Dear LinuxFreaK,
Salam,
Yes, this script is working fine... thanks. Now tell me, what is the major difference between the new maccheck script and the old one which you posted in the year 2004, I think!
MAC Address ALLOW/DROP Script
-
- Company Havaldaar Major
- Posts: 195
- Joined: Fri Feb 04, 2005 7:21 pm
- Location: Lahore, PK
- Contact:
-
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
- Contact:
Re:
Dear asaddotcom,
Salam,
Blocking of all other requests is not working, and there are browsing issues.
Regards.
Farrukh Ahmed
Hi Farrukh Bhai,
When I run maccheck it gives me the following error:
[root@fire root]# maccheck
Loading MAC Address....
iptables v1.2.7a: Bad mac address `#AsifIqbal'
Try `iptables -h' or 'iptables --help' for more information.
MAC Address Loaded Successfully....
while my mac.allow file is like this:
[root@fire root]# cat /etc/mac.allow
00-0D-61-26-B9-7B
00:16:76:09:41:67 #AsifIqbal
Any suggestions?
Also, this script only allows MAC addresses in the mac.allow table; what should one do if he needs to verify IP-to-MAC check authentication?
Thanks in advance,
Regards,
Muhammad Asif Iqbal
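The "Bad mac address `#AsifIqbal'" error above is what happens when a trailing comment in mac.allow reaches iptables unparsed. As an added example, not the thread's maccheck script, here is a small POSIX sh loader for an allow file in the assumed format "MAC [IP] [# comment]" (the sample input in the test is constructed): it strips comments before parsing, accepts both dash- and colon-separated addresses, validates each one, optionally binds a MAC to an IP, and prints the iptables rules it would load instead of executing them.

```shell
#!/bin/sh
# Added example, not the thread's maccheck script: load a mac.allow file safely.
# Assumed (constructed) file format: one entry per line, "MAC [IP] [# comment]",
# MAC written either as 00-0D-61-26-B9-7B or 00:0D:61:26:B9:7B.

H='[0-9A-F][0-9A-F]'   # one hex octet, used to validate the normalised address

# normalise_mac ADDR: print ADDR as upper-case, colon-separated; exit 1 if malformed.
normalise_mac() {
    mac=$(printf '%s' "$1" | tr 'abcdef-' 'ABCDEF:')
    case "$mac" in
        $H:$H:$H:$H:$H:$H) printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# gen_mac_rules FILE: print the iptables commands for every valid entry (dry run,
# nothing is executed). Comments and blank lines are removed *before* the address
# is parsed, so a trailing "#name" can never reach iptables; malformed addresses
# are reported on stderr and skipped instead of aborting the whole load.
gen_mac_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r raw ip _; do
        mac=$(normalise_mac "$raw") || { echo "skipping bad MAC: $raw" >&2; continue; }
        src=""
        if [ -n "$ip" ]; then
            src="-s $ip "   # an optional IP binds the MAC to that one address
        fi
        for chain in INPUT FORWARD; do
            printf '/sbin/iptables -A %s %s-m mac --mac-source %s -j ACCEPT\n' \
                "$chain" "$src" "$mac"
        done
    done
}
```

Pipe the output through sh once the rule list looks right; the default DROP policies and the flush steps from the thread's script are deliberately left out here.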
Re:
Dear maiqbal,
Salam,
Did you read the whole thread?
FYI, http://www.linuxpakistan.net/forum2x/vi ... t=15#20469
Best Regards.
Farrukh Ahmed
-
- Lance Naik
- Posts: 43
- Joined: Sun Nov 26, 2006 6:04 pm
- Location: Dubai, UAE.
- Contact:
Farrukh Ahmed, I read your MAC script. Good job.
Good job, but a drawback
Farrukh Ahmed, I looked at your MAC script, but put a NAT box there... same MAC, and as many users as they want can access the Internet. OR SOLUTION: use kismet to discover all valid MACs, and use whichever is not in use at the time.
Thanks
Regards,
Sherry.
Re:
Dear thecooldude,
Salam,
Thanks for appreciating my work. I had just written this script to achieve my goals at that time, and goals may vary from time to time.
Best Regards.
Farrukh Ahmed
Mac Binding
Dear Admin,
I want to apply these MAC binding rules on my text-based CentOS server. It is easy to apply these rules on my graphical-mode server, but how can I apply them on my text-mode server? That is, how can I copy and paste in text mode? Please give an easy way. Does it work on CentOS?
thanks
Re: Mac Binding
Dear rmira,
Salam,
rmira wrote:
> I want to apply these MAC binding rules on my text-based CentOS server. It is easy to apply these rules on my graphical-mode server, but how can I apply them on my text-mode server? That is, how can I copy and paste in text mode? Please give an easy way. Does it work on CentOS?
You should just copy and paste it into a file, make the file executable and use it.
Best Regards.
Farrukh Ahmed
AOA,
I tested your script and added a few things here and there as per my requirements...
This is what I have done with your maccheck script (a part of it is):
********************************************************
# reset every table and chain
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
# default policy: drop anything not explicitly allowed below
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
# enable routing and apply kernel-level network hardening
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem
#ALLOW USERS (one pair of rules per allowed IP/MAC combination)
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
#DENY USERS (one pair of rules per denied IP/MAC combination)
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j DROP
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j REJECT
********************************************************
The same problem as I had posted way back.... If the user changes his/her IP and MAC address to an allowed IP+MAC, he/she would gain access to the system.... Now I read somewhere about this:
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source ! $MAC -j DROP
I tried this but no dice... Does anyone have any pointers to how a Linux box could check for the real MAC addresses, not the spoofed ones? Or anything... would be grateful....
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
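The last post asks how a Linux box could tell a real MAC from a spoofed one. From the frame alone it cannot: the source MAC is a field the sender fills in, so a clone's packets look exactly like the allowed host's. What the gateway can observe is the side effect Sherry's NAT-box remark points at: once both the legitimate host and the clone are online, the same MAC turns up from more than one IP, or the same IP behind more than one MAC. As an added example, not code from this thread, the following POSIX sh/awk detector reads kernel log lines such as an iptables LOG rule would write (the rule and its "macfilt: " prefix are assumed, and the sample lines are constructed) and reports those conflicts.

```shell
#!/bin/sh
# Added example, not from the thread: find IP/MAC binding conflicts in kernel
# log lines written by an iptables LOG rule, e.g. (assumed, not on the page)
#   /sbin/iptables -A INPUT -j LOG --log-prefix "macfilt: "
# The kernel MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes),
# so the sender address is bytes 7..12.

# find_binding_conflicts FILE: print one line per MAC seen from more than one
# source IP and one line per IP seen behind more than one source MAC.
find_binding_conflicts() {
    awk '
    /MAC=/ && /SRC=/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/) macf = substr($i, 5)
            if ($i ~ /^SRC=/) src  = substr($i, 5)
        }
        if (split(macf, b, ":") < 12) next      # not a full Ethernet header
        smac = tolower(b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12])
        if ((smac, src) in pair) next           # count each MAC/IP pair once
        pair[smac, src] = 1
        ip_of[smac] = ip_of[smac] " " src;  n_ip[smac]++
        mac_of[src] = mac_of[src] " " smac; n_mac[src]++
    }
    END {
        for (m in n_ip)  if (n_ip[m] > 1)  print "MAC " m " seen from " n_ip[m] " IPs:" ip_of[m]
        for (a in n_mac) if (n_mac[a] > 1) print "IP " a " seen behind " n_mac[a] " MACs:" mac_of[a]
    }' "$1"
}

# Constructed sample log (not real traffic): host .77 borrows the MAC of
# host .10, and a third machine borrows the IP of host .10.
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 fire kernel: macfilt: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:16:76:09:41:67:08:00 SRC=192.168.1.10 DST=10.0.0.1 PROTO=TCP
Jan  5 10:00:02 fire kernel: macfilt: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:16:76:09:41:67:08:00 SRC=192.168.1.10 DST=10.0.0.1 PROTO=TCP
Jan  5 10:00:03 fire kernel: macfilt: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:16:76:09:41:67:08:00 SRC=192.168.1.77 DST=10.0.0.1 PROTO=UDP
Jan  5 10:00:04 fire kernel: macfilt: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0d:61:26:b9:7b:08:00 SRC=192.168.1.20 DST=10.0.0.1 PROTO=TCP
Jan  5 10:00:05 fire kernel: macfilt: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:de:ad:be:ef:00:01:08:00 SRC=192.168.1.10 DST=10.0.0.1 PROTO=TCP
EOF
}
```

Run it against the real log (for example find_binding_conflicts /var/log/messages) from cron; a hit is a reason to look at the switch port or the host, not proof of which side is the clone.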