MAC Address Filtering

Postby mudasir » Tue Apr 24, 2007 2:50 am

Salam,

Again I am a bit confused about MAC address filtering. I came across a DOC that described a very good method for MAC address filtering:

IPTABLES=/sbin/iptables      # assumed: the DOC defines $IPTABLES elsewhere
while read allowedmacs
do
$IPTABLES -A INPUT -p ALL -m mac --mac-source $allowedmacs -j ACCEPT
done < /firewall/macs/allowed.macs
# a single DROP after the loop: the DOC's per-MAC "--mac-source ! $allowedmacs -j DROP"
# inside the loop would drop every station except the first MAC read
$IPTABLES -A INPUT -p ALL -j DROP


I just want to know whether it will be able to help me out...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Postby mudasir » Tue Apr 24, 2007 2:58 am

And one more thing.
I just want to know what the following lines do:

iptables -t mangle -F maccheck
iptables -t mangle -X maccheck
iptables -t mangle -N maccheck
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
iptables -t mangle -A maccheck -j MARK --set-mark 1
iptables -t mangle -A maccheck -j RETURN
iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81


I found them in a firewall script but don't know the function of these lines.

looking forward for your help
Kind Regards


Postby LinuxFreaK » Tue Apr 24, 2007 9:13 am

Dear mudasir,
Salam,

Read the documentation, then you will have a better understanding.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Postby mudasir » Fri Apr 27, 2007 9:44 am

Salam

I have done some work to make my own MAC address filtering script, but I am getting a BAD MAC ADDRESS error. My MAC address filtering script is below:

#!/bin/bash
###################################
### Flushing All IPTABLES Rules ###
###################################

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

########################################
### Setting Default Policies To DROP ###
########################################

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#####################################
### MAC Address Filtering Process ###
#####################################

cat /Firewall/macs/allowed.macs | while read allowedmac
do
iptables -A INPUT -i eth2 -p ALL -m mac --mac-source $allowedmac -j ACCEPT
iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source $allowedmac -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $allowedmac --dport 5100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $allowedmac --dport 5100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $allowedmac --dport 5000:5010 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $allowedmac --dport 5000:5010 -j ACCEPT
done

##############################
### Enabling IP Forwarding ###
##############################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################################
### Rules To Redirect Web Traffic To Squid ###
##############################################

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080

##############################################
### Dropping All Traffic For Voice And Cam ###
##############################################

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 5100 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p udp --dport 5100 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 5000:5010 -j DROP
iptables -t nat -A PREROUTING -i eth2 -p udp --dport 5000:5010 -j DROP

#########################################
### Accepting Established Connections ###
#########################################

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#############################
### Allow PING Requests ###
#############################

iptables -A FORWARD -s 10.10.10.0/23 -p ICMP -d ! 10.10.10.0/23 -j ACCEPT
iptables -A INPUT -i eth2 -p icmp -j ACCEPT

###############################################################################
### Drop Requests Coming From Internet Claiming To Be From Internal Network ###
###############################################################################

#iptables -A INPUT -i eth1 -s 10.10.10.0/23 -j DROP

iptables -t nat -A PREROUTING -i ! eth2 -s 10.10.10.0/23 -j DROP


Now when I run this script, it gives this error:
'ptables v1.2.11: Bad mac address `00:B0:D0:85:0A:42

Not all the MAC addresses are recognised as bad MAC addresses; only a few of the MAC addresses are recognised as bad MAC addresses.
And these MAC addresses are not loaded in the firewall.

I just want to know why these MAC addresses are bad MAC addresses.

looking forward for help
Kind Regards


Postby LinuxFreaK » Fri Apr 27, 2007 10:38 am

Dear mudasir,
Salam,

It should work. Try adding the code below at the top of your script for debugging.

set -x


Best Regards.

Postby mudasir » Fri Apr 27, 2007 8:49 pm

Salam,

I have tried it... I am getting the following output:

+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source $'00:10:4B:2C:B3:BF\r' -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5100 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5100 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5000:5010 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source $'00:10:4B:2C:B3:BF\r' --dport 5000:5010 -j ACCEPT
'ptables v1.2.11: Bad mac address `00:10:4B:2C:B3:BF
Try `iptables -h' or 'iptables --help' for more information.
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source 00:30:4F:04:BE:C9 -j ACCEPT
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source 00:30:4F:04:BE:C9 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5000:5010 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:30:4F:04:BE:C9 --dport 5000:5010 -j ACCEPT


Still don't know why I am getting errors; according to me the file should work. The MAC addresses are written one MAC per line.

Looking Forward For Help
Kind Regards

Postby lambda » Fri Apr 27, 2007 11:31 pm

tr -d \\015 < /Firewall/macs/allowed.macs > /tmp/am
mv /tmp/am /Firewall/macs/allowed.macs
lambda
Major General
 
Posts: 3451
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Postby compucated » Sat Apr 28, 2007 1:55 am

mudasir wrote: Now when I run this script, it gives this error:
'ptables v1.2.11: Bad mac address `00:B0:D0:85:0A:42

Not all the MAC addresses are recognised as bad MAC addresses; only a few of the MAC addresses are recognised as bad MAC addresses.
And these MAC addresses are not loaded in the firewall.

I just want to know why these MAC addresses are bad MAC addresses.


Check your /firewall/macs/allowed.macs file: why is the character ` being added as a suffix?
Try using a plain text editor, i.e. pico, pine, vi etc.; you might be using a text editor that is adding those characters.
Also be aware of illegal symbols and characters (i.e. o) which are not legal in a MAC address.
regards
compucated
Naik
 
Posts: 75
Joined: Mon Oct 13, 2003 5:06 am
Location: Karachi, Pakistan

Postby compucated » Sat Apr 28, 2007 2:15 am

mudasir wrote: And one more thing.
I just want to know what the following lines do:

iptables -t mangle -F maccheck
iptables -t mangle -X maccheck
iptables -t mangle -N maccheck
iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
iptables -t mangle -A maccheck -j MARK --set-mark 1
iptables -t mangle -A maccheck -j RETURN
iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81


I found them in a firewall script but don't know the function of these lines.

looking forward for your help


iptables -t mangle -F maccheck
Flushes chain maccheck in the mangle table

iptables -t mangle -X maccheck
Deletes chain maccheck from the mangle table

iptables -t mangle -N maccheck
Creates a new chain named maccheck in the mangle table

iptables -t mangle -I PREROUTING -i eth2 -p tcp -j maccheck
Jumps all TCP traffic coming in on eth2 to chain maccheck in the mangle table

iptables -t mangle -A maccheck -j MARK --set-mark 1
Appends a rule to chain maccheck that sets mark 1 on the traffic (traffic which did not match the allowed MACs list)

iptables -t mangle -A maccheck -j RETURN
Returns the packet so it stops travelling through the chain

iptables -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.10.10.1:81
Redirects all TCP packets with mark 1 to host 10.10.10.1 port 81

Postby mudasir » Sat Apr 28, 2007 5:36 am

Salam

Dear Lambda, I tried the commands you stated above. Now I am getting a different error:
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source -j ACCEPT
iptables v1.2.11: Bad mac address `-j'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source -j ACCEPT
iptables v1.2.11: Bad mac address `-j'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source --dport 5100 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source --dport 5100 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source --dport 5000:5010 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source --dport 5000:5010 -j ACCEPT
iptables v1.2.11: Bad mac address `--dport'
Try `iptables -h' or 'iptables --help' for more information.
+ read allowedmac
+ iptables -A INPUT -i eth2 -p ALL -m mac --mac-source 00:10:b5:43:18:f0 -j ACCEPT
+ iptables -A FORWARD -i eth2 -p ALL -m mac --mac-source 00:10:b5:43:18:f0 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5100 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p tcp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5000:5010 -j ACCEPT
+ iptables -t nat -A PREROUTING -i eth2 -p udp -m mac --mac-source 00:10:b5:43:18:f0 --dport 5000:5010 -j ACCEPT
+ read allowedmac


Now it is not even getting those MAC addresses. The script is getting almost all the MAC addresses into the FIREWALL except a few, and those few are making problems for me; now if those MAC addresses are not added in the FIREWALL, the INTERNET won't work for them.

Looking Forward For Help
Kind Regards

Postby lambda » Sat Apr 28, 2007 12:40 pm

step 1: quit editing your files on windows.
step 2: paste the contents of the file.

Postby mudasir » Sat Apr 28, 2007 3:01 pm

Salam,
Dear Lambda,

I did edit this file on Windows about a month back; since then I have not even opened it on Windows.

I have pasted my MAC address filtering script above.

and the MAC Address file /Firewall/macs/allowed.macs is as follows

00:16:76:8D:50:2A
00:90:FE:23:19:D4
00:02:A5:83:36:09
00:16:36:e7:6a:da
00:90:27:75:01:C4
00:02:44:36:3C:AA
00:08:C7:84:D0:73
00:00:24:C9:BC:76
00:B0:D0:14:A3:29
00:B0:D0:B5:D6:E0
00:60:08:37:6E:3C
00:0F:1F:B2:ED:96
00:90:27:84:F3:DA
00:D0:B7:27:FC:05
00:90:FE:22:FB:FF
00:0C:F1:D9:C2:D7
00:10:4B:2C:B3:BF
00:01:03:02:75:F8
00:30:4F:04:BE:C9
00:06:29:EF:21:B7
00:80:5F:77:A8:DC
00:01:03:04:D7:86
00:01:02:5F:0F:73
00:01:02:F7:1C:E5
00:01:02:25:29:11
00:13:20:24:88:E2
00:D0:B7:27:4C:E0
00:04:76:BA:9D:E1
00:30:4F:06:FE:43
00:40:B9:53:51:00
00:11:11:05:48:F3
00:0D:56:1F:FB:0D
00:C0:CA:11:ED:DD
4C:00:10:52:35:0F
00:08:C7:81:A0:4B
00:60:08:95:64:65
00:07:E9:F6:AA:CE
00:15:F2:BA:54:54
00:01:03:13:3A:7E
00:06:29:F7:D4:79
4C:00:10:60:DA:DA
00:C0:26:79:DB:67
00:02:44:4B:58:EE
00:05:1C:1A:A3:CA
00:11:D8:FE:69:D0
00:90:FE:22:F9:36
00:16:76:4A:14:C3
00:07:95:C2:BF:3A
00:11:D8:FA:30:A7
00:02:55:30:C1:CB
00:00:1C:DD:7F:2D
00:C0:4F:73:D4:75
00:C0:4F:41:7A:56
00:02:B3:95:84:CB
00:B0:D0:92:F5:BC
00:02:B3:4A:D8:13
00:0B:2B:0B:B3:D5
00:C0:26:79:D7:5C
00:01:02:40:8B:07
00:C0:26:68:B8:AC
00:E0:81:2F:B9:16
00:B0:D0:DB:A1:21
00:0B:DB:42:98:86
00:50:04:B1:8F:77
00:50:DA:0A:6C:0D
00:15:F2:7E:3C:23
00:50:FC:87:A2:32
00:02:44:05:EE:41
00:C0:26:6A:FB:52
00:50:DA:23:BB:A8
00:50:DA:38:7E:11
00:B0:D0:54:5F:58
00:10:b5:43:18:f0
00:10:4B:D1:AE:39
00:50:DA:5B:ae:89
00:08:C7:DB:2D:08
00:04:AC:45:90:AD


Now Looking Forward For Help
Kind Regards

Postby lambda » Sat Apr 28, 2007 4:46 pm

make sure the first line in the file is not empty.

Postby mudasir » Sat Apr 28, 2007 7:23 pm

Salam,

Dear Lambda,
There is no empty line left between any of the MAC addresses.

I am uploading the whole firewall script, so that you can check the whole script and help me out.

www.geocities.com/cool_mudasir/Firewall.tar.gz

Sequence in which Files Run
1. /Firewall/firewall

The above script runs all the other scripts in a particular order.

Looking Forward For Help.
Kind Regards

Postby compucated » Sun Apr 29, 2007 1:22 am

Besides the fact, and to my amazement, these scripts were written by me several years ago when I was a novice at scripting; I am amazed to see them, since I never distributed that novice work, so how did they reach you?

Anyway, the problem in your case is that there are garbage characters in the fourth line of the mac.addresses file, which looks like just a blank line in general text editors.

Just delete the fourth line and re-run the script; the problem will go away.

regards
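The following is an added example, not a script posted by anyone in this thread. It ties together the three problems the thread runs into: the allow-list loop from the first post (where a "--mac-source ! $mac -j DROP" inside the loop drops every station except the first MAC read), the mangle/mark/DNAT lines compucated explains, and the CR and garbage-line entries in allowed.macs that produced the "Bad mac address" errors. It strips CRs, skips blank or comment lines, refuses anything that is not six hex pairs instead of handing it to iptables, lets known MACs RETURN from maccheck before the MARK rule, DNATs marked TCP from unknown hosts to the 10.10.10.1:81 page, and closes the filter chains with one DROP after the loop. Taken from the thread: interface eth2, chain name maccheck, mark 1 and the portal address. Assumed: the function names, the script name maccheck.sh, and the captive-portal reading of the mark/DNAT rules. IPTABLES defaults to "echo iptables" so the script prints the rule set instead of applying it.

```shell
#!/bin/sh
# Added example for the MAC address filtering thread, not the original script.
# Builds an iptables MAC allow-list from a file that may contain CRLF line
# endings, blank lines or garbage, and a captive-portal style maccheck chain.
# Assumed: function names, script name; eth2 / maccheck / 10.10.10.1:81 come
# from the thread.  Set IPTABLES=/sbin/iptables to apply instead of printing.

IPTABLES=${IPTABLES:-"echo iptables"}
LAN_IF=${LAN_IF:-eth2}
PORTAL=${PORTAL:-10.10.10.1:81}

# valid_mac MAC: succeed only for six colon-separated lower-case hex pairs
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# load_macs FILE: print one normalised (lower-case, CR-free, no whitespace)
# MAC per line; blank lines and '#' comments are skipped, anything else that
# is not a MAC is reported on stderr rather than passed to iptables.
load_macs() {
    tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
        case "$mac" in ''|'#'*) continue ;; esac
        if valid_mac "$mac"; then
            printf '%s\n' "$mac"
        else
            printf 'skipping bad entry in %s: %s\n' "$1" "$line" >&2
        fi
    done
}

# build_rules FILE: emit the complete rule set for the allow-list in FILE.
build_rules() {
    file=$1
    # (re)create the mangle chain that LAN TCP traffic is jumped into
    $IPTABLES -t mangle -F maccheck 2>/dev/null
    $IPTABLES -t mangle -X maccheck 2>/dev/null
    $IPTABLES -t mangle -N maccheck
    $IPTABLES -t mangle -I PREROUTING -i "$LAN_IF" -p tcp -j maccheck

    count=0
    for mac in $(load_macs "$file"); do
        # known hosts: accepted in the filter table ...
        $IPTABLES -A INPUT   -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
        $IPTABLES -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
        # ... and they leave maccheck before the MARK rule below
        $IPTABLES -t mangle -A maccheck -m mac --mac-source "$mac" -j RETURN
        count=$((count + 1))
    done

    # whatever is still in maccheck is unknown: mark it, then DNAT its TCP to
    # the portal page (the nat table only sees the first packet of a
    # connection, which is enough for DNAT but not for filtering)
    $IPTABLES -t mangle -A maccheck -j MARK --set-mark 1
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m mark --mark 1 \
        -j DNAT --to-destination "$PORTAL"

    # one DROP after the loop, not one per MAC
    $IPTABLES -A INPUT   -i "$LAN_IF" -j DROP
    $IPTABLES -A FORWARD -i "$LAN_IF" -j DROP
    echo "loaded $count MAC(s) from $file" >&2
}

# usage: [IPTABLES=/sbin/iptables] sh maccheck.sh /Firewall/macs/allowed.macs
if [ "$#" -gt 0 ]; then
    build_rules "$1"
fi
```

Two caveats a practitioner should keep in mind. The mac match is only valid in the PREROUTING, INPUT and FORWARD chains, and it is trivially defeated by a host that sets its own MAC (ip link set dev eth0 address ...), so an allow-list like this keeps accidental guests off the LAN but is not access control against a deliberate attacker. Also, the thread's script puts DROP rules in nat PREROUTING; since the nat table is consulted only for the first packet of a new connection, filtering belongs in the filter table, as above, and the nat table should carry only the DNAT/REDIRECT rules.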
