Tuesday, 5 May 2009

Perl script to block a MAC address using iptables

If you only need to block a single IP address, the simplest way with iptables is to reject it in both chains its traffic can traverse: INPUT for packets aimed at the gateway itself and FORWARD for packets routed through it:

iptables -I INPUT -s <IP address you want to block> -d <your gateway's IP address> -j REJECT
iptables -I FORWARD -s <IP address you want to block> -j REJECT

What if the IP addresses on the internal network are not static, i.e. they are assigned by a DHCP server? Then the same host can come back with a different address and walk around an IP-based rule, so the better way to block the user's activity is by MAC address. The Perl script below puts together the iptables rules needed to block the MAC address of the user's computer and then checks that the block works.

#!/usr/bin/perl
use strict;
use warnings;

print "Input IP that violates network rules: ";
chomp(my $ip = <STDIN>);
print "Input MAC address: ";
chomp(my $mac = <STDIN>);
print "Input gateway's IP: ";
chomp(my $gw = <STDIN>);

# Validate the input before it is handed to iptables and tcpdump.
die "Bad IP address: $ip\n"   unless $ip  =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
die "Bad gateway IP: $gw\n"   unless $gw  =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
die "Bad MAC address: $mac\n" unless $mac =~ /^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$/;

# The mac match only tests the source MAC of frames arriving at the gateway,
# so it is valid in INPUT and FORWARD, not for the replies the gateway sends
# back. Blocking what the user's MAC sends is enough: nothing gets through,
# so no replies are generated. Insert each rule once; -A and -I together
# only duplicate it.

# Traffic from that MAC to the gateway itself.
system('iptables', '-I', 'INPUT', '-d', $gw,
       '-m', 'mac', '--mac-source', $mac, '-j', 'REJECT') == 0
    or die "iptables -I INPUT failed\n";

# Traffic from that MAC routed through the gateway. Matched by MAC only, so
# a new DHCP lease does not let the host through again.
system('iptables', '-I', 'FORWARD',
       '-m', 'mac', '--mac-source', $mac, '-j', 'REJECT') == 0
    or die "iptables -I FORWARD failed\n";

# Check that the block works: REJECT makes the gateway answer the blocked
# host's packets with ICMP unreachable messages. Capture a few packets
# addressed to $ip and look for one. -c 10 stops tcpdump after ten packets
# instead of running forever; it still waits until the host sends something.
my $capture = `tcpdump -n -c 10 dst host $ip 2>/dev/null`;

if ($capture =~ /unreachable/) {
    print "The IP address $ip is blocked successfully!\n";
} else {
    print "The IP address $ip is blocked UNSUCCESSFULLY (no ICMP unreachable seen)!\n";
}


The part of the script after the iptables rules checks whether the block works: REJECT makes the gateway answer the blocked host's packets with ICMP unreachable messages, and tcpdump shows them. Before you run the script, make sure tcpdump is installed on the gateway. (Note: tcpdump is a packet sniffer that system administrators use to inspect traffic passing through the gateway. Please do not use tcpdump in an illegal way.)

If you are not sure how to find the IP address and MAC address of a host from your gateway or Linux firewall, you can use the following command:

ping <IP address you want to block>

Sending ICMP echo requests to the IP address makes the host answer if it is up, and the reply fills the gateway's ARP cache with the host's MAC address. Then look it up in the ARP cache with:

arp -a

This lists every IP-to-MAC mapping the gateway has cached. nmap can also report a host's MAC address, but a port scan takes longer and is unnecessary when you already administer the gateway. If the firewall also runs the DHCP server, the most reliable way to map an IP address to a host is to read the server's lease file.

You can find a user's MAC address by opening dhcpd.leases in a text editor on your Unix or GNU/Linux system, or from the command line (the path varies by distribution; /var/lib/dhcp/dhcpd.leases and /var/lib/dhcpd/dhcpd.leases are also common):

less /var/lib/dhcp/db/dhcpd.leases
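As an added example (not part of the original post), the following shell script does the lease-file lookup automatically: it parses an ISC dhcpd.leases file for the IP address you want to block and prints the MAC address from the most recent lease block for that IP. dhcpd appends a new lease block every time a lease changes instead of rewriting the old one, so the last block for an address is the current one, and a plain grep for the IP would also return stale history. The function names, the lease file and the addresses in it are constructed for the example; point mac_for_ip at your real lease file instead.

```shell
#!/bin/sh
# Added example, not from the original post: find the MAC address that dhcpd
# most recently leased to an IP address by parsing an ISC dhcpd.leases file.

# mac_for_ip LEASES_FILE IP
# Prints the "hardware ethernet" address from the last lease block for IP.
# dhcpd appends a new block whenever a lease changes and never rewrites old
# ones in place, so the last block for an IP is the current one and earlier
# blocks are history. Prints nothing and returns 1 if IP is not in the file.
mac_for_ip() {
    awk -v want="$2" '
        # "lease 192.168.1.50 {" opens a block; only track the IP we want.
        $1 == "lease" { inblock = ($2 == want); mac = ""; next }
        # "hardware ethernet 00:16:3e:aa:bb:cc;" inside the block.
        inblock && $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        # "}" closes the block; remember the MAC of the latest complete block.
        inblock && $1 == "}" { inblock = 0; if (mac != "") last_mac = mac }
        END { if (last_mac == "") exit 1; print last_mac }
    ' "$1"
}

# make_sample_leases FILE
# Writes a constructed dhcpd.leases file for the demo: 192.168.1.50 was first
# leased to 00:16:3e:aa:bb:cc, was released, and is now held by 00:16:3e:dd:ee:ff.
make_sample_leases() {
    cat > "$1" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.50 {
  starts 1 2009/05/04 08:00:00;
  ends 1 2009/05/04 20:00:00;
  binding state free;
  hardware ethernet 00:16:3e:aa:bb:cc;
}
lease 192.168.1.51 {
  starts 2 2009/05/05 09:00:00;
  ends 2 2009/05/05 21:00:00;
  binding state active;
  hardware ethernet 00:16:3e:11:22:33;
  client-hostname "laptop";
}
lease 192.168.1.50 {
  starts 2 2009/05/05 10:15:00;
  ends 2 2009/05/05 22:15:00;
  binding state active;
  hardware ethernet 00:16:3e:dd:ee:ff;
}
EOF
}

# Demo with the constructed file; replace $leases with your real lease file.
leases=$(mktemp)
make_sample_leases "$leases"
echo "192.168.1.50 -> $(mac_for_ip "$leases" 192.168.1.50)"   # 00:16:3e:dd:ee:ff, not the stale aa:bb:cc
echo "192.168.1.51 -> $(mac_for_ip "$leases" 192.168.1.51)"   # 00:16:3e:11:22:33
rm -f "$leases"
```

The MAC printed for 192.168.1.50 is the one from the last block, which is what you want to feed into the iptables rule; the earlier block for the same address belongs to a host that has already given the lease up.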

Have Fun!
