How to block specific IPs?

 
 
kernel.lover

 
      04-01-2005, 11:35 AM
Hello,
I want to block specific IPs or allow specific IPs at
Ethernet level. How can I do that? I don't want those blocked IP
packets to reach IP layer instead reject them by NIC or any program
after processing Ethernet layer?
If that's not possible then is there any way to allow packets
with only specific HW address of NICs?

regards,
cranium.
 
 
 
 
 
James Knott

 
      04-01-2005, 11:58 AM
kernel.lover wrote:

> Hello,
> I want to block specific IPs or allow specific IPs at
> Ethernet level. How can I do that? I don't want those blocked IP
> packets to reach IP layer instead reject them by NIC or any program
> after processing Ethernet layer?
> If that's not possible then is there any way to allow packets
> with only specific HW address of NICs?


How are you planning to determine the IP, if you don't let it reach the IP
layer?

Perhaps you'd better describe what it is you're trying to do.

 
 
Mihai Osian

 
      04-01-2005, 12:14 PM
kernel.lover wrote:

> Hello,
> I want to block specific IPs or allow specific IPs at
> Ethernet level. How can I do that? I don't want those blocked IP
> packets to reach IP layer instead reject them by NIC or any program
> after processing Ethernet layer?
> If that's not possible then is there any way to allow packets
> with only specific HW address of NICs?
>
> regards,
> cranium.

Iptables can reject packets based on the HW (MAC) address. Read the
firewall tutorials from http://www.netfilter.org. But remember that most
ethernet cards allow you to change their MAC address from software (in
Linux: man ifconfig), which means that a user with some IT knowledge can
pass through your firewall if he hijacks the MAC address of a computer
which has access.

Mihai
 
 
David Serrano (Hue-Bond)

 
      04-03-2005, 12:39 AM
kernel.lover, vie20050401@13:35:27(CEST):
>
> I want to block specific IPs or allow specific IPs at Ethernet level.


Ethernet knows nothing about IP addresses.


> is there any way to allow packets with only specific HW address of NICs?


Yes, there is. But beware that, as someone said, MAC addresses can be spoofed.


--
David Serrano
 
 
Marcin Szczepaniak

 
      04-08-2005, 08:53 AM
At 1 Apr 2005 03:35:27 -0800 kernel.lover wrote:
> Hello,
> I want to block specific IPs or allow specific IPs at
> Ethernet level. How can I do that? I don't want those blocked IP
> packets to reach IP layer instead reject them by NIC or any program
> after processing Ethernet layer?
> If that's not possible then is there any way to allow packets
> with only specific HW address of NICs?


Maybe ebtables will be good?


--
Regards,
Marcin Szczepaniak

"Don't be afraid to take a big step.
You can't cross a chasm in two small jumps."
-- David Lloyd George

 
 
Raqueeb Hassan

 
      04-09-2005, 02:30 AM
# to block a MAC address
/sbin/iptables -A macblock -m mac --mac-source 00:XX:XX:XX:XX:XX -j DROP

or ... something like this ....

#!/bin/sh

# create the chain that holds one ACCEPT rule per allowed MAC
/sbin/iptables -N mac_chains

for foo in `cat /etc/macs.allowed`
do
    /sbin/iptables -A mac_chains -j ACCEPT -m mac --mac-source "$foo"
done

# send incoming and forwarded TCP traffic through the chain
/sbin/iptables -A INPUT -p tcp -j mac_chains
/sbin/iptables -A FORWARD -p tcp -j mac_chains

and add those addresses in /etc/macs.allowed.

Raqueeb Hassan
Bangladesh
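
Added example, not part of the post above: a variant of the allowlist script that validates each entry of the list file and closes the chain with a DROP rule, printing the commands instead of running them. The function name gen_mac_rules, the comment syntax in the list file and the sample MAC addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. gen_mac_rules and the file
# format (one MAC per line, '#' comments) are assumptions of this sketch.
# It prints the iptables commands instead of running them, so it needs no
# root and the rule set can be reviewed before use.

gen_mac_rules() {
    list=$1
    chain=${2:-mac_chains}
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }

    echo "iptables -N $chain"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace; skip empty lines.
        mac=$(printf '%s\n' "$line" |
              sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$mac" ] || continue
        # Only six colon-separated hex octets are passed on; anything
        # else is reported on stderr and skipped.
        if printf '%s\n' "$mac" |
           grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "iptables -A $chain -m mac --mac-source $mac -j ACCEPT"
        else
            echo "skipping invalid entry: $mac" >&2
            bad=1
        fi
    done < "$list"

    # Without this rule, frames from unlisted MACs fall off the end of
    # the chain, return to INPUT/FORWARD and meet the default policy.
    echo "iptables -A $chain -j DROP"
    # The mac match works only where the source MAC is still known
    # (PREROUTING, INPUT, FORWARD); as in the post, only TCP is covered.
    echo "iptables -A INPUT -p tcp -j $chain"
    echo "iptables -A FORWARD -p tcp -j $chain"
    return "$bad"
}

# Constructed sample list: two valid entries, one truncated address.
sample=$(mktemp)
printf '%s\n' '# allowed hosts' '02:00:00:00:00:01' \
    '02:00:00:00:00:0A  # laptop' '02:00:00:00:00' > "$sample"
gen_mac_rules "$sample" || echo "review the skipped entries above" >&2
rm -f "$sample"
```

The function returns 1 when any entry was skipped, so a wrapper can refuse to load a rule set built from a damaged list.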

 