How to only permit specifical Hardware address to access internet?

Posted on 2001-08-27
Last Modified: 2013-12-15
I am comming back again :)

  Still on my lovely Linux box, I want to only specifical MAC address (Ethernet address) can access our internet service, All others can't. How can I?
  And BTW, all intranet PC is use DHCP server in our Group, and I can't change this configuration. So IP/MAC correspond is unusefull here. And I do not want to change the linux kernel, Is here any tools just like "arp" Can perform this.
Question by:auther_bin
LVL 40

Expert Comment

ID: 6428298
I can't think of any easy way to restrict access based on MAC address. If there are only a few nodes that should have access, you might be able to talk the network administrators into giving those nodes a reserved DHCP address. That would cause those nodes to always have the same IP and that you can filter on.

Author Comment

ID: 6428886
Is here any usefull tools can do this, Like something can prevent arp snoof.

Expert Comment

ID: 6435549
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 40

Expert Comment

ID: 6440433
Okay, presumably you have some number of folks that should be able to access the Internet and the rest should not. While there isn't a decent way to restrict Internet access based on MAC addr, you can still accomplish your goal.

First you'll need to configure the DHCP server to give out reserved IP's (static reservation) to those machines used by the 'Internet users'. That way they will always get the same IP and those IP's will never be assigned to other systems by the DHCP server. Then you need to tell the gateway router or firewall, as appropriate, to permit traffic to/from those IP's and to deny Internet traffic to all others. Now that won't keep someone from manually grabbing one of the reserved IP's if the corresponding system is down, but if you are really worried about that you can use arpwatch to look for that happening. It'll tell you the MAC of the offending system and you can go jerk a knot in the offender's neck. And if you really want to get fancy you could write a perl script that would dynamically modify the router or firewall rules if such an event happened.

Expert Comment

ID: 6479462
If "Internet" means "http" (www) only, then you can just force your users to go via a "squid" proxy. Squid then can do a password authentification via the browser of the user.

This works well in our company and you don't have to worry about MACS, IPs or users changing Computers.

In a Windows network you can even use the windows password/account for authentification with smb_auth.


Accepted Solution

BlackDiamond earned 100 total points
ID: 6483733
If you're running a 2.4 kernel, you can use iptables and set up a rule base like:

iptables -A INPUT -p tcp --dport 80 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A input -p tcp --dport 80 -j DROP

This will only allow packets coming from source mac 00:11:22:33:44:55 to connect to port 80 on that machine.  Keep in mind that the mac address only applies to the local broadcast domain, so if you allow the mac address of a router (for example), then anything that is connected through that router will have access to the site (since all packets from the router will have the same mac address).

Author Comment

ID: 6491499
I know about this but hereis someother tools to work togeter.

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Ubuntu/Asterisk after upgrade Wav issue 19 54
Linux server cannot access samba share 12 88
Oracle 12c patching 1 59
expectj telnet failing 5 17
Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension ( This reminded me of questions tha…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now