Home network to accept only certain MAC addresses from LAN
Solution 1
As I mentioned in the comments, I don't think this buys you any real security, or even any more security than blocking based on IP, but something like this should do it:
/sbin/iptables -A INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
Assuming, of course, that your default policy is DROP.
Solution 2
Here is a start for you:
iptables -P FORWARD DROP
iptables -I FORWARD -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -I FORWARD -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:BB -j ACCEPT
iptables -P INPUT DROP
iptables -I INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -I INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:BB -j ACCEPT
All MAC addresses other than XX:XX:XX:XX:XX:XX and XX:XX:XX:XX:XX:BB will not be able to access your router or the internet.
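The ruleset from Solution 2 as a small script, added here as an illustration and not taken from any of the answers. It emits the rules in iptables-restore format so that the DROP policies and the per-MAC ACCEPT rules are loaded in one atomic step, and it adds the pieces a router also needs that the answer leaves out (loopback, return traffic for established connections, NAT on the WAN side, and a rate-limited log of what got dropped). It assumes the question's layout (WAN on eth0, LAN on eth1) and NAT for the LAN; the MAC addresses in ALLOWED_MACS are made up and must be replaced.

```sh
#!/bin/sh
# Added example (not from the original answers): build the MAC-whitelist
# ruleset from Solution 2 as an iptables-restore file, so the DROP policies
# and the ACCEPT rules are loaded atomically. Assumed layout: WAN on eth0,
# LAN on eth1, with NAT for the LAN. The MAC addresses below are made up.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
# Constructed sample whitelist: replace with the MACs of your own devices.
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rules LAN WAN MAC... : print an iptables-restore ruleset on stdout.
# A malformed MAC is reported on stderr and skipped; otherwise
# iptables-restore would reject the whole file and load nothing.
build_rules() {
    lan="$1"; wan="$2"; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "build_rules: skipping malformed MAC '$mac'" >&2
            continue
        fi
        # INPUT: lets the device talk to the router itself (DHCP, DNS, ssh).
        echo "-A INPUT -i $lan -m mac --mac-source $mac -j ACCEPT"
        # FORWARD: lets the device out to the internet through the WAN side.
        echo "-A FORWARD -i $lan -o $wan -m mac --mac-source $mac -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $lan -m limit --limit 5/min -j LOG --log-prefix "MAC-DENY: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Only touch the kernel when explicitly asked: "sh macfilter.sh apply".
# ALLOWED_MACS is deliberately unquoted so it splits into one argument per MAC.
case "${1:-}" in
    apply) build_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS | /sbin/iptables-restore ;;
    show)  build_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS ;;
esac
```

Run it with show to inspect the generated file and with apply to load it. Because iptables-restore commits the whole table at once, there is never a moment where the DROP policy is in place but the ACCEPT rules are not, which is the failure mode to watch for when a list of separate iptables commands runs at boot. The per-MAC INPUT rule is what lets the whitelisted devices reach the router's own DHCP and DNS; a DHCP DISCOVER from any other MAC is dropped and shows up in the kernel log with the MAC-DENY prefix. Note that iptables only sees IP packets: ARP is not filtered here at all, which is why Solution 3 reaches for arptables.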
Solution 3
(I am user63709; somehow my Google OpenID login and MyOpenID login got split, when it's actually the same in Stack Overflow.)
arptables has its own policy. Do not confuse it with iptables's policy.
Since you want to "restric [sic] eth1 to accept only packets from certain MAC addresses and drop the rest", you will want a default DROP policy.
(BTW, I made a slight mistake in the arptables rules above. They should be:)
arptables -P IN DROP
arptables -A IN -i eth1 --source-mac <allowed_mac_address> -j ACCEPT
arptables -A IN -i eth1 --source-mac <allowed_mac_address> -j ACCEPT
... and so on ...
(Note again that IN is a built-in chain found only in arptables. Read the arptables man page for more information.)
Pablo, updated on September 17, 2022

Comments
- Pablo (almost 2 years): I have Ubuntu 10 as router with WAN (eth0) and LAN (eth1). How can I restrict eth1 to accept only packets from certain MAC addresses and drop the rest? I am also about to set up DHCP for certain MAC addresses; however, anyone can manually set an IP address. I have like 4-6 of my own devices which can use the network.
- Insyte (over 13 years): FWIW, anyone can manually set MAC addresses, too.
- Pablo (over 13 years): But they can hardly guess the ones I'm using :)
- Pablo (over 13 years): Sniff wifi? It's not so hostile an environment :) The wired network is not accessible. I'm connected through a Wifi bridge and need to restrict uninvited guests from wifi.
- Insyte (over 13 years): Yes, sniff wifi. It's easier than sniffing wired in that it doesn't require physical access. The client MAC is sent in the clear even on WPA networks. (You are using WPA2, yes? WEP is... silly.)
- Shinu John (over 10 years): @Insyte Whitelisting wired cards should prevent that, no? Not saying it should be the only layer...
- Pablo (over 13 years): Does it really have to be also in the FORWARD table? In which cases might it work?
- Pablo (over 13 years): How to negate a MAC address if the default policy is ACCEPT?
- Pablo (over 13 years): Well, how to negate it so that if the MAC is NOT specified, then DROP?
- Pablo (over 13 years): For some reason it worked during testing, but didn't work when I put it on startup... no internet connection at all.
- pepoluan (over 13 years): @Michael that's strange... where did you put the arptables commands? The only reason I can think of: the -P IN DROP works, but the -A IN -i eth1 rules failed because the arptables commands got called before eth1 is fully up. Try placing the commands in /etc/rc.local. Don't forget to put in the full path to arptables (/sbin/arptables IIRC).
- Pablo (over 13 years): I put it in the same place (above) the iptables init, in /etc/NetworkManager/dispatcher.d/01ifupdown. Again, it works when I just run the script from the shell. I also tried rc.local. Anyway, I've used iptables for that as mentioned here. Will upvote your answer as well, as it was useful to know! Thx
- pepoluan (over 13 years): @Michael hmmmm... really strange... another thing I can think of is the difference in the shell used by the startup scripts (sh instead of bash). You're not using bash-specific syntax, are you?