Skip to main content

Howto Deploy Ethernet MAC Address Filtering on CommGate 3.x

  1. Download Notepad++ from http://notepad-plus.sourceforge.net/uk/site.htm to edit the following text files from a Windows PC. You can then convert the text files into Windows and UNIX modes easily.

  2. Using Notepad++, create a text file and save it as rc.firewall.macaddr in /etc/rc.d directory.

  1. Add all the Ethernet MAC Addresses into file /etc/rc.d/rc.firewall.macaddr (one MAC Address per line) to filter it via the firewall rules in the following format;

MACADDRS="\
11:22:33:44:55:66 \
aa:bb:cc:dd:ee:ff \
66:55:44:33:22:11"

Note: Please change the MAC addresses with your own.

  1. Using WinSCP3 (downloadable from http://winscp.net/eng/download.php), login to the CommGate 3.x system as user root and double-click on the following file /etc/rc.d/rc.firewall.local (Note: Save a copy of the original file for backup purposes before you edit it as a precaution).

  1. Add the customize rules to filter Ethernet MAC Address on the CommGate Shield 3.x firewall script located in /etc/rc.d/rc.firewall.local to allow traffic for authorized MAC addresses to the Internet or WAN interface (eth0).

Copy and paste these lines:

## Start of Ethernet MAC Address firewall script.
## The Ethernet Mac Address file must be located
## at "/etc/rc.d/rc.firewall.macaddr".
MACADDRS=`cat /etc/rc.d/rc.firewall.macaddr`

# This is where the IPTABLES firewall binary
# is located within the CommGate system.
IPTABLES=/sbin/iptables

# Create special table for Ethernet MAC Address

# Filtering with a table/chain name mac-allowed.
$IPTABLES -t nat -F mac-allowed 2>/dev/null
$IPTABLES -t nat -X mac-allowed 2>/dev/null
$IPTABLES -t nat -N mac-allowed

# Insert MAC address check into the
# NAT+PREROUTING table
$IPTABLES -t nat -I PREROUTING -i eth1 -j mac-allowed

# Add MAC addresses to our special table
for MAC in $MACADDRS; do
$IPTABLES -t nat -A mac-allowed -i eth1 -m mac --mac-source $MAC -j RETURN
done

# Drop all unrecognized MACs and change the
# LAN IP subnet 192.168.1.0/24 to your own
# LAN subnet. Refer to this website to
# calculate your Subnet Mask suffix as
# /24, /23, /32, etc.
$IPTABLES -t nat -A mac-allowed -i eth1 -d ! 192.168.1.0/24 -j DROP

## End of Ethernet MAC Address firewall script.


  1. Finally, check to make sure that the rc.firewall.macaddr file is uploaded to /etc/rc.d/ directory on the CommGate Shield system and restart the firewall as follow;

    service firewall restart

  2. Start testing your Internet/WAN access.

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

OpenProj - FREE alternative to Microsoft Project I wanted to share with all of you about Projity's important announcement last week at LinuxWorld. Projity announced the release of OpenProj, a FREE (yeah, another FREE software) and open source replacement of Microsoft Project. OpenProj is available on Windows, Linux, Unix or Mac and is interoperable with Microsoft Project. The best thing is, it even opens existing MS Project files! How cool is that? I read on OpenProj website that OpenProj has been downloaded on an average every 35 seconds around the clock at http://www.projity.com since they launched and made the software available last week. OpenProj is now in the 99.99th percentile for activity on Sourceforge.net and is quickly becoming one of the most used open source solutions worldwide. The OpenProj folks are expecting about 11 million worldwide users and in my opinion, this has been an excellent start for them. MS Project has been a key strategic solution for Micro...
1 comment
Read more

Keep your mail servers off blacklisting sites

Keep your mail servers off blacklisting sites and avoid being flagged as spam! by Moonshi Mohsenruddin, CEO CommGate, Inc. Greetings! This blog will be shared by my fellow team mates - Mr. Tan Hock Chye, Technical Manager, Mr. Ramesh Raman, Chief Technology Officer and Mr. Abhik Biswas, Chief Marketing Officer of CommGate. We will be posting alternately, in attempt to bring mind blowing technology thoughts to you on a regular basis. If you would like to read more about who we are and what we do, please do check out our profile on our corporate website. These days, it seems like every other email servers/hosts are tightening the screws on their email servers just a little bit more in order to battle against spam and viruses. Generally speaking, having more servers out there tightening their security and policies is a good thing. However, if you do not follow some basic precautions on your own email server(s), valid email from your hosted email domains may start to be flagged as spam...
Post a Comment
Read more

High-speed wireless video transfers 100X faster than WiFi

IBM is looking to change the way you watch video. The company today is announcing microprocessor chipsets that can wirelessly transmit high-definition video between computers, televisions and handheld devices in the time it takes to push the Play button. IBM will do this by teaming with MediaTek to launch a joint initiative to develop these ultra fast chipsets that will let users rid their homes and offices of the cumbersome wires needed to connect their HD-TVs to set top boxes and or other devices. The companies will be developing millimeter wave (mmWave) radio technology -- the highest frequency portion of the radio spectrum -- 60 gigahertz rather than 2.4 gigahertz -- and digital chipsets that enable at least 100 times higher data rates than current Wi-Fi standards, IBM said in a release. Users could upload a 10 gigabyte file in five seconds with the new technology versus 10 minutes using current Wi-Fi technology. mmWave wireless technology can be widely used at home and...
Post a Comment
Read more