/sbin/iptables -A INPUT -m mac --mac-source 00:00:11:22:22:33 -j DROP
or allow a MAC address:
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m mac --mac-source 11:22:33:44:55:66 -s 192.168.1.0/24 -j ACCEPT
However, ACCEPTing traffic based on a MAC address in iptables is NOT safe, since a MAC address can be trivially spoofed on every operating system. How should MAC address filtering be used safely? Here are some suggestions:
- Use MAC address rules to DROP (filter out) packets. DO NOT use MAC address rules to ACCEPT packets.
- Use MAC address rules only for the LAN, e.g. a local subnet, where they are comparatively safe. DO NOT use MAC address rules for traffic from the internet: the source MAC is only meaningful on the local link, so for packets arriving from the internet it is merely the upstream router's address.