Solved

Dynamically Block or Unblock a user’s MAC Address

Posted on 2010-11-27
Last Modified: 2012-05-10
Hi:

I would like to be able to dynamically (i) block a specific user's machine (MAC address) from being able to access the internet via a Gate Keeper Machine (GKM) and (ii) allow them through again. Also, while this action is being done, I would like there to be no disruption to the other users who are currently surfing (e.g. watching YouTube, sending and receiving e-mail, etc.).

My two questions are:
(i) What is the technical name or classification of this system? So that I would know in future.
(ii) Most importantly: What are the applications etc. that I would need to set up this system (GKM)?

GKM Details:
CentOS 5.5 with 1GB of RAM, two (2) NICs (one for the users (LAN switch), and the other for an ADSL router), AMD Athlon II X2 250 Regor 3.0 GHz Dual-Core CPU; hard drive space: 200GB

My Abilities:
New to setting up a router; squid; iptables; GKM.
Can program in Java and Perl, but prefer Java; working knowledge of MySQL.

Note:  Since I am new to this area, I may need some help with the configuration of the recommended solution when I am stumped.
Question by: Hope4U
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 34222132
There might be some special name for what you intend to be doing, but filtering network traffic according to specific rules (allowing or disallowing one IP or MAC address, service (port) etc.) is called firewalling.

On Linux systems firewalling is done with iptables (part of the kernel), and rules can be added, deleted and viewed with the utility /sbin/iptables.

There are several pages describing iptables behaviour and you should start with them:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables - Quick HOWTO
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html   - official HOWTO
http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html   - mac filtering

I'll give you some hints to speed up the learning process:
In CentOS the iptables rules (which are loaded after every reboot) are stored in /etc/sysconfig/iptables.
For what you are doing you should be looking at the FORWARD chain of the filter table (this chain processes every forwarded network packet).
I suggest you create a designated chain for your needs and jump to it as the first rule in the FORWARD chain:
  iptables -N CHECK_MAC
  iptables -I FORWARD -j CHECK_MAC
  iptables -A CHECK_MAC -j RETURN

Then you can block specific MAC address with:
iptables -A CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

And unblock with:
iptables -D CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Author Comment

by:Hope4U
ID: 34222191
Based on your experience:
(i) Would this method immediately block or unblock a user?
(ii) Would I have to restart a service or reboot the system?
(iii) Would it allow for the non-disruption of the other users?
LVL 16

Expert Comment

by:Blaz
ID: 34222359
1. Yes, this method immediately blocks a user.
2. No restart of any service is necessary. The command is effective immediately.
3. Other users will not notice any change.
LVL 16

Assisted Solution

by:Blaz
Blaz earned 500 total points
ID: 34222363
I just noticed a typo in my first response:

The command to block a user should be:
iptables -I CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Notice the -A (append) versus -I (insert). The wrong one adds the rule at the end of the chain and is therefore never reached. The right one inserts the rule at the beginning of the chain.
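Blaz's recipe (the CHECK_MAC chain, the -I insert from the correction above, and -D to remove) can be wrapped so the asker's Java or Perl code only has to call one script with "block" or "unblock". The following is an added example and not code from the thread; it assumes the CHECK_MAC chain has already been created and hooked into FORWARD exactly as in the accepted solution, and that /sbin/iptables is the firewall binary (override with the IPTABLES variable). It adds what the raw commands lack: MAC format validation, upper-casing so a rule added as 00:0f:... can still be deleted later, and a presence check so a block is not inserted twice and an unblock removes every copy. The presence check uses -L rather than -C because the iptables 1.3.x shipped with CentOS 5 has no -C.

```shell
#!/bin/sh
# macblock.sh (added example, not from the thread): idempotent block/unblock of a
# source MAC address in the CHECK_MAC chain described in the accepted solution.
# Assumes CHECK_MAC exists and FORWARD jumps to it; IPTABLES may be overridden.

CHAIN=CHECK_MAC
IPTABLES=${IPTABLES:-/sbin/iptables}

# Accept only the colon-separated six-octet form that -m mac expects,
# e.g. 00:0F:EA:91:04:08, in either case.
valid_mac() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Normalise to upper case: iptables prints MACs in upper case, and the string
# used for -D has to match the rule that was inserted.
norm_mac() {
    printf '%s' "$1" | tr 'a-f' 'A-F'
}

# The rule body shared by block (-I), unblock (-D) and the listing check.
rule_spec() {
    printf '%s -m mac --mac-source %s -j DROP' "$CHAIN" "$1"
}

# True if a rule for this MAC is already in the chain. The -L -n listing shows
# the match as "MAC 00:0F:EA:91:04:08" on the rule's line.
is_blocked() {
    "$IPTABLES" -L "$CHAIN" -n 2>/dev/null | grep -qi "MAC $1"
}

# Insert a DROP for the MAC ahead of the chain's final RETURN (hence -I, not -A),
# unless one is already present. Returns 2 on a malformed MAC.
block_mac() {
    mac=$(norm_mac "$1")
    valid_mac "$mac" || { echo "bad MAC address: $1" >&2; return 2; }
    if is_blocked "$mac"; then
        echo "$mac already blocked"
        return 0
    fi
    "$IPTABLES" -I $(rule_spec "$mac")
}

# Remove every DROP rule for the MAC (there may be more than one if -I was run
# by hand several times). Returns 2 on a malformed MAC.
unblock_mac() {
    mac=$(norm_mac "$1")
    valid_mac "$mac" || { echo "bad MAC address: $1" >&2; return 2; }
    while is_blocked "$mac"; do
        "$IPTABLES" -D $(rule_spec "$mac") || return 1
    done
}

# Command-line entry point: "macblock.sh block 00:0F:EA:91:04:08" etc.
# With no arguments only the functions are defined (useful when sourced).
case "${1:-}" in
    block)   block_mac "$2" ;;
    unblock) unblock_mac "$2" ;;
    "")      ;;
    *)       echo "usage: $0 block|unblock MAC" >&2; exit 1 ;;
esac
```

Two things worth keeping in mind when deploying this. The -m mac match only sees the source MAC of frames arriving on the LAN NIC, so it works in FORWARD for traffic from the users but cannot identify anything coming back from the ADSL side; and a MAC address is set by the client, not the network, so this controls a cooperative user's access rather than authenticating the machine. Rules added this way also live in the running kernel only; on CentOS they survive a reboot only after "service iptables save" writes them to /etc/sysconfig/iptables.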
