WEBVTT

00:01.390 --> 00:02.270
Welcome back.

00:02.650 --> 00:09.610
If you want to match packets based on a source MAC address, use the -m mac match option.

00:10.270 --> 00:18.130
Note that you can filter Ethernet or wireless traffic only by source MAC address and not by destination

00:18.130 --> 00:19.030
MAC address.

00:19.600 --> 00:22.290
This match could be very useful sometimes.

00:22.570 --> 00:29.980
Imagine you have a server in your local network and want to allow only a list of trusted machines to

00:29.980 --> 00:33.250
access the services that are running on the server.

00:34.030 --> 00:41.050
Or you have a network router that is running Linux and want only the corporate devices to access

00:41.050 --> 00:41.830
the Internet.

00:42.250 --> 00:48.410
Or, in other words, you don't allow devices that are not yours or not trusted into your network.

00:49.060 --> 00:54.810
Keep in mind that MAC addresses are only valid inside the local area network.

00:55.150 --> 01:02.470
The first router towards the destination will replace the source MAC address of the packet with its own MAC

01:02.470 --> 01:06.820
address, the MAC address of its outgoing interface.

01:08.450 --> 01:16.580
Also, note that you cannot impose a strong security policy based on MAC addresses, because MAC addresses

01:16.730 --> 01:18.410
can be spoofed easily.

01:19.420 --> 01:26.530
When we want to match packets by source MAC address, we use the -m mac match.

01:27.620 --> 01:35.780
In this example, we are dropping any incoming packets (it's the INPUT chain) that are coming in on the

01:35.780 --> 01:40.970
wlan0 interface and have the given source MAC address.

01:42.260 --> 01:50.340
Let's see two more use cases. The first task is to drop incoming packets that are coming with a specified

01:50.360 --> 01:56.600
MAC address, and the second task is to configure the network router, which, of course, is running

01:56.600 --> 02:04.110
Linux, to permit access to the Internet only to a list of trusted devices, or MAC addresses.

02:04.520 --> 02:06.050
Let's do the first task.

02:07.080 --> 02:14.370
I'll drop all incoming traffic to Linux 1 if the source MAC address is the one of Linux 2.

02:15.540 --> 02:23.790
MAC belongs to Layer 2, so if you are dropping by MAC address, you are dropping all protocols like IP,

02:23.790 --> 02:26.650
ICMP, TCP, UDP and so on.

02:27.540 --> 02:32.850
First, I want to test whether the connection between Linux 2 and Linux 1 is up.

02:41.360 --> 02:42.950
Perfect, ping is working.

02:44.670 --> 02:47.870
Let's see what the MAC address of Linux 2 is.

02:51.020 --> 02:54.500
This is the MAC address, and I'll copy it to the clipboard.

02:58.070 --> 03:07.130
And now I'll write the iptables rule: iptables -A INPUT (incoming traffic) -m mac

03:07.520 --> 03:13.430
--mac-source, and I'll paste the MAC address.

03:15.550 --> 03:16.780
-j DROP.

03:21.160 --> 03:22.990
Let's ping this host again.

03:24.980 --> 03:28.090
We notice that ping is not working anymore.

03:29.180 --> 03:35.900
I am stopping the ping command. Back on Linux 1, let's look at the firewall.

03:38.310 --> 03:46.290
And we see a lot of matched and dropped packets; all packets that have this source MAC address will

03:46.290 --> 03:46.800
be dropped.

03:48.050 --> 03:54.110
Let's move on and do the second task. I'm going to create a script and write there all

03:54.110 --> 03:56.280
the necessary iptables rules.

04:02.310 --> 04:08.280
As in all other examples, at the beginning of the script I am flushing the FORWARD chain.

04:11.020 --> 04:18.910
Because there could be tens of MAC addresses that I must permit, I'll define a new variable and store

04:18.940 --> 04:22.000
those MAC addresses in that variable.

04:23.320 --> 04:28.300
So this is the name of my new variable: PERMITTED_MACS.

04:29.490 --> 04:30.240
Equals.

04:32.360 --> 04:36.440
And a list of MAC addresses separated by comma.

04:40.260 --> 04:47.070
The first MAC address, the second MAC address, the third and so on.

04:48.260 --> 04:53.360
I'll change something in each MAC address to have different addresses.

05:00.780 --> 05:08.700
It's good practice to write a variable in uppercase letters, don't use spaces on the left and the right

05:08.700 --> 05:13.260
side of the equals sign, and use white space between addresses.

05:14.730 --> 05:22.680
Now, using a for loop, I'll iterate over the list of MAC addresses and run an iptables rule for each

05:22.680 --> 05:23.760
MAC address.

05:23.940 --> 05:31.770
So: for MAC (this is a temporary variable) in $PERMITTED_MACS.

05:36.310 --> 05:46.870
Do and done; between do and done we have the for block of code, so: iptables -A FORWARD (remember

05:46.870 --> 05:58.180
that we are a router) -m mac --mac-source $MAC -j ACCEPT.

05:59.560 --> 06:03.090
And I'll print out a message to know what the script is doing.

06:03.520 --> 06:06.490
echo $MAC permitted.

06:08.650 --> 06:16.210
And finally, I'll set the policy to DROP on the FORWARD chain, so all other packets that are not

06:16.210 --> 06:17.920
accepted will be dropped.

06:18.400 --> 06:22.820
iptables -P FORWARD DROP.

06:24.340 --> 06:24.910
Perfect.

06:26.410 --> 06:27.970
I am saving the file.

06:28.540 --> 06:33.670
Then I'll make it executable and run it.

06:36.300 --> 06:40.620
We see how these four MAC addresses have been permitted.

06:41.910 --> 06:48.240
Only the packets from devices with those MAC addresses can access the Internet.

06:50.900 --> 06:58.280
This kind of script is useful also for a local server: if you want a server to be accessed only by

06:58.280 --> 07:03.470
a list of trusted hosts, you just replace the FORWARD chain with the INPUT chain.

07:05.280 --> 07:12.120
When you want to add or remove a MAC address from the list, you simply remove that address from

07:12.120 --> 07:15.200
the list, save the script and run it again.

07:17.860 --> 07:19.810
I have removed two addresses.

07:21.740 --> 07:26.510
Sorry, I have noticed a small error here: it is the FORWARD chain, not INPUT.

07:29.120 --> 07:37.460
OK, I am saving the script and running it again. Now only these two MAC addresses are permitted.

07:42.360 --> 07:47.790
You see that it's very easy to add or remove MAC addresses from the list.
