This is a discussion on "MAC address match based access to a server running Slack 10.1 ?" within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hi

I am using iptables for my firewall on this server which is meant to act as a samba file server for a bunch of windows xp machines (any good references for that, I have seen the uky.edu link ?), and a mailserver.

I wish to limit ssh and samba access to this machine based on the MAC address of machines. The problem is that all these machines get their IP address via DHCP from some other server, so I cannot use their current IP addresses to write the rule.

Is the above possible ? If so, how ?

Thanks.
On Tue, 01 Mar 2005 18:56:48 -0500, Madhusudan Singh staggered into the Black Sun and said:

> I am using iptables for my firewall on this server which is meant to
> act as a samba file server for a bunch of windows xp machines. I wish
> to limit ssh and samba access to this machine based on the MAC address
> of machines. The problem is that all these machines get their IP
> address via DHCP from some other server, so I cannot use their current
> IP addresses to write the rule.
>
> Is the above possible ? If so, how ?

"man iptables" suggests:

    --mac-source [!] address
        Match source MAC address. It must be of the form
        XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
        coming from an Ethernet device and entering the PREROUTING,
        FORWARD or INPUT chains

....combine a bunch of those with the destination-ports you wish to allow and -j ACCEPT, you're in business. Hope the MACs don't change.

HTH,
--
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
Brainbench MVP for Linux Admin / mail: TRAP + SPAN don't belong
http://www.brainbench.com / Hire me!
-----------------------------/ http://crow202.dyndns.org/~mhgraham/resume
Madhusudan Singh wrote:

> Hi
>
> I wish to limit ssh and samba access to this machine based on the MAC
> address of machines. The problem is that all these machines get their IP
> address via DHCP from some other server, so I cannot use their current IP
> addresses to write the rule.

if you use dnsmasq as dhcp/dns server, you can bind MAC addresses to ip-numbers. so, the machines that must be able to use certain ports, can always be given the same ip.

just take a look at /etc/dnsmasq.conf. it has many examples.

cashmir
cashmir wrote:

> Madhusudan Singh wrote:
>> Hi
>>
>> I wish to limit ssh and samba access to this machine based on the MAC
>> address of machines. The problem is that all these machines get their IP
>> address via DHCP from some other server, so I cannot use their current IP
>> addresses to write the rule.
>
> if you use dnsmasq as dhcp/dns server, you can bind MAC addresses to
> ip-numbers.
> so, the machines that must be able to use certain ports, can always be
> given the same ip.
>
> just take a look at /etc/dnsmasq.conf.
> it has many examples.
>
> cashmir

Sorry if I did not make it amply clear in my initial post. I have no control over the DHCP server.
http://www.samba.org is a good reference for SAMBA

To filter based on MAC address, use the --mac-source option to iptables. It should be pointed out that the MAC address is spoofable (it can be set by the user), so user-based authentication is a better idea.

Madhusudan Singh wrote:

> Hi
>
> I am using iptables for my firewall on this server which is meant to act
> as a samba file server for a bunch of windows xp machines (any good
> references for that, I have seen the uky.edu link ?), and a
> mailserver.
>
> I wish to limit ssh and samba access to this machine based on the MAC
> address of machines. The problem is that all these machines get their IP
> address via DHCP from some other server, so I cannot use their current IP
> addresses to write the rule.
>
> Is the above possible ? If so, how ?
>
> Thanks.

--
Remove '.nospam' from e-mail address to reply by e-mail
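The two replies above (Matt G's and the last one) both point at the `--mac-source` match. The script below is an added example, not code posted by anyone in the thread: it builds an INPUT ruleset that accepts ssh and the SMB/NetBIOS ports only from an allow-list of MAC addresses and drops those ports for everyone else, validating each MAC against the `XX:XX:XX:XX:XX:XX` form the man page quotes. The interface name `eth0`, the two MAC addresses and the port list are constructed placeholders. It prints the rules by default and only executes them when `APPLY=1` is set, so the generated list can be reviewed first.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own code.
# Generates iptables rules restricting ssh and samba to known source MACs.

IFACE="${IFACE:-eth0}"                                 # assumption: LAN-facing interface
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"     # constructed sample allow-list

# Ports the original poster wants restricted: ssh plus the SMB/NetBIOS set.
TCP_PORTS="22 139 445"
UDP_PORTS="137 138"

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex pairs, else 1.
# --mac-source rejects anything else, so we catch typos before touching the firewall.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# rules_for_mac MAC -> one ACCEPT rule per restricted port for that source MAC.
# -m mac --mac-source only sees the frame's source MAC, so this matches hosts on
# the same Ethernet segment; frames forwarded through a router carry the router's MAC.
rules_for_mac() {
    mac=$1
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m mac --mac-source $mac -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p udp --dport $p -m mac --mac-source $mac -j ACCEPT"
    done
}

# drop_rules -> the catch-all DROP for the same ports; without it the allow-list
# above would be meaningless, since INPUT would still fall through to its policy.
drop_rules() {
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -j DROP"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p udp --dport $p -j DROP"
    done
}

# build_ruleset -> full rule list on stdout (ACCEPTs first, then DROPs, because
# iptables evaluates a chain top to bottom). Fails on the first malformed MAC.
build_ruleset() {
    for mac in $ALLOWED_MACS; do
        valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
        rules_for_mac "$mac"
    done
    drop_rules
}

# Dry run by default; APPLY=1 feeds the generated commands to a shell (run as root).
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | sh -e
else
    build_ruleset
fi
```

Since a MAC address is set by the sending host, as the last reply notes, this ruleset narrows exposure but is not authentication; it belongs in front of the sshd and samba user authentication, not in place of it.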