Dynamically Block or Unblock a user’s MAC Address


I would like to be able to dynamically (i) block a specific user's machine (MAC address) from being able to access the internet via a Gate Keeper Machine (GKM) and (ii) allow them through again. Also, while this action is being done, I would like there to be no disruption to the other users that are currently surfing (e.g. watching YouTube, sending and receiving e-mail, etc.).

My two questions are:
(i) What is the technical name or classification of this system? So that I would know in future.
(ii) Most importantly: What are the applications etc. that I would need to set up this system (GKM)?

GKM Details:
CentOS 5.5 with 1GB of RAM, two (2) x NICs (one for the users (LAN switch), the other for an ADSL router), AMD Athlon II X2 250 Regor 3.0 GHz Dual-Core CPU; hard drive space: 200GB

My Abilities:
New to setting up a router; squid; iptables; GKM.
Can program in Java and Perl, but prefer Java; working knowledge of MySQL.

Note:  Since I am new to this area, I may need some help with the configuration of the recommended solution when I am stumped.
There might be some special name for what you intend to be doing, but filtering network traffic according to specific rules (allowing or disallowing one IP or MAC address, service (port) etc.) is called firewalling.

On Linux systems firewalling is done with iptables (as part of the kernel) and rules can be added/deleted/viewed with the utility /sbin/iptables.

There are several pages describing iptables behaviour and you should start with them:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables - Quick HOWTO
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html - official HOWTO
http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html - MAC filtering

I give you some hints to speed up the learning process:
In CentOS the iptables rules (that are loaded after every reboot) are stored in /etc/sysconfig/iptables.
For what you are doing you should be looking at the FORWARD chain of the filter iptables table (this chain processes every forwarded network packet).
I suggest you create a designated chain for your needs and jump to it as the first rule in the FORWARD chain:
  iptables -N CHECK_MAC
  iptables -I FORWARD -j CHECK_MAC
  iptables -A CHECK_MAC -j RETURN

Then you can block specific MAC address with:
iptables -A CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

And unblock with:
iptables -D CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
Hope4U (Author) commented:
Based on your experience:
(i) Would this method immediately block or unblock a user?
(ii) Would I have to restart a service or reboot the system?
(iii) Would it allow for the non disruption of the other users?
1. Yes, this method immediately blocks a user.
2. No restart of any service is necessary. The command is effective immediately.
3. Other users will not notice any change.

I just noticed a typo in my first response:

The command to block a user should be:
iptables -I CHECK_MAC -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Notice the -A (append) versus -I (insert). The wrong one adds the rule at the end of the chain and is therefore never reached. The right one inserts the rule at the beginning of the chain.
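To make the recipe above scriptable (for instance, invoked from a Java or Perl program through a shell command), here is an added example that wraps the CHECK_MAC chain setup and the corrected block/unblock commands in POSIX shell functions. This is my own code, not from the thread. The chain name CHECK_MAC and the rule arguments are exactly those given in the answers; the IPTABLES environment variable, the dry_run helper and all function names are my assumptions. Setting IPTABLES=dry_run prints the rules instead of applying them, which lets you check the generated commands without root.

```shell
#!/bin/sh
# Added example (not from the original thread): block/unblock a MAC address
# in a dedicated CHECK_MAC chain, as described in the answers above.
# Assumptions: chain name CHECK_MAC, IPTABLES env var (set to dry_run to
# print instead of apply), and all function names are mine.

CHAIN="CHECK_MAC"

# Dry-run backend: prints the iptables arguments one invocation per line.
dry_run() { printf '%s\n' "$*"; }

# Run the real iptables binary, or whatever IPTABLES names (e.g. dry_run).
ipt() { "${IPTABLES:-iptables}" "$@"; }

# Accept only the canonical aa:bb:cc:dd:ee:ff form before handing anything
# to iptables: exactly six colon-separated hex octets, either case.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *)                 return 1 ;;
    esac
}

# One-time setup from the first answer: a dedicated chain, jumped to as the
# first rule of FORWARD, ending in RETURN so unmatched traffic continues
# through the rest of FORWARD untouched (other users see no change).
setup_chain() {
    ipt -N "$CHAIN" &&
    ipt -I FORWARD -j "$CHAIN" &&
    ipt -A "$CHAIN" -j RETURN
}

# Block: -I (insert) puts the DROP ahead of the trailing RETURN, which is
# the -A/-I correction made in the thread. Effective on the next packet; no
# service restart needed.
block_mac() {
    valid_mac "$1" || { echo "block_mac: invalid MAC '$1'" >&2; return 2; }
    ipt -I "$CHAIN" -m mac --mac-source "$1" -j DROP
}

# Unblock: -D removes one rule whose specification matches exactly, so the
# arguments must be identical to those used when blocking.
unblock_mac() {
    valid_mac "$1" || { echo "unblock_mac: invalid MAC '$1'" >&2; return 2; }
    ipt -D "$CHAIN" -m mac --mac-source "$1" -j DROP
}

# Command-line use: ./macblock.sh setup | block <mac> | unblock <mac>
case "${1:-}" in
    setup)   setup_chain ;;
    block)   block_mac "$2" ;;
    unblock) unblock_mac "$2" ;;
esac
```

Two practical points when relying on this. First, -D deletes one matching rule, and older iptables releases (such as the one shipped with CentOS 5) have no -C to test whether a rule already exists, so if your program may call block twice for the same MAC it must either track state itself or call unblock until -D fails. Second, the mac match only sees the source MAC of frames that reach the GKM directly from the user's machine on the LAN side; it cannot identify hosts behind another router, and a MAC address is trivially changed by the user, so treat this as an access control for cooperative users rather than a security boundary.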