June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
2.11. Controlling Access by MAC Address
Problem
You want only a particular machine, identified by its MAC address, to access your system.
Solution
# iptables -F INPUT # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT # iptables -A INPUT -j REJECT
ipchains does not support this feature.
Discussion
This technique works only within your local subnet. If you receive a packets from a machine outside your subnet, it will contain your gateway’s MAC address, not that of the original source machine.
MAC addresses can be spoofed. Suppose you have a machine called mackie whose MAC address is trusted by your firewall. If an intruder discovers this fact, and mackie is down, the intruder could spoof mackie’s MAC address and your firewall would be none the wiser. On the other hand, if mackie is up during the spoofing, its kernel will start screaming (via syslog) about duplicate MAC addresses.
Note that our recipe permits local connections from your own host; these arrive via the loopback interface.
See Also
iptables(8), ipchains(8).