way, Wazim, but I get the following error again and again:

Syntax error: unexpected end of file

I even tried to run the following in a .sh file, but the result is the same:

#!/bin/bash
#
touch /var/lock/subsys/local
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC
#
#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#
#
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#
#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
###############################################################
#
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 222.222.0.0/16 -j SNAT --to 203.170.76.121
#
#
#####################
##---> Bind MAC with IP <---##
#####################
#
#
for allowuser in `cat /etc/allow.user`
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
#
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC
#
#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
#
#


Where 222.222.0.0/16 is the network ID and 203.170.76.121 is the public IP on the Linux machine.

Can you please have a look and suggest what to do?

Regards,

Muhammad Asif Iqbal

Postby maiqbal » Thu Aug 31, 2006 3:12 pm

Here is another try, adding "done" to your syntax, Wazim:

#
#
for allowuser in `cat /etc/allow.user`
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
done
#
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
#/sbin/iptables -A INPUT -p all -j MAC
#/sbin/iptables -A FORWARD -p all -j MAC
#
#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
#


And here are the results:

[root@fire asif]# ./test.sh
Allowed 222.222.0.108 00-0D-61-26-B9-7B
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables v1.2.7a: Couldn't load target `MAC':/lib/iptables/libipt_MAC.so: cannot open shared object file: No such file o
r directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.7a: Couldn't load target `MAC':/lib/iptables/libipt_MAC.so: cannot open shared object file: No such file o
r directory

It allows me from the 222.222.0.108 IP but didn't block anything else.

My linux distribution is Red Hat Linux 9.0
Kernel 2.4.20-8
iptables 1.2.7a-2

Don't know what's wrong with it.

Regards,
Muhammad Asif Iqbal

Postby LinuxFreaK » Thu Aug 31, 2006 3:58 pm

Dear maiqbal,
Salam,

maiqbal wrote:#
#!/bin/sh
#
# Use this script to block your Clients by their MAC Address.
# Script Created by Muhammad Asif Iqbal (ITIM Systems)
#


That's wrong, it was written by me :(

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=2182

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Postby maiqbal » Thu Aug 31, 2006 4:17 pm

Yar Farrukh Bhai,

I am sorry, I edited that by mistake. I will update it. But it's not working, dear. Can you help me with that?

Regards,

Muhammad Asif Iqbal

Postby LinuxFreaK » Thu Aug 31, 2006 4:23 pm

Dear maiqbal,
Salam,

Ask here what is not working and what the issue is.

http://www.linuxpakistan.net/forum2x/vi ... php?t=2182

Best Regards.

Postby maiqbal » Thu Aug 31, 2006 5:04 pm

Dear Wazim,

Now I have got it done with a few changes; here's my /etc/rc.local file:
#!/bin/bash
#
touch /var/lock/subsys/local
modprobe iptable_nat
#
####################################################
#-> Flush all the rules in the filter and nat tables.
####################################################
#
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -N MAC
/sbin/iptables -F MAC
#
#
#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#
#
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#
#
#####################
#-> Accept Loopback #
#####################
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
#
#
###############################################################
#-> Enable IP Forwarding and Network Address Translation.
###############################################################
#
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 222.222.0.0/16 -j SNAT --to 203.170.76.121
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
#
#################
#-> SSH & Telnet Connection
#################
#
#/sbin/iptables -A MAC -i eth1 -p tcp --dport 22 -j ACCEPT
#/sbin/iptables -A MAC -i eth1 -p tcp --dport 23 -j ACCEPT
#
#######################
# Restrictions
#######################
#
/sbin/iptables -I FORWARD -d 64.245.58.0/23 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 6346 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 4661 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 4662 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 4661 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 1214 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 1214 -j DROP
/sbin/iptables -I FORWARD -d 213.248.112.0/24 -j DROP
/sbin/iptables -I FORWARD -d 206.142.53.0/24 -j DROP
/sbin/iptables -I FORWARD -d 209.25.178.0/24 -j DROP
/sbin/iptables -I FORWARD -d 64.124.41.0/24 -j DROP
/sbin/iptables -I FORWARD -d 209.61.186.0/24 -j DROP
/sbin/iptables -I FORWARD -d 64.49.201.0/24 -j DROP
/sbin/iptables -I FORWARD -d 216.35.208.0/24 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 9898 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5190:5193 -j DROP
/sbin/iptables -I FORWARD -d login.oscar.aol.com -j DROP
/sbin/iptables -I FORWARD -d login.icq.com -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5222:5223 -j DROP
/sbin/iptables -I FORWARD -p UDP --dport 5000:5010 -j DROP
/sbin/iptables -I FORWARD -p TCP --dport 6681:6900 -j DROP
#
##############
#-> DNS Queries.
##############
#
/sbin/iptables -A MAC -s 222.222.0.0/16 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A MAC -s 222.222.0.0/16 -p udp --dport 53 -j ACCEPT
#
#
#####################
##---> Bind MAC with IP <---##
#####################
#
#
for allowuser in `cat /etc/allow.user`
do
ip=`echo $allowuser |cut -d"|" -f1`
mac=`echo $allowuser |cut -d"|" -f2`
echo Allowed $ip $mac
/sbin/iptables -A MAC -i eth0 -s $ip -p all -m mac --mac-source $mac -j ACCEPT
done
#
#
#######################################
#-> Jump INPUT & FORWARD rules to MAC.
#######################################
#
/sbin/iptables -A INPUT -p all -j MAC
/sbin/iptables -A FORWARD -p all -j MAC
#
#
##########################
#-> DROP everything else.
##########################
#
/sbin/iptables -A MAC -i eth0 -p all -j DROP
#

#
#-------------------------


Changes: (* marks the change, with the previous statement in brackets)

#####################################
#-> INPUT, FORWARD and OUTPUT chains.
#####################################
#
#
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
#------------------------------
/sbin/iptables -P INPUT ACCEPT *(DROP)
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT



Please reflect.

Regards,
Muhammad Asif Iqbal

Postby wazim4_u » Thu Aug 31, 2006 10:27 pm

Dear Asif,

Check the script I sent twice and change it according to your needs; I have given you the running script from my network. If you get it working, let me know. INPUT and FORWARD must be set to DROP, as in the script I sent.

If you get any error, copy it and paste it here.


Thanks,
Wasim
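Added example, not from any post in this thread: an audit that compares the bindings actually loaded in the MAC chain with the allow-list, so a loop that never ran (the missing "done" earlier in the thread), a hand-edited rule or a stale binding for a removed host shows up as a MISSING or EXTRA line instead of being discovered when a user cannot connect. It reads rule text in the line format that iptables-save prints (which is what you have on an iptables 1.2.x box like the Red Hat 9 one above; newer iptables print the same lines with iptables -S MAC). The sample rules and allow-list are constructed inline, and the file paths are assumptions; in production you would save the chain to a file first, e.g. iptables-save | grep '^-A MAC ' > /tmp/mac.rules, and run audit /etc/allow.user /tmp/mac.rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the IP|MAC pairs in an
# allow-list with the ACCEPT rules present in the MAC chain and reports
# differences. Rules are read from a file in iptables-save / "iptables -S MAC"
# line format. File paths are assumptions.

# expected_bindings ALLOWFILE -> sorted "IP MAC" lines (MAC upper-case, colons)
expected_bindings() {
    awk -F'|' '/^[ \t]*#/ { next } NF < 2 { next } {
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); gsub(/-/, ":", $2)
        print $1, toupper($2) }' "$1" | sort -u
}

# loaded_bindings RULEFILE -> sorted "IP MAC" lines from ACCEPT rules in chain
# MAC that carry both -s and --mac-source; the /32 iptables appends is dropped.
# Rules without a MAC match (the bare DNS/SSH/state accepts) are ignored.
loaded_bindings() {
    awk '$1 == "-A" && $2 == "MAC" && /--mac-source/ && /-j ACCEPT/ {
        ip = ""; mac = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") ip = $(i + 1)
            if ($i == "--mac-source") mac = $(i + 1)
        }
        if (ip != "" && mac != "") { sub(/\/32$/, "", ip); print ip, toupper(mac) }
    }' "$1" | sort -u
}

# audit ALLOWFILE RULEFILE: prints "MISSING ip mac" (in the list, not loaded)
# and "EXTRA ip mac" (loaded, not in the list); returns 0 only if both match.
audit() {
    e=$(mktemp); l=$(mktemp)
    expected_bindings "$1" > "$e"
    loaded_bindings "$2" > "$l"
    comm -23 "$e" "$l" | sed 's/^/MISSING /'
    comm -13 "$e" "$l" | sed 's/^/EXTRA /'
    diffs=$(comm -3 "$e" "$l" | wc -l | tr -d ' ')
    rm -f "$e" "$l"
    [ "$diffs" -eq 0 ]
}

# Stand-alone run on constructed data: one host in the list never got a rule,
# and one rule is left over from a host that was removed from the list.
demo() {
    a=$(mktemp); r=$(mktemp)
    printf '%s\n' '192.168.1.11|00:13:20:40:EB:10' '192.168.1.12|00-54-ac-90-ca-00' > "$a"
    printf '%s\n' '-N MAC' \
        '-A MAC -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A MAC -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT' \
        '-A MAC -s 192.168.1.11/32 -i eth0 -m mac --mac-source 00:13:20:40:EB:10 -j ACCEPT' \
        '-A MAC -s 192.168.1.13/32 -i eth0 -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT' \
        '-A MAC -i eth0 -j DROP' > "$r"
    audit "$a" "$r"; rc=$?
    rm -f "$a" "$r"
    return $rc
}
demo || echo "audit: loaded chain and allow-list differ" >&2
```

Run it from cron after every maccheck/rc.local change; a non-zero exit with no MISSING/EXTRA lines means the files could not be read, which is also worth an alert.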

