Solved
Dynamically Block or Unblock a user’s MAC Address

Posted on 2010-11-27
Last Modified: 2012-05-10
Hi:

I would like to be able to dynamically (i) block a specific user's machine (MAC address) from being able to access the internet via a Gate Keeper Machine (GKM) and (ii) allow them through again. Also, while this action is being done, I would like there to be no disruption to the other users that are currently surfing (e.g. watching YouTube, sending and receiving e-mail, etc.).

My two questions are:
(i) What is the technical name or classification of this system, so that I would know in future?
(ii) Most importantly: what are the applications etc. that I would need to set up this system (GKM)?

GKM Details:
CentOS 5.5 with 1GB of RAM, two (2) NICs (one for the users (LAN switch) and the other for an ADSL router), AMD Athlon II X2 250 Regor 3.0 GHz dual-core CPU; hard drive space: 200GB

My Abilities:
New to setting up a router, squid, iptables and a GKM.
Can program in Java and Perl, but prefer Java; working knowledge of MySQL.

Note: since I am new to this area, I may need some help with the configuration of the recommended solution when I am stumped.
Question by:Hope4U
4 Comments
Accepted Solution by Blaz (LVL 16, earned 2000 total points), ID: 34222132
There might be some special name for what you intend to be doing, but filtering network traffic according to specific rules (allowing or disallowing one IP or MAC address, a service (port), etc.) is called firewalling.

On Linux systems firewalling is done with iptables (as part of the kernel), and rules can be added/deleted/viewed with the utility /sbin/iptables.

There are several pages describing iptables behaviour and you should start with them:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables - Quick HOWTO
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html - official HOWTO
http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html - MAC filtering

I'll give you some hints to speed up the learning process:
In CentOS, iptables rules (that are loaded after every reboot) are stored in /etc/sysconfig/iptables.
For what you are doing you should be looking at the FORWARD chain of the iptables filter table (this chain processes every forwarded network packet).
I suggest you create a designated chain for your needs and jump to it as the first rule in the FORWARD chain:
  iptables -N CHECK_MAC
  iptables -I FORWARD -j CHECK_MAC
  iptables -A CHECK_MAC -j RETURN

Then you can block a specific MAC address with:
iptables -A CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

And unblock with:
iptables -D CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Author Comment by Hope4U, ID: 34222191
Based on your experience:
(i) Would this method immediately block or unblock a user?
(ii) Would I have to restart a service or reboot the system?
(iii) Would it allow for the non-disruption of the other users?
Expert Comment by Blaz (LVL 16), ID: 34222359
1. Yes, this method immediately blocks a user.
2. No restart of any service is necessary. The command is effective immediately.
3. Other users will not notice any change.

Assisted Solution by Blaz (LVL 16, earned 2000 total points), ID: 34222363
I just noticed a typo in my first response:

The command to block a user should be:
iptables -I CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Notice the -A (append) versus -I (insert). The wrong one adds the rule at the end of the chain and is therefore never reached. The right one inserts the rule at the beginning of the chain.
