How to only permit specifical Hardware address to access internet?

I am comming back again :)

  Still on my lovely Linux box, I want to only specifical MAC address (Ethernet address) can access our internet service, All others can't. How can I?
  And BTW, all intranet PC is use DHCP server in our Group, and I can't change this configuration. So IP/MAC correspond is unusefull here. And I do not want to change the linux kernel, Is here any tools just like "arp" Can perform this.
Who is Participating?
BlackDiamondConnect With a Mentor Commented:
If you're running a 2.4 kernel, you can use iptables and set up a rule base like:

iptables -A INPUT -p tcp --dport 80 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A input -p tcp --dport 80 -j DROP

This will only allow packets coming from source mac 00:11:22:33:44:55 to connect to port 80 on that machine.  Keep in mind that the mac address only applies to the local broadcast domain, so if you allow the mac address of a router (for example), then anything that is connected through that router will have access to the site (since all packets from the router will have the same mac address).
I can't think of any easy way to restrict access based on MAC address. If there are only a few nodes that should have access, you might be able to talk the network administrators into giving those nodes a reserved DHCP address. That would cause those nodes to always have the same IP and that you can filter on.
auther_binAuthor Commented:
Is here any usefull tools can do this, Like something can prevent arp snoof.
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Okay, presumably you have some number of folks that should be able to access the Internet and the rest should not. While there isn't a decent way to restrict Internet access based on MAC addr, you can still accomplish your goal.

First you'll need to configure the DHCP server to give out reserved IP's (static reservation) to those machines used by the 'Internet users'. That way they will always get the same IP and those IP's will never be assigned to other systems by the DHCP server. Then you need to tell the gateway router or firewall, as appropriate, to permit traffic to/from those IP's and to deny Internet traffic to all others. Now that won't keep someone from manually grabbing one of the reserved IP's if the corresponding system is down, but if you are really worried about that you can use arpwatch to look for that happening. It'll tell you the MAC of the offending system and you can go jerk a knot in the offender's neck. And if you really want to get fancy you could write a perl script that would dynamically modify the router or firewall rules if such an event happened.
If "Internet" means "http" (www) only, then you can just force your users to go via a "squid" proxy. Squid then can do a password authentification via the browser of the user.

This works well in our company and you don't have to worry about MACS, IPs or users changing Computers.

In a Windows network you can even use the windows password/account for authentification with smb_auth.

auther_binAuthor Commented:
I know about this but hereis someother tools to work togeter.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.