* Block/Accept by MAC Address
@ 2002-10-01 1:33 Jim Gifford
2002-10-01 2:24 ` Joel Newkirk
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Jim Gifford @ 2002-10-01 1:33 UTC (permalink / raw)
To: netfilter
Is it possible to block or accept information from specific MAC addresses?
Here is what I would like to do: create an exempt and complete block
policy by MAC address. I have a guy who keeps hacking my machine and his IP
address is always changing and so does his hostname. The only thing that was
common was his MAC address.
Thank you in advance for your help.
* Re: Block/Accept by MAC Address
From: Joel Newkirk @ 2002-10-01 2:24 UTC (permalink / raw)
To: netfilter
On Monday 30 September 2002 09:33 pm, Jim Gifford wrote:
> Is it possible to block or accept information from specific MAC addresses?
>
> Here is what I would like to do: create an exempt and complete block
> policy by MAC address. I have a guy who keeps hacking my machine and his IP
> address is always changing and so does his hostname. The only thing that
> was common was his MAC address.
>
> Thank you in advance for your help.
For the preparation- and research-impaired, read the oft-referenced tutorial at:
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
especially section 5.4.3.1 about the "iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01" usage... (for
the keyboard impaired, try http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#AEN1864 )
Or any of at least a dozen other places I could think of offhand. For the search-impaired:
http://www.google.com/linux?hl=en&lr=&ie=ISO-8859-1&q=iptables+mac&num=100
j
* Re: Block/Accept by MAC Address
From: Hanz F. @ 2002-10-01 6:15 UTC (permalink / raw)
To: Jim Gifford; +Cc: Netfilter
Your situation is similar to mine, and this is what I did:
******************************************
# eth0 has the IP 192.168.3.133 and is connected
# to the internet.
iptables -t nat -P POSTROUTING DROP
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.3.133
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# list here all your clients who are allowed to have
# access (one pair of rules per client: its IP and its MAC)
iptables -A INPUT -p all -s <client-ip> -m mac --mac-source <client-mac> -j ACCEPT
iptables -A FORWARD -p all -s <client-ip> -m mac --mac-source <client-mac> -j ACCEPT
# then block anyone else
iptables -A INPUT -p all -s 0/0 -j DROP
iptables -A FORWARD -p all -s 0/0 -j DROP
************************************************
You can also allow all people and block the guy you want,
but in this case he may change his network card and
will be able to have access again.
The problem here (and with every iptables rule) is that
your clients will not be able to use some internet
applications like ICQ, IRC, Yahoo Messenger, ...... and
that's what I am looking for.
Some guys here have informed me that it's possible to
use IRC and FTP by using related modules, but it seems
there are no modules for other applications.
* Re: Block/Accept by MAC Address
From: Anders Fugmann @ 2002-10-01 6:34 UTC (permalink / raw)
To: Jim Gifford; +Cc: netfilter
Jim Gifford wrote:
> Is it possible to block or accept information from specific MAC addresses?
>
> Here is what I would like to do: create an exempt and complete block
> policy by MAC address. I have a guy who keeps hacking my machine and his IP
> address is always changing and so does his hostname. The only thing that was
> common was his MAC address.
>
> Thank you in advance for your help.
If this person is hacking you from the internet, you cannot use the MAC
address for filtering. The MAC address on a packet is changed each time
the packet traverses a router, and thus you will always
see the same MAC address on packets coming through your ISP.
If he is hacking you from within your LAN, I suggest cutting his wire.
(Alternatively use: iptables -t mangle -A PREROUTING -m mac --mac-source
XX:XX:XX:XX:XX:XX -j DROP)
Regards
Anders Fugmann
--
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.
* Re: Block/Accept by MAC Address
From: Antony Stone @ 2002-10-01 8:07 UTC (permalink / raw)
To: netfilter
On Tuesday 01 October 2002 2:33 am, Jim Gifford wrote:
> Is it possible to block or accept information from specific MAC addresses?
>
> Here is what I would like to do: create an exempt and complete block
> policy by MAC address. I have a guy who keeps hacking my machine and his IP
> address is always changing and so does his hostname. The only thing that
> was common was his MAC address.
Where is this guy coming from when he attacks your machine?
If he is on your local network, I suggest you go beat him up for attacking
your system.
If he is not on your local network, you cannot track him by MAC address - all
you will see is the MAC address of the router on your network which he's
coming in through.
Antony.
--
I vote "no" to this proposal to form a committee to investigate whether we
should or should not hold a ballot on whether to vote yet.
* Re: Block/Accept by MAC Address
From: Antony Stone @ 2002-10-01 8:31 UTC (permalink / raw)
To: netfilter
On Tuesday 01 October 2002 2:33 am, Jim Gifford wrote:
> I have a guy who keeps hacking my machine and his IP
> address is always changing and so does his hostname.
How is he hacking your machine? What is accessible on your system for him
to have a go at?
A firewall is not the answer to every problem.
Antony.
--
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.
* Re: Block/Accept by MAC Address
From: Jim Gifford @ 2002-10-01 22:48 UTC (permalink / raw)
To: Antony Stone, netfilter
This guy is moving around from IPs and different addresses. The main thing
I noticed is that I have numerous connections with keep-alives on my Apache
and ProFTPD server. Here is an example of what I have been noticing.
67.234.6.201,1032 64.30.195.78,21 tcp ESTABLISHED 119:59:59
67.234.6.201,1121 64.30.195.78,21 tcp ESTABLISHED 119:55:55
67.234.6.201,1692 64.4.13.144,1863 tcp ESTABLISHED 119:50:52
67.234.6.201,1695 64.4.13.144,1863 tcp ESTABLISHED 119:49:12
I usually have about 10 or 15 of these from his IP range. I just figured
blocking his MAC would be an option, since they are unique.
* Re: Block/Accept by MAC Address
From: Antony Stone @ 2002-10-01 23:14 UTC (permalink / raw)
To: netfilter
On Tuesday 01 October 2002 11:48 pm, Jim Gifford wrote:
> This guy is moving around from IPs and different addresses. The main thing
> I noticed is that I have numerous connections with keep-alives on my Apache
> and ProFTPD server. Here is an example of what I have been noticing.
> 67.234.6.201,1032 64.30.195.78,21 tcp ESTABLISHED 119:59:59
> 67.234.6.201,1121 64.30.195.78,21 tcp ESTABLISHED 119:55:55
> 67.234.6.201,1692 64.4.13.144,1863 tcp ESTABLISHED 119:50:52
> 67.234.6.201,1695 64.4.13.144,1863 tcp ESTABLISHED 119:49:12
>
> I usually have about 10 or 15 of these from his IP range. I just figured
> blocking his MAC would be an option, since they are unique.
Okay - I think you have a different definition of "hacking" than I have - you
seem to mean he's just setting up connections to public services and possibly
filling your connection table, but not otherwise breaking any protocols,
exploiting any vulnerabilities, or actually getting unauthorised access to
anything on the machine.
Considering the IP addresses you've shown above, where he's on a 67...
network and you're on a 64... network, this is definitely not a local attack,
and therefore you cannot block by MAC address.
Just to make sure I'm correct on this, please can you check the MAC address
of a few legitimate connections which are coming in to the same machine - I'm
pretty sure you'll find they are the same as well, because I believe that the
MAC address you are seeing is your local router to the Internet.
As a couple of us mentioned in recent postings in this thread, you cannot use
MAC address to identify someone who is not on your local network, and if this
guy *is* on your local network, we suggest you walk round to him and either
ask him nicely to stop what he's doing, unplug his network connection, or do
whatever else is necessary to get him to cease being a pain.
Antony.
--
Which part of 'apt-get dist-upgrade' do you not understand ???
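The check Antony describes above (and the reason Hanz F.'s MAC allowlist only works for hosts on the same segment), as an added illustration that is not part of this thread: given the firewall's subnet and ARP cache, work out which MAC each connection in the posted state table would carry, and only emit a MAC-based rule when the source is on-link. The subnet 64.30.195.0/24, the gateway 64.30.195.1, the LAN peer 64.30.195.80 and all MAC values are constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumed topology (constructed for this example): the firewalled host
# 64.30.195.78 sits on 64.30.195.0/24 behind a gateway at 64.30.195.1.
# MAC values are made up (RFC 7042 documentation range).
LAN = ipaddress.ip_network("64.30.195.0/24")
GATEWAY_IP = "64.30.195.1"
ARP_CACHE: Dict[str, str] = {            # what `arp -n` would show
    "64.30.195.1": "00:00:5e:00:53:01",  # the router
    "64.30.195.80": "00:00:5e:00:53:80", # a LAN neighbour (constructed)
}

# Two lines as posted in the thread plus one constructed LAN connection,
# in the same "client,port server,port proto state age" layout.
STATE_LINES = [
    "67.234.6.201,1032 64.30.195.78,21 tcp ESTABLISHED 119:59:59",
    "67.234.6.201,1121 64.30.195.78,21 tcp ESTABLISHED 119:55:55",
    "64.30.195.80,40001 64.30.195.78,80 tcp ESTABLISHED 00:01:00",
]

def source_ip(line: str) -> str:
    """Client IP from a 'ip,port ip,port proto state age' line."""
    return line.split()[0].rsplit(",", 1)[0]

def frame_source_mac(src_ip: str) -> str:
    """MAC the firewall sees on a frame from src_ip: an on-link host's own
    MAC, or the gateway's MAC for anything routed in from outside."""
    if ipaddress.ip_address(src_ip) in LAN:
        return ARP_CACHE.get(src_ip, "unknown (not in ARP cache)")
    return ARP_CACHE[GATEWAY_IP]

def mac_drop_rule(src_ip: str) -> Optional[str]:
    """iptables rule dropping the host by MAC, or None when the host is
    off-link (the rule would match the gateway and drop all remote traffic)."""
    if ipaddress.ip_address(src_ip) not in LAN or src_ip not in ARP_CACHE:
        return None
    return f"iptables -A INPUT -m mac --mac-source {ARP_CACHE[src_ip]} -j DROP"

def macs_by_source(lines: List[str]) -> Dict[str, str]:
    """Map each distinct client IP in the state table to the MAC seen."""
    return {source_ip(l): frame_source_mac(source_ip(l)) for l in lines}

if __name__ == "__main__":
    for ip, mac in macs_by_source(STATE_LINES).items():
        print(f"{ip:16} seen as {mac}  rule: {mac_drop_rule(ip)}")
```

Every off-link client resolves to the router's MAC, so a `--mac-source` rule for it would block all inbound traffic from the Internet rather than one attacker.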