APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Securing your network to specific machines

Sun Dec 19 15:11:08 2004

It's possible to lock down a network from use by rogue machines (a laptop brought in from outside, for example), but it isn't easy. See these links for passing and blocking packets by MAC address:

Bug in Linux 2.4 and IPTables MAC Match Module
Iptables MAC Address Filtering

But.. keep in mind that someone can spoof MAC addresses also. Some switches can "lock" a MAC address to a specific port, so if you have one of those, use the iptables stuff from the links above to pass only the addresses you already know. If you then can keep your all your offices and the switch under lock and key.. you might stop all but the most determined wanderers.

If you need to get more sophisticated (some machines have more access than others), combine this with DHCP that assigns specific IP addresses to specific MAC addresses. As long as you have that blocking switch, and no physical access to its ports, you can then be reasonably sure that a particular IP address really came from the machine you expected it to - or somebody drilled holes in your walls or otherwise physically compromised your network.


Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Securing your network to specific machines




Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Tony Lawrence



Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





Computer Science is embarrassed by the computer. (Alan Perlis)

If you just want to use the system, instead of hacking on its internals, you don't need source code. (Andrew S. Tanenbaum)







This post tagged: