I'm trying to allow only specific MACs to connect using iptables
The goal is to control internal access the way a NAC appliance does.
iptables MASQUERADE is working, but I want to allow only permitted, specific MAC addresses.
No matter what I try it doesn't work, and my head hurts..
eth0 is connected to the Internet, and eth1 is connected to the switch the PCs are on.
What should I do... I'd appreciate some help.
$ cat iptables
*nat
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
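An added example of the FORWARD-chain allowlist the question asks for (not code from the original post or from the reference script that follows): it places the permitted MACs in a dedicated chain, jumps to it only for eth1 to eth0 traffic, and rejects every other LAN host before the existing FORWARD rules (whose "--state NEW -o eth0" rule otherwise accepts everything) see the packet. Assumed: the eth0/eth1 roles described in the question, an allowlist file with one MAC per line, and a hypothetical IPT variable for previewing the commands.

```shell
#!/bin/sh
# Added example (not the original poster's script): forward from eth1 to
# eth0 only for MACs listed in an allowlist file, one per line.
# Assumed from the question: eth0 = Internet side, eth1 = PC/switch side.
# IPT is a hypothetical override (e.g. IPT=echo) to preview without applying.
IPT=${IPT:-iptables}
WAN=eth0
LAN=eth1
CHAIN=MAC-ALLOW

# Refuse malformed entries instead of letting iptables fail half-way through.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Build the allowlist in its own chain so the script can be re-run safely.
# Prints the number of MACs that were added.
apply_mac_allowlist() {
    db=$1
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    n=0
    while read -r mac _; do
        case $mac in ''|\#*) continue ;; esac   # skip blank and comment lines
        if valid_mac "$mac"; then
            # -m mac matches only in PREROUTING, INPUT and FORWARD
            $IPT -A "$CHAIN" -m mac --mac-source "$mac" -j ACCEPT
            n=$((n + 1))
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done < "$db"
    # Any other LAN host is refused before the existing
    # FORWARD -> RH-Firewall-1-INPUT rules can accept it.
    $IPT -A "$CHAIN" -j REJECT --reject-with icmp-host-prohibited
    # Only LAN -> WAN traffic enters the chain; replies (WAN -> LAN) are
    # still accepted by the existing ESTABLISHED,RELATED rule.
    $IPT -C FORWARD -i "$LAN" -o "$WAN" -j "$CHAIN" 2>/dev/null ||
        $IPT -I FORWARD 1 -i "$LAN" -o "$WAN" -j "$CHAIN"
    echo "$n"
}

# Usage: sh mac_allow.sh /etc/mac_allow.txt
if [ -n "$1" ]; then
    apply_mac_allowlist "$1"
fi
```

The mac match only sees the frame's source address as it arrived on eth1, which a client can set freely, so this is an access list for a directly attached segment rather than authentication; hosts behind another router on the eth1 side all present that router's MAC.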


Reference:
I wrote this myself to filter MAC addresses and used it on a server.
It reads the MACs in from a file.
#!/bin/sh
# PlusGenie Ltd
#set -x

DB_FILE=mac_dbfile.txt
DOOR=24810   # port example, 135:139 for range

# Allow one MAC ($3) to talk on $DOOR; $1 is the iptables command (-I/-A),
# $2 the optional rule position.
filter_one() {
    iptables $1 INPUT $2 --protocol tcp --destination-port $DOOR -m mac --mac-source $3 -j ACCEPT > /dev/null 2>&1
    iptables $1 INPUT $2 --protocol tcp --source-port $DOOR -m mac --mac-source $3 -j ACCEPT > /dev/null 2>&1
    iptables $1 INPUT $2 --protocol udp --destination-port $DOOR -m mac --mac-source $3 -j ACCEPT > /dev/null 2>&1
    iptables $1 INPUT $2 --protocol udp --source-port $DOOR -m mac --mac-source $3 -j ACCEPT > /dev/null 2>&1
}

# deny all other traffic on $DOOR
filter_other() {
    iptables $1 INPUT --protocol tcp --destination-port $DOOR -j DROP
    iptables $1 INPUT --protocol tcp --source-port $DOOR -j DROP
    iptables $1 INPUT --protocol udp --destination-port $DOOR -j DROP
    iptables $1 INPUT --protocol udp --source-port $DOOR -j DROP
}

if [ ! -e "$DB_FILE" ]; then
    echo "There is no config file"
    exit 1
fi

setup_first_rule() {
    printf '\n=====SETUP INIT RULES===========================\n'
    echo "Allow established sessions to receive traffic"
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Loopback traffic is frequent, so insert it right after the
    # conntrack rule so it is processed early.
    printf '\n================================================\n'
    iptables -I INPUT 2 -i lo -j ACCEPT
    printf '\n================================================\n'
    echo "allow incoming traffic on the default SSH port (22)"
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    printf '\n================================================\n'
    # echo "let's allow all incoming web traffic "
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Just check whether we already set the rules or not
# (-n avoids DNS lookups; -i because iptables lists MACs in upper case)
SETUP_DONE=0
for MAC in $(cat "$DB_FILE"); do
    if iptables -L -n | grep -qi "$MAC"; then
        echo "checking configs"
        # drop rules were already added on an earlier run
        SETUP_DONE=1
    fi
done

# let's set up the first rules
if [ $SETUP_DONE -eq 0 ]; then
    setup_first_rule
fi

# Insert each listed MAC at position 4, i.e. after the three base rules
# and before the DROP rules appended at the end.
for MAC in $(cat "$DB_FILE"); do
    if iptables -L -n | grep -qi "$MAC"; then
        echo "already found in rules"
    else
        printf '\n================================================\n'
        echo "Inserting new rules"
        filter_one -I 4 "$MAC"
    fi
done

if [ $SETUP_DONE -eq 0 ]; then
    filter_other -A
fi

# Showing what we have done:
#iptables -L -v -n