[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


How to only permit specifical Hardware address to access internet?

Posted on 2001-08-27
Medium Priority
Last Modified: 2013-12-15
I am comming back again :)

  Still on my lovely Linux box, I want to only specifical MAC address (Ethernet address) can access our internet service, All others can't. How can I?
  And BTW, all intranet PC is use DHCP server in our Group, and I can't change this configuration. So IP/MAC correspond is unusefull here. And I do not want to change the linux kernel, Is here any tools just like "arp" Can perform this.
Question by:auther_bin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 40

Expert Comment

ID: 6428298
I can't think of any easy way to restrict access based on MAC address. If there are only a few nodes that should have access, you might be able to talk the network administrators into giving those nodes a reserved DHCP address. That would cause those nodes to always have the same IP and that you can filter on.

Author Comment

ID: 6428886
Is here any usefull tools can do this, Like something can prevent arp snoof.

Expert Comment

ID: 6435549
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

LVL 40

Expert Comment

ID: 6440433
Okay, presumably you have some number of folks that should be able to access the Internet and the rest should not. While there isn't a decent way to restrict Internet access based on MAC addr, you can still accomplish your goal.

First you'll need to configure the DHCP server to give out reserved IP's (static reservation) to those machines used by the 'Internet users'. That way they will always get the same IP and those IP's will never be assigned to other systems by the DHCP server. Then you need to tell the gateway router or firewall, as appropriate, to permit traffic to/from those IP's and to deny Internet traffic to all others. Now that won't keep someone from manually grabbing one of the reserved IP's if the corresponding system is down, but if you are really worried about that you can use arpwatch to look for that happening. It'll tell you the MAC of the offending system and you can go jerk a knot in the offender's neck. And if you really want to get fancy you could write a perl script that would dynamically modify the router or firewall rules if such an event happened.

Expert Comment

ID: 6479462
If "Internet" means "http" (www) only, then you can just force your users to go via a "squid" proxy. Squid then can do a password authentification via the browser of the user.

This works well in our company and you don't have to worry about MACS, IPs or users changing Computers.

In a Windows network you can even use the windows password/account for authentification with smb_auth.


Accepted Solution

BlackDiamond earned 200 total points
ID: 6483733
If you're running a 2.4 kernel, you can use iptables and set up a rule base like:

iptables -A INPUT -p tcp --dport 80 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A input -p tcp --dport 80 -j DROP

This will only allow packets coming from source mac 00:11:22:33:44:55 to connect to port 80 on that machine.  Keep in mind that the mac address only applies to the local broadcast domain, so if you allow the mac address of a router (for example), then anything that is connected through that router will have access to the site (since all packets from the router will have the same mac address).

Author Comment

ID: 6491499
I know about this but hereis someother tools to work togeter.

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses
Course of the Month13 days, 13 hours left to enroll

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question