* MAC Address filter on wireless interface
From: Steve Comfort @ 2006-03-13 14:23 UTC
To: netfilter
Hi All,
I have been trying to get MAC address filtering to work on our wireless
card - so far without success.
The rules I am using are listed below:
for M in $(cat /etc/mac.allow) ; do
    $IPT -A INPUT -i $WIFI_IF -m mac --mac-source $M -j ACCEPT
done
for M in $(cat /etc/mac.allow) ; do
    $IPT -A INPUT -i $WIFI_IF -m mac --mac-source ! $M -j DROP
done
(I do have CONFIG_IP_NF_MATCH_MAC turned on).
I'm running on an ARM processor with kernel 2.4.21-rmk1.
Is it in fact possible to filter on MAC addresses over a WiFi interface,
or am I doing something stupid?
Best regards
Steve Comfort
* Re: MAC Address filter on wireless interface
From: Cedric Blancher @ 2006-03-13 15:02 UTC
To: Steve Comfort; +Cc: netfilter
On Monday, 13 March 2006 at 16:23 +0200, Steve Comfort wrote:
> I have been trying to get MAC address filtering to work on our wireless
> card - so far without success :
You should describe the problem. What's not working? Everything goes
through? Nothing goes through?
> for M in $(cat /etc/mac.allow) ; do
> $IPT -A INPUT -i $WIFI_IF -m mac --mac-source ! $M -j DROP
> done
Probable typo here. Do you mean /etc/mac.deny?
Another hint that comes to mind. Do you really want to filter traffic
destined to this particular box, which is what you do using the INPUT
chain? If you want to filter traffic going through the box, you have to
use the FORWARD chain.
> Is it in fact possible to filter on MAC addresses over a WiFi interface,
> or am I doing something stupid?
Yes, it is possible, but you have to consider the fact that MAC filtering
is a very limited feature on a WiFi network. MAC spoofing is very easy
(ifconfig $WIFI_IF hw ether $NEW_MAC) on most drivers and does not cause
any problem or conflict as long as you don't use the IP the guy you're
spoofing does. Thus, your MAC filter can be bypassed very easily...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: MAC Address filter on wireless interface
From: Cedric Blancher @ 2006-03-14 7:59 UTC
To: Steve Comfort; +Cc: netfilter
On Tuesday, 14 March 2006 at 08:19 +0200, Steve Comfort wrote:
> mac.allow is a file we create containing permitted MAC addresses. The
> above was just a snippet, I have the same rule in place for the
> FORWARD chain.
OK. Then what I would do is check the iptables -L -v rule counters
to verify whether those rules actually match. And if they don't, try to
figure out why. Maybe you have one prior rule that allows all packets,
bypassing this part of the ruleset.
On the other hand, I would do a mac.allow file, and put a DROP policy so
you'll never see anything go through until you get the right MAC, and
the right ruleset ;) Maybe another "customer request"?
> Yeah, I know. Customer requirement unfortunately.
Customers...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
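As an added example (not from the thread, and not either poster's own script), here is an allowlist ruleset of the kind suggested in the last message, together with a counter check. It puts the list in a dedicated chain, one ACCEPT per entry of mac.allow followed by a final DROP, and inserts the jump at position 1 of INPUT and FORWARD so that no earlier accept-all rule bypasses it. This also avoids the original second loop, which cannot work with more than one address: with entries A and B, a frame from A fails `--mac-source ! A` but matches `--mac-source ! B` and is dropped, so every frame is dropped. The interface name wlan0, the chain name WIFI_MAC, the sample allow file and the sample `iptables -L WIFI_MAC -v -n` output are all constructed assumptions; IPT defaults to `echo iptables`, so the script prints the rules instead of applying them until IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not the thread's own code. Dry-run by default:
#   IPT=iptables ALLOW_FILE=/etc/mac.allow WIFI_IF=wlan0 ./mac_allow.sh
WIFI_IF="${WIFI_IF:-wlan0}"             # assumed interface name
IPT="${IPT:-echo iptables}"             # assumed: echo for dry run
ALLOW_FILE="${ALLOW_FILE:-/etc/mac.allow}"

# Build the allowlist chain from a file with one MAC per line.
# Blank lines and '#' comments are skipped; malformed entries are
# reported and skipped so one bad line cannot abort the loop and leave
# a half-built ruleset behind.
build_mac_rules() {
    allow_file="$1"
    $IPT -N WIFI_MAC 2>/dev/null         # harmless if the chain exists
    $IPT -F WIFI_MAC                     # start from an empty chain
    while read -r mac; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! printf '%s' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf 'skipping malformed entry: %s\n' "$mac" >&2
            continue
        fi
        $IPT -A WIFI_MAC -m mac --mac-source "$mac" -j ACCEPT
    done < "$allow_file"
    # Everything not explicitly allowed is dropped (the "DROP policy"
    # for this interface lives at the end of the dedicated chain).
    $IPT -A WIFI_MAC -j DROP
    # Position 1, so a prior ACCEPT-all rule cannot bypass the check,
    # and on both chains: INPUT for this box, FORWARD for routed traffic.
    $IPT -I INPUT 1 -i "$WIFI_IF" -j WIFI_MAC
    $IPT -I FORWARD 1 -i "$WIFI_IF" -j WIFI_MAC
}

# Constructed sample of 'iptables -L WIFI_MAC -v -n' output: the second
# allowed MAC has never matched, which is what the counter check reveals.
SAMPLE_COUNTERS='Chain WIFI_MAC (2 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 66:77:88:99:AA:BB
   37  2100 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the allowlisted MACs whose ACCEPT rule has a zero packet counter.
# Feed it the output of: iptables -L WIFI_MAC -v -n
unmatched_macs() {
    awk '$1 == 0 && $3 == "ACCEPT" { print $NF }'
}

# Demo with a constructed allow file (dry run prints the rules).
demo=$(mktemp)
printf '00:11:22:33:44:55\n66:77:88:99:aa:bb\n' > "$demo"
build_mac_rules "$demo"
rm -f "$demo"
printf '%s\n' "$SAMPLE_COUNTERS" | unmatched_macs
```

The counter check is the diagnostic step from the reply: an allowed station whose rule stays at 0 packets is either not sending through that interface, or is being accepted (or dropped) by a rule earlier in the chain. The `-I ... 1` placement removes the second possibility.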