Ask JaredQuinn
MAC Address Filtering with iptables
When I was visiting recently, I needed to have my MAC address added to your firewall configuration to be allowed to access your network. How did you do this?
The simple answer to this question is that I actually use Shorewall running on my Debian-based router. It has a maclist configuration file with a layout that looks like:
eth0 00:50:22:E7:3A:B2 192.168.1.2 # usajii
eth0 00:0F:EA:B3:A9:64 192.168.1.101 # tachan
eth0 00:06:5B:E5:6F:BD 192.168.1.102 # binky
Of course, I also only hand out DHCP addresses to registered MACs, and ensure that the address corresponds to the host it is assigned to. I haven’t automated the update of both the Shorewall and DHCP configuration files yet. That’s something that’s on that extremely long to-do list of mine!
So, DHCP configuration for these hosts (just for interest) looks like:
host usajii {
    hardware ethernet 00:50:22:E7:3A:B2;
    fixed-address usajii.home;
    server-name "usajii.home";
}
host binky {
    hardware ethernet 00:06:5B:E5:6F:BD;
    fixed-address binky.home;
    server-name "binky.home";
}
You don’t want to run Shorewall? That’s fine. It’s still possible, of course. I am just particularly fond of the way that Shorewall works. I like its flexibility and general approach to doing things, so I use it. If you prefer raw iptables or something else, good, go for it. Here’s how to do it with pure iptables (the macfilter chain has to be created with -N before anything can be appended to it):
# iptables -N macfilter
# iptables -A INPUT -i eth0 -m state --state NEW -j macfilter
# iptables -A macfilter -s 192.168.1.101 -m mac --mac-source 00:0F:EA:B3:A9:64 -j RETURN
# iptables -A macfilter -s 192.168.1.102 -m mac --mac-source 00:06:5B:E5:6F:BD -j RETURN
# iptables -A macfilter -j REJECT
You would have to change the INPUT rule to insert it at a relevant spot in your INPUT chain; you probably don’t want it below a rule that rejects everything first! (Check the iptables manpage for how to insert a rule at a given position.) You can leave out the -m state --state NEW options if you want to check every packet, but I feel safe enough only checking the first packet of every connection the host makes; you don’t really need to check every packet of an 800Mb Samba transfer, for instance!
The rules ending in -j RETURN instruct iptables to return to the calling chain (the chain which used -j to jump to the macfilter chain), so packets from a registered host go on to be processed by the rules that follow in INPUT.
If a packet falls through all the rules granting a RETURN, it hits the REJECT rule, which rejects every packet that gets to that point. You could be mean and DROP them instead, or you may wish to insert some logging before it:
# iptables -A macfilter -j LOG --log-prefix "MAC Filter:" --log-level 7
You will want that before the REJECT rule, otherwise the packet is rejected before it reaches the LOG rule and never gets logged.
If you don’t want to restrict particular MAC addresses to particular IPs, you don’t have to. You can leave the IP section out of both styles: the Shorewall config is happy without it and so is the raw iptables way, e.g.:
# iptables -A macfilter -m mac --mac-source 00:06:5B:E5:6F:BD -j RETURN
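Since keeping the Shorewall maclist and the DHCP host blocks in step by hand is still on the to-do list, here is an added example (not from the original post, and not Shorewall's or dhcpd's own tooling) that reads a maclist-format list and prints both the iptables macfilter rules shown above and the matching dhcpd host blocks from it. The helper names gen_macfilter_rules and gen_dhcp_hosts, the sample entries and the .home domain are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): derive the iptables "macfilter"
# chain and the matching dhcpd host blocks from one Shorewall-style maclist,
# so the two files described above cannot drift apart. Hypothetical helpers.

# Constructed sample allowlist in the maclist layout: iface MAC [IP] # name
MACLIST='eth0 00:50:22:E7:3A:B2 192.168.1.2 # usajii
eth0 00:0F:EA:B3:A9:64 192.168.1.101 # tachan
eth0 00:06:5B:E5:6F:BD # binky'
hx='[0-9A-Fa-f][0-9A-Fa-f]'   # one hex octet, for MAC validation

# gen_macfilter_rules IFACE: read the maclist on stdin, print the iptables
# commands. Only prints; review the output, then pipe it to sh.
gen_macfilter_rules() {
    echo "iptables -N macfilter"
    echo "iptables -A INPUT -i $1 -m state --state NEW -j macfilter"
    while read -r iface mac ip _rest; do
        case "$iface" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$iface" = "$1" ] || continue               # entry for another interface
        case "$mac" in                                # refuse malformed MACs
            $hx:$hx:$hx:$hx:$hx:$hx) ;;
            *) echo "bad MAC '$mac' in maclist" >&2; return 1 ;;
        esac
        case "$ip" in   # third column is an IP pin unless it starts the comment
            ''|'#') echo "iptables -A macfilter -m mac --mac-source $mac -j RETURN" ;;
            *)      echo "iptables -A macfilter -s $ip -m mac --mac-source $mac -j RETURN" ;;
        esac
    done
    # Anything not returned to the caller above is logged, then rejected.
    echo "iptables -A macfilter -j LOG --log-prefix \"MAC Filter:\" --log-level 7"
    echo "iptables -A macfilter -j REJECT"
}

# gen_dhcp_hosts DOMAIN: print one dhcpd host block per named maclist entry,
# in the layout shown above (fixed-address by host name, as in the post).
gen_dhcp_hosts() {
    while read -r iface mac rest; do
        case "$iface" in ''|'#'*) continue ;; esac
        case "$rest" in *'#'*) ;; *) continue ;; esac   # unnamed entry, skip
        name=${rest##*#}; name=${name# }; name=${name%% *}
        [ -n "$name" ] || continue
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s.%s;\n  server-name "%s.%s";\n}\n' \
            "$name" "$mac" "$name" "$1" "$name" "$1"
    done
}

RULES=$(printf '%s\n' "$MACLIST" | gen_macfilter_rules eth0)
HOSTS=$(printf '%s\n' "$MACLIST" | gen_dhcp_hosts home)
printf '%s\n\n%s\n' "$RULES" "$HOSTS"
```

Because the LOG rule sits before REJECT, the "MAC Filter:" prefix in the kernel log is where an unregistered device plugging into the network shows up first.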
Hope this helps you secure your network a little further.
The reason I originally set up MAC filtering on my network was for my wireless subnet, which isn’t up and running at the moment, but I expanded the idea to the whole network when I started sharehousing and wasn’t sure I could trust just anyone plugging into the network.