Securing your network to specific machines

© December 2004 Tony Lawrence
Sun Dec 19 15:11:08 2004

It's possible to lock down a network from use by rogue machines (a laptop brought in from outside, for example), but it isn't easy. See these links for passing and blocking packets by MAC address:

Bug in Linux 2.4 and IPTables MAC Match Module
Iptables MAC Address Filtering

But.. keep in mind that someone can spoof MAC addresses also. Some switches can "lock" a MAC address to a specific port, so if you have one of those, use the iptables stuff from the links above to pass only the addresses you already know. If you then can keep your all your offices and the switch under lock and key.. you might stop all but the most determined wanderers.

If you need to get more sophisticated (some machines have more access than others), combine this with DHCP that assigns specific IP addresses to specific MAC addresses. As long as you have that blocking switch, and no physical access to its ports, you can then be reasonably sure that a particular IP address really came from the machine you expected it to - or somebody drilled holes in your walls or otherwise physically compromised your network.

Got something to add? Send me email.

---

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us