MAC Address Filtering

Protecting your Linux box
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

MAC Address Filtering

Post by mudasir »

Salam,

Again I am a bit confused about MAC Address Filtering. I came across a DOC that described a very good method for MAC Address Filtering:
cat /firewall/macs/allowed.macs | while read allowedmacs
do
$IPTABLES -A INPUT -p ALL -m mac --mac-source $allowedmacs -j ACCEPT
$IPTABLES -A INPUT -p ALL -m mac --mac-source ! $allowedmacs -j DROP
done
I just want to know whether it will be able to help me out...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Post by mudasir »

And one more thing.
I just want to know what the following lines do....
iptables -t mangle -F maccheck
iptables -t mangle -X maccheck
iptables -t mangle -N maccheck
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
iptables -t mangle -A maccheck -j MARK --set-mark 1
iptables -t mangle -A maccheck -j RETURN
iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81
I found them in a firewall script but don't know the function of these lines.

Looking forward to your help
Kind Regards
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Post by LinuxFreaK »

Dear mudasir,
Salam,

Read the documentation, then you will have a better understanding.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed

Post by mudasir »

Salam

I have done some work to make my own MAC Address Filtering script, but I am getting a BAD MAC ADDRESS error. My MAC Address Filtering script is below:
#!/bin/bash
###################################
### Flushing All IPTABLES Rules ###
###################################

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

########################################
### Setting Default Policies To DROP ###
########################################

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#####################################
### MAC Address Filtering Process ###
#####################################

cat /Firewall/macs/allowed.macs | while read allowedmac
do
iptables -A INPUT -i eth2 -p ALL -m mac --mac-source $allowedmac -j ACCEPT
iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source $allowedmac -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $allowedmac --dport 5100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $allowedmac --dport 5100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $allowedmac --dport 5000:5010 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $allowedmac --dport 5000:5010 -j ACCEPT
done

##############################
### Enabling IP Forwarding ###
##############################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################################
### Rules To Redirect Web Traffic To Squid ###
##############################################

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080

##############################################
### Dropping All Traffic For Voice And Cam ###
##############################################

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 5100 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p udp --dport 5100 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 5000:5010 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p udp --dport 5000:5010 -j DROP

#########################################
### Accepting Established Connections ###
#########################################

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#############################
### Allow PING Requests ###
#############################

iptables -A FORWARD -s 10.10.10.0/23 -p ICMP -d ! 10.10.10.0/23 -j ACCEPT
iptables -A INPUT -i eth2 -p icmp -j ACCEPT

###############################################################################
### Drop Requests Coming From Internet Claiming To Be From Internal Network ###
###############################################################################

#iptables -A INPUT -i eth1 -s 10.10.10.0/23 -j DROP

iptables -t nat -A PREROUTING -i ! eth2 -s 10.10.10.0/23 -j DROP
Now when I run this script, it gives the error
'ptables v1.2.11: Bad mac address `00:B0:D0:85:0A:42
Not all of the MAC addresses are recognised as BAD MAC addresses; only a few of the MAC addresses are recognised as BAD MAC addresses.
And these MAC addresses are not loaded in the firewall.

I just want to know why these MAC addresses are BAD MAC addresses.

Looking forward to your help
Kind Regards

Re:

Post by LinuxFreaK »

Dear mudasir,
Salam,

It should work. Try adding the code below at the top of your script for debugging.

set -x
Best Regards.
Farrukh Ahmed

Post by mudasir »

Salam,

I have tried it... I am getting the following OUTPUT.
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source $'00:10:4B:2C:B3:BF\r' -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5100 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5100 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5000:5010 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5000:5010 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source 00:30:4F:04:BE:C9 -j ACCEPT
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source 00:30:4F:04:BE:C9 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5000:5010 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5000:5010 -j ACCEPT
Still don't know why I am getting errors; according to me the file should work. MAC addresses are written one MAC per line.

Looking forward to your help
Kind Regards
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

tr -d \\015 < /Firewall/macs/allowed.macs > /tmp/am
mv /tmp/am /Firewall/macs/allowed.macs
compucated
Naik
Posts: 75
Joined: Mon Oct 13, 2003 5:06 am
Location: Karachi, Pakistan
Contact:

Post by compucated »

mudasir wrote: Now when I run this script, it gives the error
'ptables v1.2.11: Bad mac address `00:B0:D0:85:0A:42
Not all of the MAC addresses are recognised as BAD MAC addresses; only a few of the MAC addresses are recognised as BAD MAC addresses.
And these MAC addresses are not loaded in the firewall.

I just want to know why these MAC addresses are BAD MAC addresses.
Check your /firewall/macs/allowed.macs file to see why the character ` is being added as a suffix.
Try using a plain text editor, i.e. pico, pine, vi etc.; you might be using some text editor that is adding those characters.
Also be aware of illegal symbols and characters (i.e. o) which are not legal to use in a MAC address.
regards

Post by compucated »

mudasir wrote: And one more thing.
I just want to know what the following lines do....
iptables -t mangle -F maccheck
iptables -t mangle -X maccheck
iptables -t mangle -N maccheck
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
iptables -t mangle -A maccheck -j MARK --set-mark 1
iptables -t mangle -A maccheck -j RETURN
iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81
I found them in a firewall script but don't know the function of these lines.

Looking forward to your help
iptables -t mangle -F maccheck
Flushes the chain maccheck in the mangle table

iptables -t mangle -X maccheck
Deletes the chain maccheck in the mangle table

iptables -t mangle -N maccheck
Creates a new chain named maccheck in the mangle table

iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
Jumps all TCP traffic coming from ethernet 2 (eth2) to the chain maccheck in the mangle table

iptables -t mangle -A maccheck -j MARK --set-mark 1
Appends a rule to the chain maccheck that sets mark 1 on the traffic (traffic which did not match the allowed MACs list)

iptables -t mangle -A maccheck -j RETURN
Returns the packets to stop them travelling through the chain

iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81
Redirects all TCP packets with mark 1 to host 10.10.10.1 port 81

Post by mudasir »

Salam

Dear Lambda, I tried the commands you stated above. Now I am getting a different error
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source -j ACCEPT
iptables v1.2.11: Bad mac address `-j'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source -j ACCEPT
iptables v1.2.11: Bad mac address `-j'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source --dport 5100 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source --dport 5100 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source --dport 5000:5010 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source --dport 5000:5010 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source 00:10:b5:43:18:f0 -j ACCEPT
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source 00:10:b5:43:18:f0 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5000:5010 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5000:5010 -j ACCEPT
+ read allowedmac
Now it is not even getting those MAC addresses. The script is getting almost all the MAC addresses into the FIREWALL except a few, and those few are making problems for me; if those MAC addresses are not added in the FIREWALL, the INTERNET won't work on them.

Looking forward to your help
Kind Regards

Post by lambda »

step 1: quit editing your files on windows.
step 2: paste the contents of the file.

Post by mudasir »

Salam,
Dear Lambda,

I did edit this file on Windows about 1 month back, but since then I have not even opened it on Windows.

I have pasted my MAC Address Filtering script above.

and the MAC address file /Firewall/macs/allowed.macs is as follows:
Now looking forward to your help
Kind Regards

Post by lambda »

make sure the first line in the file is not empty.

Post by mudasir »

Salam,

Dear Lambda,
There is no empty line left between any of the MAC addresses.

I am uploading the whole firewall script, so that you can check the whole script and help me out.

www.geocities.com/cool_mudasir/Firewall.tar.gz

Sequence in which the files run:
1. /Firewall/firewall

The above script runs all the other scripts in a particular order.

Looking forward to your help.
Kind Regards

Post by compucated »

Besides the fact, and to my amazement: these scripts were written by me several years ago when I was a novice at scripting, and I am amazed to see them since I never distributed that novice work, so how did they reach you?

Anyway, the problem in your case is that there are garbage characters in the fourth line of the mac.addresses file, which looks like just a blank line in general text editors.

Just delete the fourth line and re-run the script; the problem will go away.

regards
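The three problems this thread ran into (CRLF line endings from a Windows editor, a line that looks blank but carries garbage, and the per-MAC "! $mac -j DROP" in the snippet quoted in the first post) can all be handled before any rule is loaded. The script below is an added example, not code from the thread; the file path, the interface name eth2 and the IPTABLES variable (defaulting to a dry-run printer) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Normalizes an allowed-MAC list and
# emits MAC allowlist rules; IPTABLES, the file path and eth2 are placeholders.

# Print one clean, lowercase MAC per line; report anything else on stderr.
# Covers the thread's failure modes: CRLF line endings (the "\r" seen with
# set -x), blank lines, and lines holding garbage that looks blank in an editor.
normalize_macs() {
    # $1 = path to the allowed-MAC file
    n=0
    tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # trim surrounding whitespace so a padded entry still parses
        mac=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $mac in
            ''|'#'*) continue ;;   # skip blank and comment lines
        esac
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf '%s\n' "$mac" | tr '[:upper:]' '[:lower:]'
        else
            printf 'line %d rejected: %s\n' "$n" "$mac" >&2
        fi
    done
}

# Dry-run stand-in for iptables: prints the command instead of loading it.
dry_run() { printf 'iptables %s\n' "$*"; }

# Emit the allowlist: one ACCEPT per MAC, then a single DROP at the end.
# The snippet quoted in the first post put "! $mac -j DROP" inside the loop,
# which drops every MAC after the first one as soon as that rule is loaded.
emit_rules() {
    # $1 = allowed-MAC file, $2 = LAN interface; set IPTABLES=iptables to load for real
    ipt=${IPTABLES:-dry_run}
    normalize_macs "$1" | while IFS= read -r mac; do
        $ipt -A INPUT   -i "$2" -m mac --mac-source "$mac" -j ACCEPT
        $ipt -A FORWARD -i "$2" -m mac --mac-source "$mac" -j ACCEPT
    done
    $ipt -A INPUT   -i "$2" -j DROP
    $ipt -A FORWARD -i "$2" -j DROP
}
```

Running `normalize_macs /Firewall/macs/allowed.macs >/dev/null` by itself lists every rejected line with its line number, which is the quickest way to find the "blank" line compucated describes.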