ck_kent Posted July 7, 2011

@shought: I appreciate your offer to help.

Well, just like the topic says, my goal is to block unmatched IP and MAC addresses from accessing the internet, or what is called "anti-spoofing". I'm currently using a Linux router (BrazilFW) with Squid and have DHCP reservations so that each MAC address will always get its corresponding IP address. I have applied several policies for some groups of these IPs like QoS, whitelist (Squid), etc. Now, my problem is, one of my users is constantly changing his IP address (static) so that he can bypass these policies.

From searching the internet, I found out that I can use iptables to block unmatched IP/MAC addresses so that even if the user changes his IP to something other than what is intended for that network card, it will be blocked.

I tried each of these rules below but they did not work:

    iptables -A FORWARD -s 192.168.1.123 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP
    iptables -A INPUT -s 192.168.1.123 -i eth0 -m mac ! --mac-source 00:1A:92:CB:E1:80 -j DROP

I've used iptables in my router to block certain https sites and it's working, but somehow I can't get the above rules to work.

I'll appreciate all your help. :)
ck_kent Posted July 28, 2011 (Author)

Ok, so after several weeks of researching and testing, I think I finally solved my own problem. :rolleyes: The rule below could also be used in routers installed with DD-WRT since it's Linux based and supports iptables.

    iptables -I FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -s ! 192.168.1.100 -j DROP

The above rule basically allows a computer with a MAC address of XX:XX:XX:XX:XX:XX and an IP address of 192.168.1.100 to access the internet. It will totally block the computer's access to the internet if the user tries to change his IP address to a static one (other than 192.168.1.100) to bypass imposed policies (QoS or bandwidth limit, blacklists, etc.). Therefore, the user has no choice but to let his network card be assigned its designated IP address from the DHCP server. :P This is working fine for me so far, so I hope it could also help someone here if he faces the same problem.

Cheers!
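To apply the same MAC/IP binding to a whole DHCP reservation table instead of one host, here is an added helper (my own example, not ck_kent's script): it reads "MAC IP" pairs and emits one FORWARD rule per host, using the current `! -s` negation syntax that newer iptables releases expect. The LAN interface name (eth0) and the reservation list are constructed assumptions. Keep in mind that the mac match only sees the source MAC of the last hop, so this works for hosts directly on the router's LAN segment, not for hosts behind another router.

```shell
#!/bin/sh
# Generate iptables FORWARD rules that drop traffic from a known MAC when it
# is not using its DHCP-reserved IP (MAC/IP binding, "anti-spoofing").
# Added example, not the original poster's script; the reservation table and
# the interface name are constructed assumptions.
#
# Input (stdin): lines of "MAC IP", e.g. exported from the DHCP reservations.
# Output: one iptables command per line, ready to pipe into sh on the router.
gen_antispoof_rules() {
    lan_if="$1"
    while read -r mac ip _; do
        # Skip blank lines and comment lines in the reservation table.
        case "$mac" in
            ''|'#'*) continue ;;
        esac
        # -I puts the DROP ahead of any existing ACCEPT rules in FORWARD.
        # Match: packet arrived on the LAN interface, from the reserved MAC,
        # but with a source IP other than the reserved one -> drop it.
        printf 'iptables -I FORWARD -i %s -m mac --mac-source %s ! -s %s -j DROP\n' \
            "$lan_if" "$mac" "$ip"
    done
}

# Constructed sample reservation table (not real hosts).
SAMPLE_RESERVATIONS='# MAC               IP
00:11:22:33:44:55 192.168.1.100
00:1a:92:cb:e1:80 192.168.1.123
'

# Print the generated rules; on the router, pipe this output into sh to apply
# them, then verify with: iptables -S FORWARD
printf '%s' "$SAMPLE_RESERVATIONS" | gen_antispoof_rules eth0
```

After applying, a host that keeps its reserved address is unaffected, while the same MAC with any other source IP is dropped before it reaches the Squid and QoS policies.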