Skip to main content

Howto Deploy Ethernet MAC Address Filtering on CommGate 3.x

  1. Download Notepad++ from http://notepad-plus.sourceforge.net/uk/site.htm to edit the following text files from a Windows PC. You can then convert the text files into Windows and UNIX modes easily.

  2. Using Notepad++, create a text file and save it as rc.firewall.macaddr in /etc/rc.d directory.

  1. Add all the Ethernet MAC Addresses into file /etc/rc.d/rc.firewall.macaddr (one MAC Address per line) to filter it via the firewall rules in the following format;

MACADDRS="\
11:22:33:44:55:66 \
aa:bb:cc:dd:ee:ff \
66:55:44:33:22:11"

Note: Please change the MAC addresses with your own.

  1. Using WinSCP3 (downloadable from http://winscp.net/eng/download.php), login to the CommGate 3.x system as user root and double-click on the following file /etc/rc.d/rc.firewall.local (Note: Save a copy of the original file for backup purposes before you edit it as a precaution).

  1. Add the customize rules to filter Ethernet MAC Address on the CommGate Shield 3.x firewall script located in /etc/rc.d/rc.firewall.local to allow traffic for authorized MAC addresses to the Internet or WAN interface (eth0).

Copy and paste these lines:

## Start of Ethernet MAC Address firewall script.
## The Ethernet Mac Address file must be located
## at "/etc/rc.d/rc.firewall.macaddr".
MACADDRS=`cat /etc/rc.d/rc.firewall.macaddr`

# This is where the IPTABLES firewall binary
# is located within the CommGate system.
IPTABLES=/sbin/iptables

# Create special table for Ethernet MAC Address

# Filtering with a table/chain name mac-allowed.
$IPTABLES -t nat -F mac-allowed 2>/dev/null
$IPTABLES -t nat -X mac-allowed 2>/dev/null
$IPTABLES -t nat -N mac-allowed

# Insert MAC address check into the
# NAT+PREROUTING table
$IPTABLES -t nat -I PREROUTING -i eth1 -j mac-allowed

# Add MAC addresses to our special table
for MAC in $MACADDRS; do
$IPTABLES -t nat -A mac-allowed -i eth1 -m mac --mac-source $MAC -j RETURN
done

# Drop all unrecognized MACs and change the
# LAN IP subnet 192.168.1.0/24 to your own
# LAN subnet. Refer to this website to
# calculate your Subnet Mask suffix as
# /24, /23, /32, etc.
$IPTABLES -t nat -A mac-allowed -i eth1 -d ! 192.168.1.0/24 -j DROP

## End of Ethernet MAC Address firewall script.


  1. Finally, check to make sure that the rc.firewall.macaddr file is uploaded to /etc/rc.d/ directory on the CommGate Shield system and restart the firewall as follow;

    service firewall restart

  2. Start testing your Internet/WAN access.

Labels:

Comments

Post a Comment

Popular posts from this blog

From Toilet Cleaner to CEO

On 22-April-2012, my entrepreneurship journey story was published by The Sunday Times in Singapore by Mr. Wong Kim Hoh
1 comment
Read more

Strategic Plan vs. Operational Plan

Strategic Plan Vs. Operational Plan: Do You Know the  5 Main Differences ? What's the difference between a Strategic Plan vs. an Operational Plan? Both are plans but are they the same? If not, what’s the difference? Do you need both? Why do we need both?  After mentoring Start-Ups from pre-revenue to achieving at least S$1M in revenues since 2012 and supporting growing Small-Medium Enterprises within the S$4M to S$10M range revenues, whose leadership teams are stuck in their day to day operational matters and fire-fighting, I hear these questions frequently.  My response: A  strategic plan  outlines your Vision, Mission, Core Values to build the Culture with high-level goals for the next 3 to 5 years. It also takes into account how you’ll measure those goals, and the major projects you’ll take on to meet them. An  operational plan  (also known as a  work plan ) is an outline of what each of your business d...
Post a Comment
Read more
Why Data Backups Are So Important Our computers, smartphones, personal digital assistants, MP3 players, operating systems, and software are tools that we use to create and manipulate the content that is the most important aspect of computing - our data. Without your personalized data, the computing experience will be mundane and very generic. We need to be able to create in order to really feel good about what we’re doing. Many times people don’t realize how important their data is until it’s too late. I have see customers whom says, why do I need to spend $3,000 on a tape backup system just to archive, copy another instance of my data and then keep it? I’ve seen way too many people treat their hard drive’s like an all-you-can-eat buffet, and they’ll just pile anything and everything that they can find into an endless collection of files and folders that will be very difficult to make sense of in the future. The whole point of technology should be to simplify our lives instead of comp...
Post a Comment
Read more