Using Ipset and Iptables for MAC address filtering
Basically something like this, but you have to associate an IP with a MAC, pure MAC sets do not seem to exist:
# ipset --create test macipmap --network 10.0.0.0/16
# ipset --add test 10.0.0.1,00:11:22:33:44:55
# iptables -A INPUT -i eth5 -m set --match-set test src -j ACCEPT
Here, you see the content of the map and the reference-counter indicating an iptables rule referencing this set:
# ipset -L test
Name: test
Type: macipmap
References: 1
Header: from: 10.0.0.0 to: 10.0.255.255
Members:
10.0.0.1,00:11:22:33:44:55
There are some things to consider:
- That type of set is technically restricted to 64k consecutive addresses (not sure whether they have to be "subnet-aligned"), found it here
- Your kernel has to support ipset; most common standard distribution kernels unfortunately do not
- You could set static ARP alternatively
- MAC addresses can be spoofed easily
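As an added illustration (my own script, not from the answer above), the following turns a plain "ip,mac # owner" whitelist into an `ipset restore` script plus the two iptables rules that replace one `-m mac` rule per host. Set name, range and interface are taken from this page; the whitelist format, helper names and the modern ipset 6.x spelling (`bitmap:ip,mac` for the answer's `macipmap`, match flags `src,src` for source IP plus source MAC) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the ipset
# restore script and iptables rules for a MAC/IP whitelist. Assumed:
# set "test", range 10.0.0.0/16, interface eth5 (from the page); the
# "ip,mac # owner" input format and helper names are my own.

# Constructed sample whitelist (placeholder addresses, not real hosts).
WHITELIST='10.0.0.1,00:11:22:33:44:55 # alice
10.0.0.2,00:07:e9:84:2b:99 # bob
# a comment line, ignored
10.0.1.7,aa:bb:cc:dd:ee:ff # printer
not-an-address,zz # malformed, will be skipped'

# gen_ipset_restore NAME RANGE WHITELIST -> "create"/"add" lines that
# `ipset restore` accepts. -exist keeps the script safe to re-run.
# ipset 6.x names the page's macipmap type "bitmap:ip,mac".
gen_ipset_restore() {
    printf 'create %s bitmap:ip,mac range %s -exist\n' "$1" "$2"
    printf '%s\n' "$3" | sed 's/#.*//; /^[[:space:]]*$/d' |
    while read -r entry; do
        case "$entry" in
            # crude shape check: dotted quad, comma, six hex pairs
            [0-9]*.*.*.*,[0-9a-fA-F][0-9a-fA-F]:??:??:??:??:??)
                printf 'add %s %s -exist\n' "$1" "$entry" ;;
            *)
                printf 'skipping malformed entry: %s\n' "$entry" >&2 ;;
        esac
    done
}

# gen_iptables_rules NAME IFACE -> the two rules that replace the asker's
# 400+ "-m mac" rules: whitelisted ip,mac pairs RETURN, the rest is dropped.
# "src,src" = match source IP and source MAC against the two-dimension set.
gen_iptables_rules() {
    printf 'iptables -A INPUT -i %s -m set --match-set %s src,src -j RETURN\n' "$2" "$1"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$2"
}

# count_adds NAME RANGE WHITELIST -> number of valid "add" lines produced
count_adds() { gen_ipset_restore "$1" "$2" "$3" 2>/dev/null | grep -c '^add '; }

# Loading for real needs root and an ipset-enabled kernel:
#   gen_ipset_restore test 10.0.0.0/16 "$WHITELIST" | ipset restore
#   gen_iptables_rules test eth5 | sh
gen_ipset_restore test 10.0.0.0/16 "$WHITELIST"
gen_iptables_rules test eth5
```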
Author by
clemens utschig
Updated on September 18, 2022
Comments
-
clemens utschig over 1 year
I use MAC address filtering on my Linux router. Here is what I have done:
iptables -A INPUT -i eth5 -m mac --mac-source 00:07:e9:84:2b:99 -j RETURN #User: Someuser
iptables -A INPUT -i eth5 -j DROP
But the Iptables rule list is huge, with more than 400 entries. Recently I read about the advantages of using Ipset with Iptables here. But nowhere have I found any howtos about doing the same thing with MAC filtering. So how can I use Ipset for MAC filtering in order to reduce the size of the Iptables rule table?
-
Michuelnik almost 12 years
Found out today that ipset has been added to the vanilla kernel since 2.6.39!