Configure MAC based Filtering using Iptables in Linux

Written by
Rahul K.
Security 2 Comments

Security of data always have in top of priorities for systems administrator’s. Systems admin’s always tries to keep all the ports close for public used which is not required. But some times we are in require to allow some of our external users or clients to server via remote login. In that case we need to open firewall ports. Generally we use IP addresses to allow/deny a client via iptables, but it’s not necessary that each client has static ip on their side. In that case its hard to open port time to time for their ips. In this situation we can use MAC based filtering in iptables as we know that MAC addresses are fixed and can’t be changed. MAC addresses are also knows as physical/hardware address of network interface card.

Iptables has a module, which provides mac based filtering of packets on specific ports. This article will help you to how to configure iptables to filter traffic based on MAC addresses.

1. Allow Full Access to specific MAC

Below command will allow all ports access to system having physical address 3E:D7:88:A6:66:8E.

# iptables -I INPUT -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT
2. Allow/Deny SSH Access to Specific MAC

Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.
To allow:

# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT

To Deny:

# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j REJECT
3. Restrict SSH to Everyone Except Specific MAC

Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.

# iptables -I INPUT -p tcp --port 22 -m mac ! --mac-source 3E:D7:88:A6:66:8E -j REJECT

References:
About MAC Address: http://en.wikipedia.org/wiki/MAC_address
For Iptables: http://en.wikipedia.org/wiki/Iptables

Rahul K.
Rahul K.
Connect on Facebook Connect on Twitter Connect on Google+

I, Rahul Kumar is the founder and chief editor of TecAdmin.net. I am Red Hat Certified Engineer (RHCE) and working as IT professional since 2009.

Related Posts

2 Comments

  1. Anderlan Reply to Anderlan
    July 11, 2016 at 6:58 am

    Would you break down each one of those lines? I have a stank ass Chines DVR that tries to tell external IP its whereabouts whenever it’s on (ARP who has DVR’s address please tell particular IP in Michigan or some shite). I’d like to just say, don’t forward anything from stank DVR mac, ever.

    • Anderlan Reply to Anderlan
      July 11, 2016 at 7:05 am

      PS I’ve got some IP cams I want to set up in motion, too. I reckon they might try this funny business also. Pretty much any IoT thing I ever own, I want to just simply quash from ever getting on the internet at the MAC level. Just to have a simple policy and not worry any more. (All their business will be handled at my home server and it can handle any archival backup to the cloud (my VM) in its own custom way, thank you very much, conventional IoT setup.)

Leave a Reply

All rights reserved. © 2017 TecAdmin.net. This site uses cookies. By using this website you agree our term and services
Close
Please support the site
By clicking any of these buttons you help our site to get better
|
|
Hosted @DigitalOcean