* RE: Allowing access only some sites - onely some mac address
From: Derick Anderson @ 2005-08-30 13:39 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Grant Taylor
> Sent: Monday, August 29, 2005 10:28 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Allowing access only some sites - onely some mac address
>
> Sebastião Antônio Campos (GWA) wrote:
> > I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > address could access only the following IP: 200.221.2.128,
> > 200.221.2.129, 200.221.2.130, 200.221.2.131, 200.205.144.75,
> > 200.205.144.76. But the other mac address could access everything.
>
> I would be tempted to do something like the following:
>
> # Create a new chain to put the allowed sites in for filtered MACs.
> iptables -t filter -N MACFilteredSites
>
> # Watch for a specific MAC address and jump to said chain on matches.
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:0c:6E:11:E8:B0 -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:D8:02:D8:C8:DF -j MACFilteredSites
> iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:E7:05:C9:07:EA -j MACFilteredSites
>
> # Only allow the filtered MACs to go to these sites (IP addresses).
> # Note: We do not need to test for -i and -o interfaces b/c we tested
> # for this before we got to this chain.
> iptables -t filter -A MACFilteredSites -d 200.221.2.128 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.129 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.130 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.221.2.131 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.75 -j RETURN
> iptables -t filter -A MACFilteredSites -d 200.205.144.76 -j RETURN
> iptables -t filter -A MACFilteredSites -j LOG
> iptables -t filter -A MACFilteredSites -j DROP
>
>
>
> Grant. . . .
>
You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time.
If the particular users you are trying to filter for aren't very technical then I wouldn't worry but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =)
Derick Anderson
* Re: Allowing access only some sites - onely some mac address
From: Taylor, Grant @ 2005-08-30 17:22 UTC (permalink / raw)
To: netfilter
> You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time.
>
> If the particular users you are trying to filter for aren't very technical then I wouldn't worry but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =)
You are absolutely correct. So my immediate response to this is to do the exact opposite: have the MACs of the computers that are allowed to access anything other than the sites in question. As far as needing arpwatch to look for changes in IP, you could watch for the MAC and IP pair of allowed systems. Sure, people could still get around this but they will be breaking other things too.
Grant. . . .
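The whitelist variant Grant describes (trusted MAC+IP pairs get full access, every other LAN host is held to the listed sites), written out as an added example; it is not code from the thread. The interface names, chain names and the 192.168.1.x addresses paired with the MACs are assumptions, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: Grant's "opposite" approach as a rule
# generator. Trusted LAN hosts (MAC *and* IP must match) may reach anything;
# every other LAN host may only reach the sites from the original question.
# This only works for hosts on the firewall's own LAN broadcast domain, since
# any router in between rewrites the source MAC (Jiann-Ming's point).
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply
LAN="${LAN:-eth1}"            # assumed interface names
INET="${INET:-eth0}"

# Constructed sample MAC,IP pairs for the trusted hosts (assumed addresses).
TRUSTED="00:0c:6E:11:E8:B0,192.168.1.10 00:D8:02:D8:C8:DF,192.168.1.11"
# Destinations every LAN host may reach (the IPs from the original question).
ALLOWED_DST="200.221.2.128 200.221.2.129 200.221.2.130 200.221.2.131 200.205.144.75 200.205.144.76"

gen_rules() {
    $IPT -t filter -N TrustedHosts
    $IPT -t filter -N RestrictedSites
    # All LAN-to-Internet forwarding is classified in TrustedHosts first.
    $IPT -t filter -A FORWARD -i "$LAN" -o "$INET" -j TrustedHosts
    for pair in $TRUSTED; do
        mac=${pair%,*}
        ip=${pair#*,}
        # Whitelist entry: a cloned MAC arriving with a different source IP
        # (or the right IP from another MAC) does not match this rule.
        $IPT -t filter -A TrustedHosts -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
        # Half a pair is exactly the change arpwatch would report: log it,
        # then fall through to the restricted set instead of dropping outright.
        $IPT -t filter -A TrustedHosts -m mac --mac-source "$mac" -j LOG --log-prefix "MACIP-mismatch:"
        $IPT -t filter -A TrustedHosts -s "$ip" -j LOG --log-prefix "MACIP-mismatch:"
    done
    $IPT -t filter -A TrustedHosts -j RestrictedSites
    # Untrusted hosts: only the listed destinations; everything else is logged and dropped.
    for dst in $ALLOWED_DST; do
        $IPT -t filter -A RestrictedSites -d "$dst" -j ACCEPT
    done
    $IPT -t filter -A RestrictedSites -j LOG --log-prefix "Restricted-blocked:"
    $IPT -t filter -A RestrictedSites -j DROP
}

gen_rules
```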
* RE: Allowing access only some sites - onely some mac address
From: Derick Anderson @ 2005-08-30 20:10 UTC (permalink / raw)
To: Taylor, Grant, netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Taylor, Grant
> Sent: Tuesday, August 30, 2005 1:23 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Allowing access only some sites - onely some mac address
>
> > You may also want to consider getting arpwatch. arpwatch
> > will tell you when a particular user changes their MAC
> > address. MAC spoofing, while more difficult than IP spoofing,
> > is still fairly trivial and particularly in this case where
> > you are using a "blacklist" approach for filtering MACs. So
> > if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get
> > around your rules, I'll get a utility to change my MAC to
> > something that won't trigger your firewall rule, like
> > 10:D8:02:D8:C8:DF, which I can be sure won't collide with
> > another MAC for quite some time.
> >
> > If the particular users you are trying to filter for aren't very
> > technical then I wouldn't worry but after two years of being a lab
> > assistant/server admin for a network security class I tend to be a
> > little paranoid. =)
>
> You are absolutely correct. So my immediate response to this
> is to do the exact opposite: have the MACs of the computers that
> are allowed to access anything other than the sites in
> question. As far as needing arpwatch to look for changes in
> IP, you could watch for the MAC and IP pair of allowed
> systems. Sure, people could still get around this but they
> will be breaking other things too.
>
>
>
> Grant. . . .
Yes, that is the best way to do things. The university I graduated from
implemented whitelist MAC-based network access very effectively and
would kill your port if you tried getting around it. Having managed
switches helped quite a bit.
Derick
* RE: Allowing access only some sites - onely some mac address
From: Derick Anderson @ 2005-08-30 14:44 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Jiann-Ming Su
> Sent: Tuesday, August 30, 2005 9:50 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: Allowing access only some sites - onely some mac address
>
> On 8/29/05, Sebastião Antônio Campos (GWA)
> <sa.campos@datasulsp.com.br>
> wrote:
> >
> > Dears,
> >
> > I'd like to allow access only to some sites by some mac address.
> >
> > For example:
> >
> > I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > address could access only the following IP: 200.221.2.128,
> > 200.221.2.129, 200.221.2.130, 200.221.2.131, 200.205.144.75,
> > 200.205.144.76. But the other mac address could access everything.
>
> IIRC, MAC addresses (layer 2) do not go beyond the router
> (layer 3). I think you can only do what you are proposing if
> all your boxes are behind the same broadcast domain.
>
> --
> Jiann-Ming Su
> "I have to decide between two equally frightening options.
> If I wanted to do that, I'd vote." --Duckman
>
That is correct. When a packet passes through a router, it comes out the other side with the router's MAC, not the original computer's MAC. I imagine there's an RFC that goes along with this but I discovered it using MAC filtering on an iptables firewall about a year ago.
Derick Anderson
* Allowing access only some sites - onely some mac address
From: Sebastião Antônio Campos (GWA) @ 2005-08-29 19:41 UTC (permalink / raw)
To: netfilter
Dears,
I'd like to allow access only to some sites by some mac address.
For example:
I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
00:E7:05:C9:07:EA............ and I'd like that only these mac address
could access only the following IP: 200.221.2.128, 200.221.2.129,
200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
mac address could access everything.
What is the better way to do this?
Thks
* Re: Allowing access only some sites - onely some mac address
From: Sp0oKeR @ 2005-08-29 19:49 UTC (permalink / raw)
To: Sebastião Antônio Campos (GWA); +Cc: netfilter
I think ipset is a good idea.
# ipmap
The ipmap set type uses a memory range, where each bit represents one
IP address and can store up to 65535 (B-class network) entries. You
can store same size network addresses in an ipset as well and an IP
address will be in the set if the network address it belongs to can be
found in the set.
# macipmap
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and MAC address pair. A macipmap set type can store
up to 65535 (B-class network) IP addresses with MAC.
Look http://ipsec.netfilter.org
Att,
Sp0oKeR
On 8/29/05, Sebastião Antônio Campos (GWA) <sa.campos@datasulsp.com.br> wrote:
> Dears,
>
> I'd like to allow access only to some sites by some mac address.
>
> For example:
>
> I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> 00:E7:05:C9:07:EA............ and I'd like that only these mac address
> could access only the following IP: 200.221.2.128, 200.221.2.129,
> 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
> mac address could access everything.
>
> How is the better way to do this??
>
> Thks
>
* Re: Allowing access only some sites - onely some mac address
From: Damon Gray @ 2005-08-29 20:02 UTC (permalink / raw)
To: Sp0oKeR; +Cc: netfilter
Just wanted to point to what I think was the intended website:
http://ipset.netfilter.org
On Mon, 29 Aug 2005, Sp0oKeR wrote:
> I think ipset is a good idea.
>
> # ipmap
> The ipmap set type uses a memory range, where each bit represents one
> IP address and can store up to 65535 (B-class network) entries. You
> can store same size network addresses in an ipset as well and an IP
> address will be in the set if the network address it belongs to can be
> found in the set.
> # macipmap
> The macipmap set type uses a memory range, where each 8 bytes
> represents one IP and MAC address pair. A macipmap set type can store
> up to 65535 (B-class network) IP addresses with MAC.
>
> Look http://ipsec.netfilter.org
>
> Att,
>
> Sp0oKeR
>
> On 8/29/05, Sebastião Antônio Campos (GWA) <sa.campos@datasulsp.com.br> wrote:
>> Dears,
>>
>> I'd like to allow access only to some sites by some mac address.
>>
>> For example:
>>
>> I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
>> 00:E7:05:C9:07:EA............ and I'd like that only these mac address
>> could access only the following IP: 200.221.2.128, 200.221.2.129,
>> 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
>> mac address could access everything.
>>
>> How is the better way to do this??
>>
>> Thks
>>
* Re: Allowing access only some sites - onely some mac address
From: Sp0oKeR @ 2005-08-29 20:07 UTC (permalink / raw)
To: Damon Gray; +Cc: netfilter
You are right! My bad.
Thanks,
Sp0oKeR
On 8/29/05, Damon Gray <dgray@internap.com> wrote:
>
> Just wanted to point to what I think was the intended website:
>
> http://ipset.netfilter.org
>
>
> On Mon, 29 Aug 2005, Sp0oKeR wrote:
>
> > I think ipset is a good idea.
> >
> > # ipmap
> > The ipmap set type uses a memory range, where each bit represents one
> > IP address and can store up to 65535 (B-class network) entries. You
> > can store same size network addresses in an ipset as well and an IP
> > address will be in the set if the network address it belongs to can be
> > found in the set.
> > # macipmap
> > The macipmap set type uses a memory range, where each 8 bytes
> > represents one IP and MAC address pair. A macipmap set type can store
> > up to 65535 (B-class network) IP addresses with MAC.
> >
> > Look http://ipsec.netfilter.org
> >
> > Att,
> >
> > Sp0oKeR
> >
> > On 8/29/05, Sebastião Antônio Campos (GWA) <sa.campos@datasulsp.com.br> wrote:
> >> Dears,
> >>
> >> I'd like to allow access only to some sites by some mac address.
> >>
> >> For example:
> >>
> >> I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> >> 00:E7:05:C9:07:EA............ and I'd like that only these mac address
> >> could access only the following IP: 200.221.2.128, 200.221.2.129,
> >> 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
> >> mac address could access everything.
> >>
> >> How is the better way to do this??
> >>
> >> Thks
> >>
* Re: Allowing access only some sites - onely some mac address
From: Grant Taylor @ 2005-08-30 2:27 UTC (permalink / raw)
To: netfilter
Sebastião Antônio Campos (GWA) wrote:
> I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> 00:E7:05:C9:07:EA............ and I'd like that only these mac address
> could access only the following IP: 200.221.2.128, 200.221.2.129,
> 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
> mac address could access everything.
I would be tempted to do something like the following:
# Create a new chain to put the allowed sites in for filtered MACs.
iptables -t filter -N MACFilteredSites
# Watch for a specific MAC address and jump to said chain on matches.
iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:0c:6E:11:E8:B0 -j MACFilteredSites
iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:D8:02:D8:C8:DF -j MACFilteredSites
iptables -t filter -A FORWARD -i ${LAN} -o ${INet} -m mac --mac-source 00:E7:05:C9:07:EA -j MACFilteredSites
# Only allow the filtered MACs to go to these sites (IP addresses).
# Note: We do not need to test for -i and -o interfaces b/c we tested for this before we got to this chain.
iptables -t filter -A MACFilteredSites -d 200.221.2.128 -j RETURN
iptables -t filter -A MACFilteredSites -d 200.221.2.129 -j RETURN
iptables -t filter -A MACFilteredSites -d 200.221.2.130 -j RETURN
iptables -t filter -A MACFilteredSites -d 200.221.2.131 -j RETURN
iptables -t filter -A MACFilteredSites -d 200.205.144.75 -j RETURN
iptables -t filter -A MACFilteredSites -d 200.205.144.76 -j RETURN
iptables -t filter -A MACFilteredSites -j LOG
iptables -t filter -A MACFilteredSites -j DROP
Grant. . . .
* Re: Allowing access only some sites - onely some mac address
From: Jiann-Ming Su @ 2005-08-30 13:49 UTC (permalink / raw)
To: netfilter
On 8/29/05, Sebastião Antônio Campos (GWA) <sa.campos@datasulsp.com.br>
wrote:
>
> Dears,
>
> I'd like to allow access only to some sites by some mac address.
>
> For example:
>
> I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> 00:E7:05:C9:07:EA............ and I'd like that only these mac address
> could access only the following IP: 200.221.2.128, 200.221.2.129,
> 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76.
> But the other mac address could access everything.
IIRC, MAC addresses (layer 2) do not go beyond the router (layer 3). I think
you can only do what you are proposing if all your boxes are behind the same
broadcast domain.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman