iptables block mac

Is it possible to block ALL MAC addresses and then have a list of approved MACs? Yes? How?

Reply to
MDK

Many layer 2 switches are capable of this. Not quite sure what you want to achieve, though. It is trivially simple to change the MAC address of a NIC.

How, read your switch documentation!

Bogwitch.

Reply to
Bogwitch

Only people with approved MACs can go through the router and use the net. All other MACs should be blocked.

Why? Because people give us their MAC and we open it up. Simple as that. (Shared college network.)

Reply to
MDK

Wireshark. Grab a MAC address. Set _MY_ MAC address to the grabbed MAC address, and I can get out on the router. Simple as that.

Bogwitch.

Reply to
Bogwitch

This isn't the ONLY setting preventing people from getting out through the router, it is ONE of them.

You give lots of suggestions on how to break it; what about some suggestions on how to set it up?

Reply to
MDK

Possible? Certainly. See

formatting link
[TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
[TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
[TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K

Those documents (and there are four more covering other aspects) are older than the timestamp implies, but highly useful.

Agreed

Sure hope you people have _written_ and _published_ the rules, and that everyone knows them. You should also have approval from on high to throw out any person who violates those rules.

Not quite - two (or more) systems with the same MAC address trying to shuffle packets at the same time can get very funny. Managed switches can make it slightly more difficult, though hardly impossible.

Nonetheless, it's virtually useless as an access control.

Encrypted proxies. Disconnect "unused" network access points so that non-registered users don't even have physical access. Monitor your mail server, and see that user $FOO only collects mail from a "registered" box. Also block ALL access from internal hosts through the router to the world so that they _must_ use the proxies. If you don't know how to set them up, you may want to hire someone who does.

Old guy

Reply to
Moe Trin

Possible? Yes. It's also utterly pointless and not worth the trouble of setting up and maintaining it.

iptables -m mac --help

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
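Putting the thread's two practical pointers together (Moe Trin's "block ALL access from internal hosts through the router" default, and Ansgar's `iptables -m mac`), here is an added example that is not from any poster in this thread: a POSIX shell script that turns a file of approved MACs into iptables FORWARD rules with a default DROP. The LAN interface name eth1, the allow-list file format (one MAC per line, `#` comments allowed) and the sample MACs are assumptions. It prints the rules instead of applying them so they can be reviewed first; pipe the output into `sh` as root to apply. Two caveats a practitioner should keep in mind: `-m mac` only matches in the PREROUTING, INPUT and FORWARD chains, where the incoming frame's source MAC is known, and, as Bogwitch says above, anyone who copies an approved MAC is accepted just the same.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables MAC allow-list for
# the FORWARD chain. Everything below is an assumption for illustration.
LAN_IF="${LAN_IF:-eth1}"   # assumed inside interface of the router

# is_mac MAC: succeed if MAC looks like aa:bb:cc:dd:ee:ff (case-insensitive)
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_mac_whitelist_rules FILE: print iptables commands to stdout.
# Lines in FILE that are blank, comments, or not a valid MAC are skipped
# (invalid ones are reported on stderr) so a typo cannot open the router.
gen_mac_whitelist_rules() {
    allowfile="$1"
    # Default-deny: nothing is forwarded unless a later rule accepts it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to already-accepted flows come back from the WAN side, where the
    # source MAC is the upstream router, so they must be allowed by state.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]')
        [ -z "$mac" ] && continue
        if ! is_mac "$mac"; then
            echo "# skipped invalid MAC: $mac" >&2
            continue
        fi
        # -m mac matches the source MAC of the frame as it arrived on LAN_IF.
        # Anyone who clones this MAC gets the same access; see thread above.
        echo "iptables -A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done < "$allowfile"
    # Log what falls through to the DROP policy so unregistered hosts show up.
    echo "iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix 'FWD-DROP: '"
}

# Stand-alone usage: sh mac-allow.sh approved-macs.txt | sudo sh
if [ $# -gt 0 ]; then
    gen_mac_whitelist_rules "$1"
fi
```

The script deliberately does not touch INPUT, so management access to the router itself is unaffected; if the router also serves DNS or DHCP to the LAN, those need their own INPUT rules.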

Well, how would you block out people then? Most if not all the users here are NOT IT geeks and will never be; they can hardly set their email servers correctly.

Reply to
MDK

Old Guy covered it fairly well. Good network and change management to ensure unused network ports are not used. You can do this with MAC filtering on a switch, but that does not make it good policy to control access on a router. A good logging encrypted proxy. Obviously, you have to tell your users you are logging. Any administrative servers should be completely inaccessible from the rest of the network. Clear acceptable use policy. Users MUST be made aware of what they can and can't do on your network. You must make users responsible for their actions; if not, the network OWNER may be held accountable. It would depend on the laws in your country.

Don't think for one second that because not many of your users are technically proficient that you will have no problems. You only need one technically proficient user to tell the rest of them or one inquisitive user to do the research. It sounds as though your userbase may be well versed in research.

Bogwitch.

Reply to
Bogwitch

Mainly by policy, but we also disable unused ports on our switches.

Web Results 1 - 10 of about 246 for script-kiddy-HOWTO. (0.53 seconds)

script kiddy howto /* This , Like the world is only what you perceive it to be */ Q:"How Do I Become A Hacker?" A: learn to code , install SunOS , get a SPARC , devote the ... packetstormsecurity.org/unix-humor/script-kiddy-HOWTO - 8k - Cached -

Right.

An AUP is the _FIRST_ step, and MUST BE THERE. Please remember that the Berkeley 'r' commands (rsh, rlogin, rcp, etc.) were developed at a university and have (effectively) _NO_ security, in an era when the network was sniffable by anyone, anywhere on the 500 meter long cable. The reason it wasn't a problem then is that packet sniffers were less common, and the students knew that if they were caught mucking about, they lost their computer privileges.

One must remember that the average skript kiddie has trouble typing commands without making (funny to watchers) mistakes, even using something as intuitive as the pico editor. But they are following scripts written by people who know better, and the results do not match the skill of the klown running the script.

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.