iptables restrict ssh session by mac address
I see the problem from your output result:
Chain INPUT (policy ACCEPT)
Your system's iptables default INPUT chain policy is ACCEPT; it only affects the MAC you entered. So please change the default policy to DROP.
#iptables -P INPUT DROP
Now you can test again. Your computer can be accessed through allowed MAC only.
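The answer above switches the INPUT policy to DROP, which on its own will cut off the operator's current session and every other inbound service. As an added example (not part of the original answer), the script below prints a rule set that allows new SSH connections only from listed MAC addresses, ordered so that loopback and established sessions are accepted before the policy flips. The MAC addresses, the function names and the assumption that `conntrack` matching is available are this example's own. Note that `--mac-source` only sees the MAC of the last layer-2 hop: every client behind a router presents the router's MAC, so this filter is meaningful only for hosts on the same segment.

```shell
#!/bin/sh
# Added example, not from the original answer. Prints the iptables commands
# needed to restrict SSH to a set of MAC addresses; it applies nothing.
# Apply as root with:  build_ssh_mac_rules "AA:BB:CC:DD:EE:01" | sh
# MAC addresses used here are constructed placeholders.

# A MAC address must be six colon-separated hex octets.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the rule set for the space-separated MAC list in $1.
# Returns 1 (and prints nothing further) on a malformed MAC.
build_ssh_mac_rules() {
    macs="$1"
    # Loopback and already-established traffic first, so the session used
    # to apply these rules survives the policy change below.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per allowed MAC, limited to new TCP connections to port 22.
    # --mac-source is only valid in PREROUTING, FORWARD and INPUT chains.
    for mac in $macs; do
        valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
        echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m mac --mac-source $mac -j ACCEPT"
    done
    # Explicitly drop any other SSH attempt, then flip the policy last so
    # the accept rules are already in place when the default becomes DROP.
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    echo "iptables -P INPUT DROP"
}

# Count the MAC-specific ACCEPT rules in a generated rule set (audit helper).
count_mac_rules() {
    build_ssh_mac_rules "$1" | grep -c -- '--mac-source'
}
```

The generated rules are not persistent; on a real host they need to be saved with the distribution's mechanism (for example `iptables-save`) after verifying from a second session that the operator can still log in.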
Author: maneeshshetty
Updated on September 18, 2022
Comments
-
maneeshshetty over 1 year
I'm in the process of restricting access to my Linux production box, where ssh access needs to be limited to only a few MAC addresses.
I've followed the instructions outlined in this guide and ran the following two commands:
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

root@xxxx:~/#: iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             MAC XX:XX:XX:XX:XX:XX
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh MAC XX:XX:XX:XX:XX:XX

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
However I am still able to access the machine from other MAC addresses. Am I missing any steps to get this configured?
-
xciter almost 13 years
Why would you do it from a MAC address since they can easily be spoofed?
-
maneeshshetty almost 13 years
So, are there any other best options to do it?
-
mrverrall almost 13 years
How about IP address?
-
maneeshshetty almost 13 years
My IP addresses are leased by the DHCP server for 2 days. So if someone goes on vacation, then it will be a problem for me.
-
maneeshshetty almost 13 years
Can we do it with the hostname in the hosts.allow file? Any direction?
-
Doug Harris almost 13 years
If your primary goal is limiting access, how about requiring SSH keys and disabling password authentication?
-
xciter almost 13 years
I agree with the previous comment. I also suggest increasing the verification delay for the log-in procedure.
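The last two comments recommend the alternative that does not depend on spoofable MAC addresses or leased IPs: key-only logins with password authentication disabled. As an added example (not from any participant in the thread), the script below audits an `sshd_config` for those settings. The sample configuration is constructed, and the function names are this example's own; it reads only the global section and ignores `Match` blocks, so on a real host the authoritative view is `sshd -T`.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether an sshd_config enforces
# key-only authentication, which is what the commenters recommend.
# The sample below is a constructed sshd_config for illustration.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
'

# Print the effective value of keyword $1 in config text $2.
# sshd honours the first occurrence; comments and blank lines are skipped
# and keywords are compared case-insensitively. Match blocks are not parsed.
sshd_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 when the config text in $1 allows key-only logins, 1 otherwise.
# Each failing setting is reported on stderr. An absent PasswordAuthentication
# counts as a failure because sshd defaults it to "yes".
check_key_only() {
    cfg="$1"; ok=0
    [ "$(sshd_option PasswordAuthentication "$cfg")" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'" >&2; ok=1; }
    [ "$(sshd_option PubkeyAuthentication "$cfg")" != "no" ] \
        || { echo "PubkeyAuthentication is 'no'" >&2; ok=1; }
    [ "$(sshd_option ChallengeResponseAuthentication "$cfg")" != "yes" ] \
        || { echo "ChallengeResponseAuthentication is 'yes'" >&2; ok=1; }
    return $ok
}
```

To audit a live file, pass its contents: `check_key_only "$(cat /etc/ssh/sshd_config)"`. The check fails closed on a missing `PasswordAuthentication` line, since the daemon's default permits passwords.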