Security – IPTABLES allow forward only from specific outside MAC to specific inside IP


Is it possible to create an iptables rule that allows access from the outside net (behind WAN eth0) from a specific MAC address to only a specific IP address behind the inside adapter (safe LAN eth1)?

Model:

10.0.1.2 <- 10.0.1.1 <- FW <- 192.168.1.15 <- 08:00:00:00:01:00

SAFE LAN IP <- ROUTER LAN <- FORWARD RULE <- ROUTER WAN <- ALLOWED MAC

The router should do only the filtering.
Safe LAN IPs should be accessible only from hand-coded outside MACs.
Perhaps on a specific port.
There is no need to communicate from the safe LAN to the outside.

The purpose of this is to create a safe extra LAN with only NAS devices, and to protect them from unattended access from the normal LAN through a MAC-address filter.

Best Answer

It looks like the only possible option is to use these two rules in the FORWARD chain of the filter table:

iptables -A FORWARD -m mac --mac-source 08:00:00:00:01:00 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  • because of the lack of a --mac-destination option in iptables

The iptables configuration is a strict DROP policy to disable any other traffic:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

  • it can (and should) be reconditioned with input and output interfaces, IP addresses, port numbers and similar features to harden access through the FORWARD chain and also the router itself
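The following script is an added example (not part of the answer above) that carries the two rules through with the restrictions the answer says should be added: incoming interface, outgoing interface, destination IP, one TCP port, and a logging rule so that refused attempts show up in the kernel log. The interface names, MAC and NAS address come from the question; the port (445, SMB) and the log prefix are assumptions, as is the use of the conntrack match (the modern name for -m state). Note that -m mac matches only the source MAC of the frame as it arrives on eth0, i.e. the last layer-2 hop, so the allowed host must sit on the same segment as the WAN interface, and a MAC can be set freely by the sender; the rule narrows exposure but does not authenticate anyone.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Defaults follow the question's model; all of them can be overridden
# from the environment (e.g. NAS_PORT=2049 ./script.sh).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
ALLOWED_MAC="${ALLOWED_MAC:-08:00:00:00:01:00}"
NAS_IP="${NAS_IP:-10.0.1.2}"
NAS_PORT="${NAS_PORT:-445}"            # assumed: SMB; set to the NAS service port
LOG_PREFIX="${LOG_PREFIX:-FWD-DENY: }" # assumed prefix for refused forwards

# valid_mac: succeed only for a colon-separated 6-octet hex MAC,
# so a typo cannot silently produce a rule that matches nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_rules: print the iptables commands, one per line, without running them.
build_rules() {
    valid_mac "$ALLOWED_MAC" || { echo "bad MAC: $ALLOWED_MAC" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate NEW -m mac --mac-source $ALLOWED_MAC -d $NAS_IP -p tcp --dport $NAS_PORT -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX"
EOF
}

# apply_rules: execute the generated commands (needs root); stop on first failure.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Print the plan by default; APPLY=1 loads it into the kernel.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Only the first reply packet of a NEW connection from the NAS back toward the outside is covered by the second ESTABLISHED,RELATED rule; the safe LAN itself can never open a connection outward, which matches the question's requirement. The LOG rule is rate-limited so a scan cannot flood the log, and the policy DROP takes care of everything the rules above do not accept.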