MAC-address logging/blocking for linux iptables

January 2nd, 2003  |  Published in hardware, linux, wireless  |  5 Comments

Here’s a little script I wrote that checks incoming wireless requests for a known MAC address. I’ve been using it on my Linux gateway/router/wireless-bridge.

If it doesn’t know you, it transparent-proxies all your outgoing port 80 traffic to the local webserver’s port 81, where you could put a redirect to a polite message or something.

In my case I’d just like to put some sort of guestbook page that logs your MAC and adds it automatically to the firewall rules after you leave a comment. I don’t mind sharing my bandwidth from time to time, but I’d love to know if someone benefitted from it.

I was impressed with the power of iptables, once I got my head round it. I found an ASCII-art diagram that helped me understand the flow through the various tables and targets.
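
The setup described above, as an added example; it is not the author's script, which is not reproduced on this page. The function prints the iptables commands rather than running them. The chain name `maccheck` and port 81 come from the page; the interface name `wlan0`, the firewall mark value 1, the log rate limit and the sample MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the iptables commands for the setup above.
# Assumed: interface wlan0, mark value 1, log rate limit; sample MACs are constructed.

is_mac() {  # accept only aa:bb:cc:dd:ee:ff so nothing else reaches the rule text
    [ "${#1}" -eq 17 ] &&
        printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

maccheck_rules() {  # usage: maccheck_rules IFACE MAC...
    iface=$1; shift
    for mac in "$@"; do
        is_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    redirect="PREROUTING -i $iface -p tcp --dport 80 -m mark --mark 1 -j REDIRECT --to-ports 81"

    # Teardown, so the output can be re-applied: remove the jump that references
    # the chain, flush it, and only then delete it (-X refuses a chain that is
    # still referenced or not empty). These fail harmlessly on a first run.
    echo "iptables -t nat -D $redirect 2>/dev/null"
    echo "iptables -t mangle -D PREROUTING -i $iface -j maccheck 2>/dev/null"
    echo "iptables -t mangle -F maccheck 2>/dev/null"
    echo "iptables -t mangle -X maccheck 2>/dev/null"

    # mangle/PREROUTING is traversed before nat/PREROUTING, so a mark set in
    # maccheck is visible to the REDIRECT rule at the end.
    echo "iptables -t mangle -N maccheck"
    for mac in "$@"; do  # known MACs leave the chain unmarked
        echo "iptables -t mangle -A maccheck -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -t mangle -A maccheck -m limit --limit 6/minute -j LOG --log-prefix 'maccheck unknown: '"
    echo "iptables -t mangle -A maccheck -j MARK --set-mark 1"
    echo "iptables -t mangle -A PREROUTING -i $iface -j maccheck"
    echo "iptables -t nat -A $redirect"
}

# Constructed sample input; review the output, then pipe it to sh as root to apply.
if [ "${1:-}" = "--demo" ]; then
    maccheck_rules wlan0 00:11:22:33:44:55 66:77:88:99:aa:bb
fi
```

A MAC address is visible to every station in radio range and can be set by the client, so a list like this identifies cooperative guests rather than authenticating them.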


  1. Steve says:

    February 18th, 2003 at 10:08 pm (#)

    I’m trying your script (forgive me, I’m an iptables newbie), and I get a “Can’t delete chain with references left” when the second line of the script runs. The iptables -t mangle -X maccheck part is what is failing, and I’m wondering what I’m missing. Ideas?

    You do some kewl stuff, sir. I love the mini-itx machine…

  2. Schuyler says:

    April 28th, 2003 at 9:14 am (#)

    What you’re proposing would be really easy to do with the open mode of NoCatAuth. We’re phasing out the perl version of the gateway, but the C version (“NoCatSplash”) supports open mode already, so it could be trivially hacked to redirect to a local webserver with a guestbook app. (Alternately CGI support could be added to NoCatSplash, I suppose.)

  3. Matt Biddulph says:

    April 29th, 2003 at 1:33 pm (#)

    I’ll check it out. The nocat system was the inspiration for implementing this several months ago. I read about it, downloaded it and browsed through the source. Rather than try to understand it properly and set up a system, I put this quick hack together to get an idea of whether anyone was using my open node – it wasn’t in a busy area.

  4. albert says:

    June 5th, 2003 at 1:50 am (#)


    I saw your script and I understand that it actually causes disallowed MAC addresses’ packets to go to your web server.
    But is there a way where iptables can allow me to have my web server forward the packets from those disallowed MACs to my host?

    As in, if I have 3 computers:
    A can talk to C only through B.
    Therefore all packets should go through B, and B will be able to forward the packet to the destination host.

    Can iptables do that?
    Thanks in advance.

  5. Cthulhu says:

    March 24th, 2004 at 4:45 am (#)