Hi,

I'm setting up a WAMP/LAMP stack on an old PC. This computer will be connected to a local network with about a dozen other PCs. I'm interested in limiting access from everyone else's computers, so that only my partner and I can access our local server. The best way, I think, to do this is to block out everyone else's MAC address (the router assigns IPs automatically, so I don't want to be dependent on that). I'd like to add that I don't have access to the router's config page, so this would have to be done from the server itself.

Can anyone expand on how this is done?

+1  A: 

The first place to look is your router's control panel. Usually routers (at least for wireless) allow access control based on physical addresses.

The second thing to help you is the firewall. Look for a firewall which limits access by MAC address (if you are using Linux I'm pretty sure it already has this capability; on my Wintel box I'm using Comodo Personal Firewall, which allows me to filter by physical address).

TheVillageIdiot
A: 

If you can't fiddle with the router then you have to implement restrictions on the server itself. Depending on how paranoid you want to be, a few options that spring to mind are:

  • Easiest - set up a VirtualHost in Apache, setting the hostname to something unique that does not resolve via DNS; simply add this entry to your local hosts file and voila - anyone accessing the server via IP will get the default Apache host (welcome page).
  • Middle - use mod_auth_basic to add basic access control (username + password via htpasswd) to the webserver.
  • Hardest - add iptables rules to block all access to port 80 except from given MACs.
iAn
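The "easiest" and "middle" options above combined, as an added example that is not code from the original answer: a script that renders an Apache 2.4 catch-all vhost (serving only the stock welcome page) and a named vhost protected by Basic auth, plus a helper that produces an htpasswd line without the htpasswd utility. The hostname lamp.internal, the document root /var/www/private and the password file /etc/apache2/.htpasswd are hypothetical; the two permitted clients would point lamp.internal at the server in their hosts files.

```shell
#!/bin/sh
# Added example (not from the original answers). Renders the Apache 2.4
# configuration for the "unique hostname" + "mod_auth_basic" options.
# Hypothetical names: lamp.internal, /var/www/private, /etc/apache2/.htpasswd.
set -eu

# Catch-all vhost. Apache hands a request whose Host header matches no
# ServerName to the first VirtualHost in the config, so this one must be
# listed first and must carry nothing but the stock welcome page.
render_default_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

# The real site: reachable only by the private hostname and only with a
# password. $1 = hostname, $2 = document root, $3 = htpasswd file.
render_private_vhost() {
    hostname=$1; docroot=$2; passfile=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $hostname
    DocumentRoot $docroot
    <Directory "$docroot">
        AuthType Basic
        AuthName "Private LAMP server"
        AuthUserFile $passfile
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}

# One htpasswd line in Apache's apr1 (MD5-crypt) format, produced with
# openssl for hosts where the htpasswd tool is not installed. The password
# is read from stdin so it never appears in the process list:
#   printf '%s' 'secret' | htpasswd_line alice >> /etc/apache2/.htpasswd
htpasswd_line() {
    user=$1
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 -stdin)"
}

# Print the full vhost config; redirect into the sites-enabled file of your
# distribution and reload Apache.
render_default_vhost
render_private_vhost lamp.internal /var/www/private /etc/apache2/.htpasswd
```

Order matters: if the private vhost were listed first it would become the default and every IP-based request would reach the login prompt, which still keeps strangers out but leaks that the site exists.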
+2  A: 

Linux/iptables, the sort-of blacklist way: this will drop all traffic originating from the specified MAC addresses:

iptables -I INPUT 1 -m mac --mac-source <blacklisted mac 1> -j DROP
iptables -I INPUT 1 -m mac --mac-source <blacklisted mac 2> -j DROP

However, I'm not really sure if this is what you want; the MAC address isn't really a reliable method of filtering your traffic. Most modern NICs allow you to change your MAC address, and if the IP packet that the Ethernet frame encapsulates has passed through a router, the source MAC address on the Ethernet frame is going to be the one of the last router it passed through and not the originating computer.

I would suggest looking into mod_auth_basic or something similar; it's much more forgiving than iptables when making mistakes. And if you do decide to go down the iptables route, I would suggest more of a whitelisting approach where iptables drops certain traffic by default and then allows through what you want.

# the option of the mac match is --mac-source; -A appends in order, so both ACCEPTs must come before the DROP
iptables -A INPUT -p tcp --dport 80 -m mac --mac-source <your mac> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m mac --mac-source <your partner's mac> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Kjetil Jorgensen
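The whitelisting approach from the answer above, carried through as an added example that is not code from the original answer: the rules live in their own chain so the script can be re-run without stacking duplicate rules in INPUT, MAC addresses are validated before they reach iptables, and the commands are printed rather than executed so they can be reviewed first. Assumptions, all hypothetical: the LAN interface is eth0 and the two permitted MAC addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answers. Builds the TCP/80
# MAC whitelist as a dedicated chain (WEB_ACL). Assumptions (hypothetical):
# the LAN interface is eth0; the MACs used below are placeholders.
set -eu

LAN_IF="${LAN_IF:-eth0}"
CHAIN="WEB_ACL"

# A MAC address is six colon-separated pairs of hex digits (either case).
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print (do not run) the iptables commands that allow TCP/80 only from the
# given MAC addresses. Fails on a malformed address so a typo cannot turn
# into a rule that silently matches nothing.
build_rules() {
    for mac in "$@"; do
        is_mac "$mac" || { printf 'not a MAC address: %s\n' "$mac" >&2; return 1; }
    done
    # Create the chain if needed, then start from an empty one.
    printf '%s\n' "iptables -N $CHAIN 2>/dev/null || true"
    printf '%s\n' "iptables -F $CHAIN"
    # Loopback has no peer MAC to match on; keep local testing working.
    printf '%s\n' "iptables -A $CHAIN -i lo -j ACCEPT"
    for mac in "$@"; do
        # The mac match only applies in INPUT/FORWARD/PREROUTING and its option
        # is --mac-source. Binding to the LAN interface keeps the rule from
        # matching frames arriving on any other interface.
        printf '%s\n' "iptables -A $CHAIN -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Everything else aimed at the web server is dropped. This includes
    # packets that crossed a router on the way in, since those carry the
    # router's MAC, not the sender's: the whitelist is only meaningful for
    # machines on the same Ethernet segment.
    printf '%s\n' "iptables -A $CHAIN -j DROP"
    # Hook the chain into INPUT exactly once; -C tests for an existing jump.
    printf '%s\n' "iptables -C INPUT -p tcp --dport 80 -j $CHAIN 2>/dev/null || iptables -I INPUT 1 -p tcp --dport 80 -j $CHAIN"
}

# Number of per-peer ACCEPT rules, for a sanity check before applying.
count_allowed() {
    build_rules "$@" | grep -c -- '--mac-source'
}

# Review the output, then apply as root with:
#   build_rules <mac1> <mac2> | sh -e
build_rules 00:11:22:33:44:55 66:77:88:99:aa:bb
```

Because the jump from INPUT is inserted at position 1, the whitelist takes effect even if a distribution firewall already has an earlier ACCEPT for port 80; re-running the script only flushes and refills WEB_ACL.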