1

It is possible to create iptables rule, that allows access from outside net (behind wan eth0) from specific MAC address, to only specific IP address behind the inside adapter (safe lan eth1) ?

Model:

10.0.1.2 <- 10.0.1.1 <- FW <- 192.168.1.15 <- 08:00:00:00:01:00

SAFE LAN IP <- ROUTER LAN <- FORWARD RULE <- ROUTER WAN <- ALLOWED MAC

The router should do only the filtering. Safe lan IP's should be accessible only from hand coded outside MAC's. Perhaps on specific port. There is no need to communicate from safe lan to outside.

Purpose of this is crete safe Extra-LAN with only NAS devices, and protect them from unattended access from normal LAN through MAC addresses filter.

Peter Maly
  • 31
  • 2
  • 6
  • How do you propose to get the MAC address? These are only visible on a single link. They are not transmitted across networks. – Michael Hampton Mar 03 '18 at 20:47
  • the router should be only internal "between lans" router and connect two lans strictly - also from common lan where user pcs are, to safe area where only NAS devices are - also macs are available – Peter Maly Mar 04 '18 at 09:35

2 Answers2

1

It looks that only possible option is to use these two rules in FORWARD chain in FILTER table:

ipconfig -A FORWARD -m mac --mac-source 08:00:00:00:01:00 -j ACCEPT
 ipconfig -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  • because the lack of --mac-destiantion option in iptables

IPTABLES configuration is strict DROP to disable any other traffic:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

  • it can (should) be reconditioned with input and output interfaces, ip addresses, port numbers and such features to harden access through the FORWARD chain and also router self
Peter Maly
  • 31
  • 2
  • 6
  • first line allows only traffic from specified MAC and second line allows return of packets back to source – Peter Maly Mar 04 '18 at 11:27
  • like found here https://serverfault.com/questions/731543/iptables-filter-by-mac-on-forward-chain/899885#899885 – Peter Maly Mar 04 '18 at 11:30
0

First hit when googling "iptables allow MAC" is https://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

From there:

iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

is that what you are looking for? You can extend that with the destination IP too, aka:

iptables -A INPUT -p tcp -d 10.0.1.2 --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
Tomáš Pospíšek
  • 233
  • 1
  • 7
  • this is for access to the router self. I need to access secret lan BEHIND this router. only from certified mac's and only to specific ip's in the secret lan. policy on the router is strict DROP for all INPUT OUTPUT FORWARD - also only explicit defined rules should allow specific traffic – Peter Maly Mar 04 '18 at 09:00