# Allowing only specified IPs or MACs?

## The_Great_Sephiroth

I am trying to block all traffic that is not specified in an IP table or a MAC table. The reason for this is that the server runs an Asterisk SIP/H323 server and I want everything blocked EXCEPT for the wireless and LAN MACs on my laptop due to me being at various locations and needing to use Linphone from these locations. I also want all IP phones at our main office and remote office to have access. Those locations have static WAN IP addresses. Below is what I am looking at using. Please tell me what you think.

```
#!/bin/bash

# Configure IPv4 tables
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N MACS
iptables -N IPS

# IPv4 MAC filtering
iptables -A MACS -m mac --mac-source=00:11:22:33:44:55 -j ACCEPT
iptables -A MACS -m mac --mac-source=00:AA:BB:CC:DD:EE -j ACCEPT
iptables -A MACS -j RETURN

# IPv4 IP address filtering
iptables -A IPS -s 192.168.0.1 -j ACCEPT
iptables -A IPS -s 192.168.0.2 -j ACCEPT
iptables -A IPS -j RETURN

# IPv4 firewall
iptables -t filter -A INPUT -j MACS
iptables -t filter -A INPUT -j IPS
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Configure IPv6 firewalling
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
```

I changed the MACs and the two IPs to protect them, but you get the idea.

----------

## Roman_Gruber

MACs are kinda useless as you can spoof those.

IP addresses can also be chosen freely.

I assume this covers the topic iptables, so you may choose a better title which starts with iptables...

> me being at various locations a

Well, I am not that interested in networks, but AFAIK those are sent in the IP layer, and when I listen to that communication I can later spoof it and reuse it, so rather useless.

You'd better aim for a proper handshake / protocol which ensures the partners are the real partners...

----------

## gordonb3

That set of rules won't do it. This will grant full access to the named MACs and IPs and allow access to ssh and SIP to everyone else.

It is also quite pointless, because except for in your own home you will be masqueraded in practically every location that gives you internet access. And apart from your work offices you will not only not know what IP and/or MAC you will be using, but other people behind that same router/firewall will have access too. What you need is a mechanism that allows you to identify yourself to be given access. A lightweight method for this is a technique called "knocking", where you hit a specific sequence of TCP ports within a given time frame, but what you really want is a VPN.
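The "knocking" gate gordonb3 describes, combined with the fix for the rule-ordering problem in the previous reply (the office's static address gets the service ports directly; everybody else gets nothing until they knock). This is an added example, not code from the thread. Assumed values: knock ports 1111, 2222, 3333, the chain names, the office address 203.0.113.10 (a documentation-range placeholder), and a DRY variable that prints the rules instead of applying them.

```shell
#!/bin/sh
# Knock gate for SSH and SIP using the iptables "recent" match (added example, not
# from the thread). Assumed: knock ports 1111,2222,3333, office WAN address
# 203.0.113.10 (documentation range, placeholder), and DRY=1 to print rules instead
# of applying them so the script runs on a host without iptables.
OFFICE="${OFFICE:-203.0.113.10}"
K1=1111; K2=2222; K3=3333
WINDOW=15   # seconds allowed between consecutive knocks
OPEN=30     # seconds the gate stays open after the last knock

ipt() { if [ -n "${DRY:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }

knock_rules() {
  for c in KNOCKING GATE1 GATE2 GATE3 PASSED; do ipt -N "$c"; done
  # GATE1: only the first knock is recorded; anything else is dropped.
  ipt -A GATE1 -p tcp --dport "$K1" -m recent --name AUTH1 --set -j DROP
  ipt -A GATE1 -j DROP
  # GATE2/GATE3: a wrong port falls back to GATE1, which resets the sequence.
  ipt -A GATE2 -m recent --name AUTH1 --remove
  ipt -A GATE2 -p tcp --dport "$K2" -m recent --name AUTH2 --set -j DROP
  ipt -A GATE2 -j GATE1
  ipt -A GATE3 -m recent --name AUTH2 --remove
  ipt -A GATE3 -p tcp --dport "$K3" -m recent --name AUTH3 --set -j DROP
  ipt -A GATE3 -j GATE1
  # PASSED: sequence completed; service ports stay open to that source for OPEN seconds.
  ipt -A PASSED -p tcp -m multiport --dports 22,5060,5061 -j ACCEPT
  ipt -A PASSED -p udp -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
  ipt -A PASSED -j GATE1
  # Dispatch on the stage the source has reached, most advanced stage first.
  ipt -A KNOCKING -m recent --rcheck --seconds "$OPEN" --name AUTH3 -j PASSED
  ipt -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH2 -j GATE3
  ipt -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH1 -j GATE2
  ipt -A KNOCKING -j GATE1
}

input_rules() {
  ipt -P INPUT DROP
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The office's static address gets the service ports without knocking; everyone
  # else gets nothing unless they knock, so SSH/SIP are no longer open to the world.
  ipt -A INPUT -s "$OFFICE" -p tcp -m multiport --dports 22,5060,5061 -j ACCEPT
  ipt -A INPUT -s "$OFFICE" -p udp -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate NEW -j KNOCKING
}

# Apply only when asked explicitly; otherwise the functions are just defined.
if [ "${1:-}" = apply ]; then knock_rules; input_rules; fi
```

Only new flows go through the gate, so a registered SIP session keeps working via conntrack, but a call started more than OPEN seconds after the knock needs a fresh knock; that inconvenience, plus the fact that a knock sequence is observable on the wire, is why the reply above still points at a VPN.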

----------

## The_Great_Sephiroth

This has to be possible somehow. How else would SIP providers like Nextiva be able to do it? We need a solution here. Others do it, so we need to be able to do it. For now, I have blocked everything except our office with this setup.

```
#!/bin/bash

# Configure IPv4 tables
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N ALLOWED

# IPv4 MAC/IP filtering
iptables -A ALLOWED ! -s 123.456.789.012 -j REJECT
iptables -A ALLOWED -j RETURN

# IPv4 firewall
iptables -t filter -A INPUT -j ALLOWED
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Configure IPv6 firewalling
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
```

This should instantly reject any connection not at our main office, and then filter connections being made from our main office. Does this make more sense than before?

----------

## gordonb3

Sure it is possible. But if you want to guard yourself against people spoofing IPs or MACs, iptables alone is not going to do it.

You could probably investigate if that SIP server provides any means for this. Like a callback function that lets the server connect to you on your request.

----------