LAN MAC filtering - Possible with ebtables ???

Discussion in 'Networking Issues' started by 4EverGreen, Jan 19, 2006.

  1. 4EverGreen

    4EverGreen Network Guru Member


    I first posted this on the DD-WRT forum, but now I realize that this forum is more apropriate.

    In short :
    "In the Web GUI we can setup a list of authorized MACs that can access the Wireless network, but we can't do the same for the wired network ...
    In the Access Restrictions tab we can deny access to the WAN to a pre-defined set of MACs ... but we have to know them first .... "

    So, it would be really nice if we could block access to WAN to ALL MACs except for those specified (in a list ?)

    Following Mr_X tip in that post, it seems that eptables would do the trick ... :D

    The problem is that I'm not up to the task of dealing with iptables/ebtables commands. :(

    Like I told in that post :
    "I believe that we can easily create 'strange' routing behaviors when we start to play around with iptables/ebtables commands without knowing much about it ...

    On the other hand, I have the feeling that the solution can be acomplished with a few ebtables commands, and that it would be a piece of cake for some of this forums experts ... "

    Bottom line :
    Can someone help in creating a set of ebtables commands to achieve this ? Pleeeeeaaaaase ??? :)

    I bet that if this would be possible, many people around here would be interested ... :thumb:
  2. 4EverGreen

    4EverGreen Network Guru Member

    I've been 'googling' around, and came up with the following :

    ebtables -A FORWARD -p IPv4 --ip-src -s ! xx:xx:xx:xx:xx:xx -j DROP
    ebtables -A FORWARD -p IPv4 --ip-src -s ! xx:xx:xx:xx:xx:xx -j DROP
    ebtables -A FORWARD -p IPv4 --ip-src -s ! xx:xx:xx:xx:xx:xx -j DROP
    .... etc

    Having in mind that in my network :
    - I know all my users MACs (wireless & wired);
    - DHCP is disabled. I assign static IP to all clients.
    - My goal is not a high level security setup ... I just want to block average users to connect to WAN without my knowledge or authorization.

    I think that with this simple ebtable command :
    - I can make sure that each static assigned IP belongs to its legitim MAC ;
    - Any other MAC address traffic will be ignored.

    Can anyone who knows ebtables commands confirm if this is valid ?
    An also how should this commands be entered in DD-WRT v23 final ?
    Should I paste the command one at a time and 'Save Firewall' ?
    Or should I paste all the commands in sequence and only then 'Save Firewall' ?

    Thanks !
  3. 4EverGreen

    4EverGreen Network Guru Member

    I gave it a better thought and I'm wondering if :
    ebtables -A FORWARD -p IPv4 --ip-src -s ! xx:xx:xx:xx:xx:xx -j DROP
    command will be enough ... :???:

    Truth is I'm not sure if I well understood it ... Not sure if it is enough to make the firewall to ignore all other traffic ...

    Does anybody knows ?
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice