IPTables rule to filter on ethernet address

ethernetiptables

I've a script to automatically block internet access after 11pm (23:00) and restore it at 6am (06:00). The script adds and remove some drop rules in iptables.

Unfortunately the filtering rule refers to the IP address. Since the user may easily change its ip address by hand he may thus bypass the filter.

The question is if its possible to define an IP table DROP rule that filters on ethernet address ?

PS: I expect an example as answer, not a simple yes or no ! 😉

Best Answer

In short:

iptables -A INPUT -m mac --mac-source 00:0C:F1:6C:CC:7D -j DENY
iptables -A INPUT -m mac --mac-source 00:E0:29:17:7E:78 -j DENY
iptables -A INPUT -m mac --mac-source 00:A0:CC:D4:FE:A7 -j DENY

Perhaps PREROUTING or FORWARD as appropriate for the chain, and ACCEPT not deny if you want a whitelist.

The man page fo iptables is your friend.

Related Solutions

Iptables Routing – Target to Route Packet to Specific Interface

I've recently hit a similar issue, albeit a slightly different. I wanted to route only TCP port 25 (SMTP) over an OpenVPN tap0 interface, while routing all other traffic (even for the same host) over the default interface.

To do so, I had to mark packets and set up rules for handling it. First, add a rule that make the kernel route packets marked with 2 through table 3 (explained later):

ip rule add fwmark 2 table 3

You could have added a symbolic name to /etc/iproute2/rt_tables, but I did not bother to do so. The number 2 and 3 are randomly chosen. In fact, these can be the same but for clarity I did not do it in this example (although I do it in my own setup).

Add a route for redirecting traffic over a different interface, assuming the gateway being 10.0.0.1:

ip route add default via 10.0.0.1 table 3

Very important! Flush your routing cache, otherwise you will not get a response back and sit with your hands in your hair for some hours:

ip route flush cache

Now, set a firewall rule for marking designated packets:

iptables -t mangle -A OUTPUT -p tcp --dport 465 -j MARK --set-mark 2

The above rule applies only if the packets come from the local machine. See http://inai.de/images/nf-packet-flow.png. Adjust it to your requirements. For instance, if you only want to route outgoing HTTP traffic over the tap0 interface, change 465 to 80.

To prevent the packets sent over tap0 getting your LAN address as source IP, use the following rule to change it to your interface address (assuming 10.0.0.2 as IP address for interface tap0):

iptables -t nat -A POSTROUTING -o tap0 -j SNAT --to-source 10.0.0.2

Finally, relax the reverse path source validation. Some suggest you to set it to 0, but 2 seems a better choice according to https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt. If you skip this, you will receive packets (this can be confirmed using tcpdump -i tap0 -n), but packets do not get accepted. The command to change the setting so packets get accepted:

sysctl -w net.ipv4.conf.tap0.rp_filter=2

Linux – Filtering input with iptables: -i versus -d

I would suggest refactoring your rules to use interface identifiers instead of individual IPs. It's much easier to manage that way.

Assigning multiple IPs to a given network interface is becoming more common, and could be quite common indeed with increasing implementation of IPv6 in environments with multiple ISP uplinks.

While yours appears that it may be operating as a router, under proper IPv6 implementations there is no NAT. This would require IP assignments on all connected interfaces for each of your uplink networks.

No time like the present to get ready for it.

Best Answer

Related Solutions

Iptables Routing – Target to Route Packet to Specific Interface

Linux – Filtering input with iptables: -i versus -d

Related Topic