Linux Netfilter discussions
* IP + MAC filter -  wireless client
From: varun_saa @ 2005-05-05  5:58 UTC (permalink / raw)
  To: netfilter

Hello,
     My server is on Mandriva 10.1
eth0 is WAN with static IP connected to 512K DSL
eth1 is LAN - 192.168.0.0/24 and 192.168.21.0/24

I want to use IP + MAC filtering to allow/deny
clients access to the net as follows.

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 \
    -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

How do you handle a client connected to the LAN
via wireless? In such a case there will be more
than one MAC address in the route.

Can you have multiple MACs in one rule, or is it better
to have multiple rules for the same IP, one for each MAC?

Thanks in advance

Varun




* Re: IP + MAC filter -  wireless client
From: Taylor, Grant @ 2005-05-05  8:10 UTC (permalink / raw)
  To: netfilter

> How do you handle a client connected to the LAN
> via wireless. In such a case there will be more
> than one MAC address in the route.

How are you going to have more than one (source) MAC address?  If you are routing then the MAC address that will be seen by the IPTables firewall will be the MAC address of the router that is doing the routing for you, not the MAC of the wireless card.  If you are using an AP that is in bridging mode the MAC that will be seen by the IPTables firewall should be the MAC address of the physical wireless card, not of the AP/Bridge.  The MAC of the AP/Bridge only comes into play when you connect to its management interface, not normal traffic flow.  (Does anyone else care to comment / correct me on this?)



Grant. . . .



* Re: IP + MAC filter -  wireless client
From: Taylor, Grant @ 2005-05-05 16:24 UTC (permalink / raw)
  To: netfilter

> We have an AP that transmits via a omni antenna.
> 
> On the client side we have AP in client mode.
> 
> What I see is that in these wireless devices we have 
> at least two MAC addresses: 
> 
> 1. The lan MAC address.
> 2. The wireless MAC address.

I suppose this is normal.

> So for every client we have :
> 
> 1. The lan MAC address.
> 2. The wireless MAC address.
> 3. The ethernet MAC address.

This is contrary to everything that I know of when you are talking about Ethernet Layer 2 (802.2 Link Level Control) networking standard with hubs and switching.  If this is indeed the case I'm not sure why this is the case.

> In wireless networking when we did MAC filtering
> we had to enter all three for the client to gain
> access.

What filtering were you doing?  Was it the allowed source and / or destination MAC addresses in your wireless devices?  If so you may have had to do this for the AP transceiver to allow the traffic to flow through correctly, but this does not seem like an Ethernet Layer 2 (802.2 Link Level Control) network issue but more one of wireless.  802.2 LLC specifically allows for one source and one destination MAC address in the frame.  I say 802.2 LLC because ethernet, fiber, wireless are all starting to use / have been using 802.2 LLC frames for a long time now.  This is really what is making "ethernet" so compatible with other equipment / technologies.

Have you tried to set up any iptables rules to match just the client MAC (and IP)?  Do you see any packets passing through that rule?

> Based on that I was wondering how one would handle 
> these wireless clients using iptables.
> 
> Thanks

No problem.
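As an added example, not code posted in this thread, the script below takes the "one rule per MAC" approach Varun asks about in the first post and builds the FORWARD rules from an allow-list, so a client that shows up with several MAC addresses simply gets several lines for the same IP. It also gives Grant's suggested check a concrete form: after loading the rules, the per-rule packet counters show whether the MAC the firewall actually sees is the one listed. Interface names, IP addresses and MACs are constructed sample values; the `CLIENTS` list, `valid_mac`, `valid_ip` and `gen_rules` are names chosen for this example. The `mac` match only works in the PREROUTING, INPUT and FORWARD chains, where the source MAC of the incoming frame is still known, so every rule goes into FORWARD.

```shell
#!/bin/sh
# Added example (not from the thread): generate one "IP + MAC" ACCEPT rule per
# allow-listed pair, then a catch-all DROP for the same LAN -> WAN path.
# All interface names, IPs and MACs here are constructed sample values.

LAN_IF=eth1   # LAN side (hypothetical, as in the first post)
WAN_IF=eth0   # WAN side

# Allow-list: one "IP MAC" pair per line. A client reachable under several
# MAC addresses (e.g. a wireless client device) gets one line per MAC.
CLIENTS='
192.168.0.5 00:11:22:33:44:55
192.168.0.5 66:77:88:99:aa:bb
192.168.21.7 AA:BB:CC:DD:EE:01
'

# Accept a MAC only in the form six hex octets separated by colons.
valid_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Accept a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables commands for the allow-list, one ACCEPT per pair followed
# by a DROP, so anything not listed is blocked. Rejects malformed entries
# instead of silently emitting a rule that would never match.
gen_rules() {
  printf '%s\n' "$CLIENTS" | while read -r ip mac; do
    if [ -z "$ip" ]; then continue; fi          # skip blank lines
    valid_ip "$ip"   || { echo "bad IP: $ip" >&2;   exit 1; }
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; exit 1; }
    mac=$(printf '%s' "$mac" | tr 'A-Z' 'a-z')    # normalise case
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
      "$LAN_IF" "$WAN_IF" "$ip" "$mac"
  done || return 1
  printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$LAN_IF" "$WAN_IF"
}

# Print the command that shows per-rule packet counters; a listed client that is
# sending traffic but leaves its ACCEPT rule at zero packets is arriving with a
# different source MAC than the one listed (for example a router's MAC, as the
# earlier reply describes), so the frame falls through to the DROP rule.
gen_check() {
  printf 'iptables -L FORWARD -v -n --line-numbers\n'
}

# Stand-alone run: print the rules and the check command.
gen_rules
gen_check
```

To apply the rules, review the printed commands and then run them as root (for example `gen_rules | sudo sh`); `gen_check` prints the listing command whose packet counters answer Grant's "do you see any packets passing through that rule?" question. Keep in mind what this scheme does and does not give: both the IP and the MAC in a frame are set by the sending host, so IP + MAC matching limits which locally attached hosts are forwarded by default, but it is not authentication of the client.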


