* A secure router, by MAC address
From: jgalvez @ 2004-10-20 18:46 UTC
To: netfilter

I am trying to set up a router that forwards traffic from one interface for only a specific set of MAC addresses.

Users on the eth1 side will use a static IP address with a known MAC address. DHCP will be running on eth1 for rogue users. If the source IP is 10.0.0.0/8, all port 80 traffic needs to be redirected to localhost port 80. ONLY traffic from a listed IP and MAC should be allowed to be forwarded out.

I need some recommendation on how to accomplish this. If you could point me to a similar example or something, I can figure it out. The more specific the better. I have a few of my notes and attempts below.

TIA
-Josh

eth0:
-Allow all traffic, in and out

eth1:
-Allow all DHCP traffic - something like below
#iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 \
    -j ACCEPT
-Allow all incoming traffic by source IP and MAC address
#iptables -A PREROUTING -i eth1 -t mangle -m mac \
    --source 208.5.x.242 --mac-source 00:30:65:0e:91:d6 -j ACCEPT
-Redirect all port 80 traffic from 10.0.0.0/8 to localhost:80
-Drop all other incoming traffic
#iptables -A PREROUTING -i eth1 -t mangle -j DROP
* Re: A secure router, by MAC address
From: Eric Leblond @ 2004-10-20 19:12 UTC
To: jgalvez@webpipe.net; +Cc: netfilter

Hi,

It really looks like you want to distinguish between well-known users and a set of mobile users.
NuFW (http://www.nufw.org) is done to distinguish between users because it's an authentication firewall. It authenticates connections in a secure manner, so you're sure of the identity of the users that you let go across your firewall.

You can easily manage to build a solution comparable to the one you describe below with NuFW. With more flexibility and more security.

On Wed, 2004-10-20 at 12:46 -0600, jgalvez@webpipe.net wrote:
> I am trying to set up a router that forwards traffic from one interface
> for only a specific set of MAC addresses.
>
> Users on the eth1 side will use a static IP address with a known MAC
> address. DHCP will be running on eth1 for rogue users. If the source IP
> is 10.0.0.0/8, all port 80 traffic needs to be redirected to localhost
> port 80. ONLY traffic from a listed IP and MAC should be allowed to be
> forwarded out.
>
> I need some recommendation on how to accomplish this. If you could
> point me to a similar example or something, I can figure it out. The
> more specific the better. I have a few of my notes and attempts below.
>
> TIA
> -Josh
>
> eth0:
> -Allow all traffic, in and out
>
> eth1:
> -Allow all DHCP traffic - something like below
> #iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 \
>     -j ACCEPT
> -Allow all incoming traffic by source IP and MAC address
> #iptables -A PREROUTING -i eth1 -t mangle -m mac \
>     --source 208.5.x.242 --mac-source 00:30:65:0e:91:d6 -j ACCEPT
> -Redirect all port 80 traffic from 10.0.0.0/8 to localhost:80
> -Drop all other incoming traffic
> #iptables -A PREROUTING -i eth1 -t mangle -j DROP

BR,
--
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
* Re: A secure router, by MAC address
From: jgalvez @ 2004-10-20 19:28 UTC
To: Eric Leblond; +Cc: netfilter

Eric,

I looked into NuFW, but it seems more complex than what I need. The biggest drawback to it is the requirement for each client to be running authentication software.

All I really need are a few specific rules: if traffic is coming in on this interface from this IP and MAC, allow it; otherwise redirect to localhost if the destination port is 80.

-Josh

On Wed, 2004-10-20 at 13:12, Eric Leblond wrote:
> Hi,
>
> It really looks like you want to distinguish between well-known users and
> a set of mobile users.
> NuFW (http://www.nufw.org) is done to distinguish between users because
> it's an authentication firewall. It authenticates connections in a secure
> manner, so you're sure of the identity of the users that you let go across
> your firewall.
>
> You can easily manage to build a solution comparable to the one you
> describe below with NuFW. With more flexibility and more security.
>
> BR,
* Re: A secure router, by MAC address
From: Eric Leblond @ 2004-10-20 20:23 UTC
To: jgalvez@webpipe.net; +Cc: netfilter

On Wed, 2004-10-20 at 13:28 -0600, jgalvez@webpipe.net wrote:
> Eric,
>
> I looked into NuFW, but it seems more complex than what I need. The
> biggest drawback to it is the requirement for each client to be running
> authentication software.

Well, it seems the new no-client mode was really awaited ;-)
NuFW 0.9.5 was released today, bringing the possibility to do authentication without a client. The main problem is that for the moment, only an ident module is provided ... If you only use Linux on your PCs, it can be a solution. If that is not the case, then it will only be a solution when the work on the "microsoft" module is finished.

BR,

> All I really need are a few specific rules: if traffic is coming in on
> this interface from this IP and MAC, allow it; otherwise redirect to
> localhost if the destination port is 80.
>
> -Josh
>
> On Wed, 2004-10-20 at 13:12, Eric Leblond wrote:
> > Hi,
> >
> > It really looks like you want to distinguish between well-known users and
> > a set of mobile users.
> > NuFW (http://www.nufw.org) is done to distinguish between users because
> > it's an authentication firewall. It authenticates connections in a secure
> > manner, so you're sure of the identity of the users that you let go across
> > your firewall.
> >
> > You can easily manage to build a solution comparable to the one you
> > describe below with NuFW. With more flexibility and more security.
> >
> > BR,
--
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
* Re: A secure router, by MAC address
From: Jason Opperisano @ 2004-10-20 20:39 UTC
To: netfilter

On Wed, Oct 20, 2004 at 12:46:06PM -0600, jgalvez@webpipe.net wrote:
> I am trying to set up a router that forwards traffic from one interface
> for only a specific set of MAC addresses.
>
> Users on the eth1 side will use a static IP address with a known MAC
> address. DHCP will be running on eth1 for rogue users. If the source IP
> is 10.0.0.0/8, all port 80 traffic needs to be redirected to localhost
> port 80. ONLY traffic from a listed IP and MAC should be allowed to be
> forwarded out.

# create new chain to mark known MAC/IP pairs
iptables -t mangle -N mark_known_hosts

# go to that chain first
iptables -t mangle -A PREROUTING -i eth1 -j mark_known_hosts

# mark known MAC/IP pairs
iptables -t mangle -A mark_known_hosts -m mac --mac-source XX:XX:XX:XX:XX:XX \
    -s w.x.y.z -j MARK --set-mark 1

# redirect unmarked 10.0.0.0/8 port 80 traffic to localhost
iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -s 10.0.0.0/8 \
    --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 80

# allow unmarked 10.0.0.0/8 port 80 traffic to localhost
iptables -A INPUT -i eth1 -p tcp --syn -s 10.0.0.0/8 \
    --dport 80 -m mark ! --mark 1 -j ACCEPT

# allow marked traffic to be forwarded out
iptables -A FORWARD -i eth1 -m mark --mark 1 -j ACCEPT

this example only points out the general concept--this is (obviously) not a complete firewall ruleset--but should point you in one of many "right" directions.

-j
--
Jason Opperisano <opie@817west.com>
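The mark-then-decide layout in Jason's reply works because the mangle PREROUTING chain runs before nat PREROUTING and before the filter INPUT/FORWARD chains, so one mark set for a known MAC/IP pair is visible to every later decision. The script below is an added example (not code from the thread or from any of the posters) that turns that single-host sketch into a generator for a whole whitelist of "MAC IP" pairs, as the original question asked for ("a specific set of MAC addresses"), and adds the closing FORWARD drop the original notes wanted. The whitelist file format, the interface and mark values, and the function names are this example's own assumptions. It only prints the iptables commands rather than applying them, so the result can be reviewed before a root shell runs it; it also refuses malformed entries, since a stray token in the whitelist would otherwise be handed straight to iptables.

```shell
#!/bin/sh
# Added example: generate Jason Opperisano's mark-and-forward ruleset for a
# list of known MAC/IP pairs. Assumptions (not from the thread): the LAN side
# is eth1, mark value 1, and the whitelist is a text file with one
# "MAC IPv4" pair per line (blank lines and '#' comments ignored).
LAN_IF=eth1
MARK=1

# A MAC is six colon-separated hex octets; an IPv4 address is four dotted
# octets in 0..255. Both regexes are POSIX ERE so they work with any grep -E.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

valid_ipv4() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\\.){3}$octet\$"
}

# gen_rules WHITELIST_FILE
# Prints the ruleset to stdout. Returns 1 (after printing the rest) if any
# whitelist line was malformed, so a wrapper can refuse to apply the output.
gen_rules() {
    rc=0
    echo "iptables -t mangle -N mark_known_hosts"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j mark_known_hosts"
    # Note: read skips a final line that has no trailing newline.
    while read -r mac ip extra; do
        case "$mac" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "# skipped malformed whitelist entry: $mac $ip $extra" >&2
            rc=1
            continue
        fi
        # one mark rule per known MAC/IP pair, exactly as in the posted sketch
        echo "iptables -t mangle -A mark_known_hosts -m mac --mac-source $mac -s $ip -j MARK --set-mark $MARK"
    done < "$1"
    # unmarked 10.0.0.0/8 web traffic is pulled to the local web server
    # (--to-ports is the documented spelling of the REDIRECT option)
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -s 10.0.0.0/8 --dport 80 -m mark ! --mark $MARK -j REDIRECT --to-ports 80"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --syn -s 10.0.0.0/8 --dport 80 -m mark ! --mark $MARK -j ACCEPT"
    # only marked (known MAC/IP) hosts may be forwarded; everything else
    # arriving on the LAN side is dropped, per the original requirement
    echo "iptables -A FORWARD -i $LAN_IF -m mark --mark $MARK -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
    return $rc
}

# Usage (constructed sample whitelist, run as an ordinary user; apply the
# printed commands as root only after reading them):
#   printf '00:30:65:0e:91:d6 192.0.2.10\n' > known_hosts.txt
#   gen_rules known_hosts.txt
```

Two caveats the thread does not spell out: the mark is set per packet, so the nat and filter rules see it without needing connection tracking, but the MAC/IP pair itself is only as trustworthy as the link-layer segment (a source MAC is not an authenticated identity, which is the gap Eric's NuFW suggestion is aimed at); and the generator deliberately exits non-zero on any bad entry rather than silently producing a narrower ruleset, so an automated deploy step should check its status before loading the output.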
Thread overview: 5+ messages
2004-10-20 18:46 A secure router, by MAC address   jgalvez
2004-10-20 19:12 ` Re: A secure router, by MAC address   Eric Leblond
2004-10-20 19:28   ` Re: A secure router, by MAC address   jgalvez
2004-10-20 20:23     ` Re: A secure router, by MAC address   Eric Leblond
2004-10-20 20:39 ` Re: A secure router, by MAC address   Jason Opperisano