Question

I am currently attempting to configure iptables to only allow certain MAC addresses to connect to port 3690 (svn).

Step 1 - On EC2 Management Console > Security Groups (group name: default) I opened port 3690 for all subnets.

Step 2 - On my Linux server (Amazon Linux AMI 64-bit), I configured iptables:

2.1 Allow my MAC address (port 3690)
2.2 Drop from all (port 3690)

[ec2-user@ip-172-31-7-2 ~]$ sudo iptables -n -L -v --line-numbers
Chain INPUT (policy ACCEPT 1974 packets, 206K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3690 MAC 50:46:5D:C7:63:C1
2        5   272 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3690

But the firewall does not work correctly. I cannot telnet to port 3690 from the MAC address. If I delete the iptables rules, all clients can access this port. Could anyone help me???


Solution

If the client and the server are not on the same IP subnet, then by definition there must be at least one router between them, so again by definition the two systems are not going to be able to detect each other's MAC address.

MAC addresses identify devices at layer 2 on their local, physical network only... while routers operate at layer 3, stripping off the incoming layer 2 address and using their own layer 2 address when sending the packet to the next router or host on the way to the destination. An incoming packet from a device on a different subnet always arrives with the MAC address of the router that delivers the packet.

What you are trying to do is not possible for machines on different subnets, and it's just as well, because MAC addresses are absolutely trivial to "spoof," making MAC address-based security nothing more than security by obscurity, which is not a meaningful level of security.

You should probably not even consider running svnserve listening on an Internet-connected machine like this. The svn+ssh:// mechanism supported by Subversion does not require the server to have an always-open port listening for connections... it works with your existing ssh keys, which, assuming you haven't carelessly configured sshd to allow logins with only a password (instead of keys), are a phenomenally more secure mechanism for controlling access, not to mention automatically encrypting your traffic as it traverses the Internet.

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshauth
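A small model of the layer-2 argument above, added here as an example and not part of the original answer: it takes the MAC from the `-m mac --mac-source` rule and works out which source MAC the server's NIC actually sees for a given client (the client's own MAC only when the client is on-link, otherwise the next-hop router's). The interface prefix, gateway and neighbour-table lines are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the question): the server's interface with
# an assumed /20 prefix, its default gateway, and `ip neigh`-style output.
SERVER_IFACE = ipaddress.ip_interface("172.31.7.2/20")
DEFAULT_GW = ipaddress.ip_address("172.31.0.1")
NEIGH_OUTPUT = """\
172.31.0.1 dev eth0 lladdr 0a:1b:2c:3d:4e:5f REACHABLE
172.31.7.9 dev eth0 lladdr 50:46:5d:c7:63:c1 STALE
"""


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh` lines that carry an lladdr field."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def rule_mac(iptables_s_line):
    """Return the MAC an `iptables -S` rule matches on (lower-cased), or None."""
    fields = iptables_s_line.split()
    if "--mac-source" in fields:
        return fields[fields.index("--mac-source") + 1].lower()
    return None


def mac_seen_from(client_ip, neigh=None):
    """Source MAC on a frame from client_ip as the server's NIC receives it.

    On-link clients deliver frames themselves; anything else arrives via the
    default gateway, so the frame carries the router's MAC instead.
    """
    neigh = parse_neigh(NEIGH_OUTPUT) if neigh is None else neigh
    client = ipaddress.ip_address(client_ip)
    next_hop = client if client in SERVER_IFACE.network else DEFAULT_GW
    return neigh.get(str(next_hop))


def rule_can_match(iptables_s_line, client_ip):
    """True only if the rule's MAC can ever equal the MAC the server sees."""
    return rule_mac(iptables_s_line) == mac_seen_from(client_ip)
```

Running `rule_can_match` for a client outside 172.31.0.0/20 returns False, because the only MAC the ACCEPT rule could see is the gateway's, so every such packet falls through to the DROP rule.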

OTHER TIPS

Although Michael's answer is great, I would like to add a 'practical' solution.

Dome9 can automate your Firewalls and allow on-demand access to your server while 'cloaking' it from the rest of the internet. It can do so by dynamically managing your AWS security groups or by managing your iptables.

Disclaimer - I'm a proud Dome9er ;)

Licensed under: CC-BY-SA with attribution