Media Access Control (MAC) address filtering is a well-known method for protecting wireless networks. This type of filtering works on the default deny principle: you specify the hosts that are allowed to connect, while leaving unknown ones behind.
MAC addresses are unique 48-bit numbers that have been assigned to every Ethernet device that has ever been manufactured, including 802.11 devices, and are usually written as six 8-bit hexadecimal digits separated by colons.
In addition to Linux’s native IP packet filtering system, Netfilter contains MAC address filtering functionality. While many of the wireless access points on the market today already support this, there are many older ones that do not.
MAC filtering is also important if your access point is actually the Linux machine itself, using a wireless card. If you have a Linux-based firewall already set up, it’s a trivial modification to enable it to filter at the MAC level.
MAC address filtering with iptables is much like IP-based filtering and is just as easy to do.
The following example demonstrates how to allow a particular MAC address if your firewall policy is set to DROP:
MAC Filtering Network Security
UNIX> iptables -A FORWARD -m state --state NEW -m mac
--mac-source 00:DE:AD:BE:EF:00 -j ACCEPT
This command allows any traffic sent from the network interface with the address 00:DE:AD:BE:EF:00. Using rules like this along with a default deny policy enables you to create a whitelist of the MAC addresses that you want to allow through your gateway.
To create a blacklist, you can employ a default accept policy and change the MAC address matching rule’s target to DENY.
Next» ARP Spoofing Countermeasure Using arpwatch