Screening Devices By MAC
I have been using ClearOS 6 at home for several years. I am planning to upgrade to ClearOS 7 (I know, I'm late), and I was testing the new system. While it looks good, I found something that worked on V 6 but doesn't work on V 7.
I put the following in the custom firewall rules:
#STOP ALL TRAFFIC
iptables -I FORWARD -s 192.168.1.0/8 -j DROP
#Set Host ON
iptables -I FORWARD -m mac --mac-source XX-XX-XX-XX-XX-XX -j ACCEPT
The first line would stop all traffic, and the subsequent lines would allow traffic from specific devices. This way, only the devices that I allowed would have access. I know there is an app that will control web access, but I want to block ALL traffic except from devices I choose to allow.
This worked for ClearOS 6, but with ClearOS 7, the first line blocks all traffic, but the other lines have no effect. What is different? How do I get this to work with ClearOS 7?
Accepted Answer
The other thing I also recommend is that, before putting rules into the custom firewall module, you try them at the command line first to check for errors. You will find that your ACCEPT rule will fail even if you put in a valid MAC address, because it looks like the MAC address separator is a ":" and not a "-".
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11-22-33-44-55-66 -j ACCEPT
iptables v1.4.21: ether
Try `iptables -h' or 'iptables --help' for more information.
Note the first works but the second fails.
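An added example (not code from the thread or from ClearOS) that turns the separator point above into a check: it normalizes a MAC address to the colon form the iptables mac match accepts, and generates the DROP-then-ACCEPT rule lines as text so they can be reviewed before going into the custom firewall module. The function names and the 192.168.1.0/24 sample subnet are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS. Nothing here
# executes iptables; the rule lines are only generated for review.

# normalize_mac: accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff
# (any case); print lowercase aa:bb:cc:dd:ee:ff, or print nothing and fail.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[-:.]//g')
    case "$hex" in
        ????????????) ;;            # exactly 12 characters once separators are gone
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;    # every character must be a hex digit
    esac
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# forward_allowlist_rules SUBNET MAC...: print the rule lines. Every rule is
# inserted at the top of FORWARD with -I, so the DROP is emitted first and
# each ACCEPT that follows lands above it, which is the ordering the scheme
# relies on. A MAC that does not normalize aborts the whole set.
forward_allowlist_rules() {
    subnet=$1
    shift
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$subnet"
    for raw in "$@"; do
        mac=$(normalize_mac "$raw") || {
            printf 'invalid MAC address: %s\n' "$raw" >&2
            return 1
        }
        printf 'iptables -I FORWARD -m mac --mac-source %s -j ACCEPT\n' "$mac"
    done
}

# Constructed sample input: an assumed LAN subnet and two allowed devices
# written with different separators.
forward_allowlist_rules 192.168.1.0/24 '11-22-33-44-55-66' 'AA:BB:CC:DD:EE:FF'
```

The mac match only sees the source address of the last layer-2 hop, so these ACCEPT rules apply to hosts on the directly attached LAN segment; traffic that has crossed another router arrives carrying that router's MAC. A device's MAC is also set by whoever controls the device, so this is an access convenience rather than an identity check.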
Accepted Answer
Nick Howitt wrote:
The other thing I also recommend is that, before putting rules into the custom firewall module, you try them at the command line first to check for errors. You will find that your ACCEPT rule will fail even if you put in a valid MAC address, because it looks like the MAC address separator is a ":" and not a "-".
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11-22-33-44-55-66 -j ACCEPT
iptables v1.4.21: ether
Try `iptables -h' or 'iptables --help' for more information.
Note the first works but the second fails.
That did it. I had dashes in the MAC address. When I used colons, as you suggested, it works. That was the one thing that was different. Thanks for the help.
By the way, the IP address range in my example is just an example. I am using a larger range.
Here it is:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
ACCEPT tcp -- 0.0.0.0/0 10.10.15.56 tcp dpt:81
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 172.16.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
ACCEPT tcp -- 10.10.15.56 0.0.0.0/0 tcp spt:81