Security of data always have in top of priorities for systems administrator’s. Systems admin’s always tries to keep all the ports close for public used which is not required. But some times we are in require to allow some of our external users or clients to server via remote login. In that case we need to open firewall ports. Generally we use IP addresses to allow/deny a client via iptables, but it’s not necessary that each client has static ip on their side. In that case its hard to open port time to time for their ips. In this situation we can use MAC based filtering in iptables as we know that MAC addresses are fixed and can’t be changed. MAC addresses are also knows as physical/hardware address of network interface card.
Iptables has a module, which provides mac based filtering of packets on specific ports. This article will help you to how to configure iptables to filter traffic based on MAC addresses.
1. Allow Full Access to specific MAC
Below command will allow all ports access to system having physical address 3E:D7:88:A6:66:8E.
# iptables -I INPUT -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
2. Allow/Deny SSH Access to Specific MAC
Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.
To allow:
# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
To Deny:
# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j REJECT
3. Restrict SSH to Everyone Except Specific MAC
Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.
# iptables -I INPUT -p tcp --port 22 -m mac ! --mac-source 3E:D7:88:A6:66:8E -j REJECT
References:
About MAC Address: http://en.wikipedia.org/wiki/MAC_address
For Iptables: http://en.wikipedia.org/wiki/Iptables
2 Comments
Would you break down each one of those lines? I have a stank ass Chines DVR that tries to tell external IP its whereabouts whenever it’s on (ARP who has DVR’s address please tell particular IP in Michigan or some shite). I’d like to just say, don’t forward anything from stank DVR mac, ever.
PS I’ve got some IP cams I want to set up in motion, too. I reckon they might try this funny business also. Pretty much any IoT thing I ever own, I want to just simply quash from ever getting on the internet at the MAC level. Just to have a simple policy and not worry any more. (All their business will be handled at my home server and it can handle any archival backup to the cloud (my VM) in its own custom way, thank you very much, conventional IoT setup.)