iptables: mac address filtering

iptables supports MAC address rules. For example you can block a MAC address:
/sbin/iptables -A INPUT -m mac --mac-source 00:00:11:22:22:33 -j DROP
or allow a MAC address:
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m mac --mac-source 11:22:33:44:55:66 -s -j ACCEPT

However, allowing MAC addresses in iptables is NOT safe since the MAC address can be easily spoofed on all the operating systems. How should we use MAC address filtering safely? Here are some suggestions:
  1. Use MAC address rules to DROP(filter out) packets. DO NOT use MAC address rules to ACCEPT packets
  2. Use MAC address rules for LAN, e.g. a local subnet, which is considered comparably safe. DO NOT use MAC address rules for internet.


No comments:

Post a Comment