How to use IPTables – Ports and MAC filtering (Part 3)

In the last post I walked you through a script to create a stateful packet inspection firewall that allowed outgoing traffic to the internet but blocked incoming traffic. In this part I'm going to explain how to open up specific ports (or holes) so that certain types of traffic can get through successfully.

 

As with the earlier articles, there are a few basic things a rule can match on. These four are as follows:

 

– IP addresses: a single address (94.76.240.128), a subnet (94.76.240.128/26), or an arbitrary range (94.76.240.128-94.76.240.150, which needs the iprange match module because -s alone only takes an address or address/mask)

– Interface: eth1, ppp0, wlan0 (the names of the network interfaces on your computer, physical or virtual)

– Ports: a single port (http, 80) or a range of ports (written with a colon, e.g. 6000:6010)

– Protocols: icmp, tcp, udp, all

 

(for a detailed description, see my first article)


In the previous article I used the loopback interface (lo, address 127.0.0.1) for many examples (iptables -A INPUT -i lo -j ACCEPT). To expand on that idea I will use two interfaces. Imagine your computer has two: eth1 connects to the local network and ppp0 to the ISP for internet access.

 

We could set the rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

You would not want a rule like that for the ISP interface (ppp0). It would let all internet traffic in, effectively making the firewall pointless.

 

In the real world, opening an interface fully may not be strict enough. You will likely want finer control over which users can get in while denying everyone else. For example, say the local LAN uses the private network 192.168.1.x and there is someone in the IT department, with the IP address 192.168.1.10, whom you want to allow through. You would append the rule: iptables -A INPUT -s 192.168.1.10 -j ACCEPT . Note that this rule matches the source address on any interface; in practice add -i eth1 as well, otherwise a packet arriving on ppp0 with a forged source of 192.168.1.10 would also be accepted.

 

To explain this rule: as previously mentioned, -A means append to the INPUT chain. The -s flag means source (the IP address to allow through). -j ACCEPT means jump to the ACCEPT target, i.e. let the packet in.

 

Next, while you could type a line for each individual IP address you want to allow, if you have a lot of computers on the network that quickly becomes tedious. A much quicker method is to give an address range instead. You can do that with a subnet mask or with slash (CIDR) notation. For a working example, say we wanted to allow the whole 192.168.1.0 network, which covers hosts 192.168.1.1 to 192.168.1.254 (the mask also takes in .0 and .255, the network and broadcast addresses):

 

Network mask: iptables -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT

Slash notation: iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
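To show how the interface, single-host, range and subnet matches fit together, here is an added example of a complete INPUT rule set for the two-interface host described above. It is not code from the original article; the interface names (eth1, ppp0), the admin address 192.168.1.10 and the workstation range 192.168.1.20-192.168.1.40 are assumptions for illustration. It prints the iptables commands by default and only installs them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original article: an INPUT rule set for
# a host with eth1 on the LAN and ppp0 to the ISP. Dry-run by default (it
# prints the iptables commands); run as root with APPLY=1 to install them.
# The interface names and addresses below are assumptions for illustration.

LAN_IF=eth1               # assumed LAN interface
WAN_IF=ppp0               # assumed ISP interface
LAN_NET=192.168.1.0/24    # the LAN from the article
ADMIN_IP=192.168.1.10     # the IT department host from the article
RANGE_START=192.168.1.20  # assumed block of workstations
RANGE_END=192.168.1.40

# ipt prints a rule in dry-run mode and executes it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# lan_rules emits the whole INPUT chain in order. Every LAN rule carries
# -i "$LAN_IF", so a packet that arrives on ppp0 claiming to come from
# 192.168.1.10 never matches an ACCEPT and falls through to the DROP policy.
lan_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log LAN addresses that show up on the ISP link; the policy drops them.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j LOG --log-prefix "SPOOF:"
    # Single host: full access for the admin workstation.
    ipt -A INPUT -i "$LAN_IF" -s "$ADMIN_IP" -j ACCEPT
    # A range that is not a whole subnet needs the iprange match; -s alone
    # only accepts one address or address/mask.
    ipt -A INPUT -i "$LAN_IF" -m iprange --src-range "$RANGE_START-$RANGE_END" -p tcp --dport 22 -j ACCEPT
    # Whole subnet (both spellings mean the same network): web and ping only.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s 192.168.1.0/255.255.255.0 -p icmp --icmp-type echo-request -j ACCEPT
}

lan_rules
```

Run it once without APPLY to read the commands it would issue, then with APPLY=1 as root. The LOG rule is not strictly needed for security (the DROP policy already catches those packets) but it makes spoofing attempts visible in the kernel log.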

 

Apart from using specific IP addresses, another method is to filter by MAC (media access control) address. Every network interface ships with its own address burned into the card, assigned so that no two cards should share one (though, as noted below, the operating system can override it). To filter on MAC address you load the mac match module. If you have read the earlier articles in order, you might recall that we used the state module to accept packets belonging to ESTABLISHED and RELATED connections. MAC filtering works much the same way. One caveat: the source MAC in a frame is that of the last device to forward it, so the match is only meaningful for hosts on the same network segment (for example on eth1), never for traffic that arrives routed over the ISP link, and it is only available in the PREROUTING, FORWARD and INPUT chains.

 

Example of a MAC filter rule: iptables -A INPUT -s 192.168.1.10 -m mac --mac-source 00:50:56:c0:00:08 -j ACCEPT

 

Flag breakdown: -m mac loads the mac match module. --mac-source (note the double dash) specifies the MAC address the packet must have come from, which in this example is the interface that has the IP address 192.168.1.10. As with the plain IP rule, add -i eth1 so it only matches on the LAN interface.

How to find the MAC address of an interface varies with the OS, but in general you open a command line and type: Windows (ipconfig /all, which prints it with dashes, e.g. 00-50-56-C0-00-08), Linux (ip link, or ifconfig on older systems), OS X (ifconfig); for wireless interfaces on Linux you may also use iwconfig. To find the MAC of another machine on the LAN, look it up in your neighbour (ARP) table after talking to it, e.g. ip neigh show 192.168.1.10 or arp -a.

 

You might be wondering what MAC filtering adds over filtering by IP address. Requiring both means someone cannot get in simply by giving their machine the address 192.168.1.10; they would also need to present the matching MAC. I will say that there are ways for attackers to spoof MAC addresses as well (on Linux a single ip link set command changes it), so treat it as a second hurdle rather than proof of identity. That topic is beyond the scope of this article.
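The following is an added example, not code from the original article, that builds the combined interface + IP + MAC rule just discussed. It also shows how to pull a host's MAC out of the Linux neighbour table and how to normalise the different spellings that ipconfig and ifconfig print. The interface name eth1, the addresses and the sample ip neigh line are assumptions; the script prints the iptables command by default and only installs it when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original article: builds the combined
# interface + IP + MAC rule and looks up a LAN host's MAC. Dry-run by default
# (prints the iptables command); APPLY=1 as root installs it. The interface
# name, addresses and the sample "ip neigh" line are assumptions.

LAN_IF=eth1   # assumed LAN interface; the mac match is only meaningful on a
              # directly attached segment, never on the routed ppp0 link

# ipt prints a rule in dry-run mode and executes it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# normalize_mac accepts the spellings different tools print (Windows
# ipconfig uses dashes and upper case) and returns the colon-separated
# lower-case form iptables expects, or fails on anything malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | sed 's/-/:/g')
    if printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf '%s\n' "$mac"
    else
        echo "invalid MAC address: $1" >&2
        return 1
    fi
}

# mac_from_neigh extracts the lladdr field from one line of "ip neigh show"
# output, e.g. "192.168.1.10 dev eth1 lladdr 00:50:56:c0:00:08 REACHABLE".
mac_from_neigh() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# lookup_mac queries the live neighbour table for an address on the LAN.
# The host must have talked to us recently (ping it first) to be listed.
lookup_mac() {
    mac_from_neigh "$(ip neigh show "$1" dev "$LAN_IF")"
}

# mac_rule emits an ACCEPT that requires all three: the LAN interface, the
# source IP and the source MAC. Changing only the IP is no longer enough.
mac_rule() {
    ip=$1
    mac=$(normalize_mac "$2") || return 1
    ipt -A INPUT -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Constructed sample input: the admin host from the article as the neighbour
# table would list it. On a real LAN use:
#   mac_rule 192.168.1.10 "$(lookup_mac 192.168.1.10)"
sample_neigh='192.168.1.10 dev eth1 lladdr 00:50:56:C0:00:08 REACHABLE'
mac_rule 192.168.1.10 "$(mac_from_neigh "$sample_neigh")"
```

Because normalize_mac rejects anything that is not six hex pairs, a typo or an empty lookup (the host not yet in the neighbour table) fails loudly instead of silently installing a rule that never matches.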

 

I will end the discussion here and cover the remaining content in the next and last article on the basics of iptables. I would encourage you to experiment with these concepts on your local home network, and to do further research on anything you are unfamiliar with. For practice you can clear out all existing rules (iptables -F) and then type everything in by hand, which is very useful for memorising the various flags and options. If you have been reading in order, you can also add these new lines to the bash script and experiment that way.

 

Until next time, I hope you have found this article interesting.
