2

Currently we give Internet access using the IP address in our firewall script as follows:

 iptables -t nat -A POSTROUTING -s 192.168.1.40 -j MASQUERADE 

But we have noticed that some guys steal these IP addresses after office hours to browse personal stuff.

To make these things a bit more difficult, I want to grant permissions using the MAC address. So these people will have to find a new way to break the system and will learn more about networking.

Bart De Vos
Silkograph

3 Answers

4

Personally I think this is an HR issue, not a technical one; as sysadmins we have enough to deal with keeping externals from getting in without staff gaming the system to do the opposite.

You could put all manner of technical solutions in place and be constantly playing catch-up with them, but I think you'd be better off letting the HR department deal with this; one good kicking from them will stop these guys dead in their tracks.

Chopper3
  • I never thought it was an HR problem, but you may be right; it can be more to do with discipline and maturity. Anyway, for me I must face this challenge, that's why I seek your help. – Silkograph Jan 18 '12 at 12:45
  • As geeks we have a natural instinct to try to fix problems in geeky ways, but I'm a bit older than the average SF user here and have seen lots of problems get WORSE by trying to fix them with technology rather than taking that step back and spotting that this is a people problem - and that's not your job at all. – Chopper3 Jan 18 '12 at 12:50
2

You keep flipping between talking about users and client devices in your question, so it's impossible to infer whether your security policy is to restrict access by user, by client device, or by some combination. We can't really comment on how you should implement your security policy when we don't know what it is.

If you want to control who has access to the internet and which client machines can access the internet, then static rules restricting IP addresses (or MAC addresses) on the firewall are no solution. There are lots of different ways to solve the problem and these should be obvious.

Having said that, you've got a much more fundamental issue than your firewall configuration: your users think they can flout the security policy at your site with impunity.

symcbean
  • Appreciate your answer. But I am expecting a solution which is more technical than philosophical. At the same time, I am ready to learn my basics if I get the right direction. – Silkograph Jan 19 '12 at 09:33
0

Adding the lines below to the filter table could help restrict your masquerade.

 -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
 ...
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited

kamae
  • OK, this sounds like a better solution, though I have not understood the REJECT rule. I will try to dig through this. Thanks a lot. – Silkograph Jan 19 '12 at 10:40
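The following is an added worked example, not code from the question or from kamae's answer: it combines the question's MASQUERADE rule with a FORWARD chain that accepts only a whitelist of MAC addresses and rejects everything else, and it explains in comments why the final rule is a REJECT rather than a DROP. The interface names (eth0 as the Internet side, eth1 as the LAN side) and the MAC addresses are constructed placeholders; the functions only print the iptables commands so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the question or the answers above).
# WAN_IF, LAN_IF and ALLOWED_MACS are constructed placeholders.
WAN_IF="eth0"
LAN_IF="eth1"
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# Return success only for a well-formed six-octet colon-separated MAC.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the iptables commands for the given list of MAC addresses.
# Printing instead of executing lets you read the ruleset first;
# pipe the output into sh as root to apply it.
gen_rules() {
    # Masquerade everything leaving via the Internet interface (the
    # question's POSTROUTING rule, no longer tied to a single IP).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Let replies to already-accepted connections flow back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for mac in "$@"; do
        if valid_mac "$mac"; then
            # -m mac matches the source MAC of the frame as it arrives on
            # the LAN interface, so this only identifies hosts on the
            # directly attached segment, not hosts behind another router.
            echo "iptables -A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
        else
            echo "# skipped malformed MAC: $mac" >&2
        fi
    done
    # Catch-all for LAN hosts that matched no whitelist entry.  REJECT
    # answers with an ICMP error so the client fails immediately;
    # DROP would silently discard the packet and leave it waiting for a
    # timeout, which is harder to troubleshoot.
    echo "iptables -A FORWARD -i $LAN_IF -j REJECT --reject-with icmp-host-prohibited"
}

# Number of per-MAC ACCEPT rules the generator produced (malformed
# entries are skipped, so this can be smaller than the input count).
count_mac_rules() {
    gen_rules "$@" 2>/dev/null | grep -c -- '--mac-source'
}

# Print the ruleset for review.
gen_rules $ALLOWED_MACS
```

Rule order matters: iptables evaluates the FORWARD chain top to bottom and stops at the first match, so the per-MAC ACCEPT rules must come before the REJECT catch-all, exactly as in kamae's fragment. Note also that a MAC address is a property of the network card, not of the person sitting at it, so this restricts which machines can browse, not which users.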