asked in Networking
Hi All,

I'm installing a RUT955 at a remote location, where the LAN port is extended outside of the building for operational reasons (up a 60 ft tower).

My security guy doesn't like the idea, as if the external device were removed, an attacker would have Ethernet access to a LAN port.

I know I can do funky things with DHCP and iptables, e.g. if the network was a /24 I could make the router .1, the external unit a static lease .254 with a DHCP pool of 1 IP, then block .2 to .253 with iptables so only one IP/MAC gets a valid DHCP lease. But what I would like to do is have MAC address filtering on the LAN so only the specific external device, with its correctly assigned IP, can go anywhere upstream beyond .1.

I appreciate the captive portal has the potential to do some blocking, but in the event of a router restart there's going to be no way for the external unit to submit login credentials.

If I cannot MAC filter on the LAN, what's the best way to lock the LAN ports down so only one external device gets upstream access, please?

Regards

BB

2 Answers

0 votes
answered ago by

Hi,

You can still use iptables to filter MAC addresses. To allow a specific MAC:

  • iptables -I INPUT -m mac --mac-source YOUR:MAC:HERE -j ACCEPT

One way to do this would be to allow one (or a few) MACs and block everything else. These commands should do it:

  • iptables -I INPUT -s 192.168.1.0/24 -j DROP
  • iptables -I INPUT -m mac --mac-source YOUR:MAC:HERE -j ACCEPT

To make iptables rules work permanently (not disappear after reboot), enter them via the router's WebUI, Network → Firewall → Custom Rules page. However, to make sure that you don't accidentally block yourself, I would recommend testing the rules by entering them via terminal first. This way if you block yourself you can just reboot the router and regain access.

Keep in mind that I provided just one example which may not be the best for every scenario.

0 votes
answered ago by
Hi,

You could try to do this using Firewall -> Traffic Rules:

https://wiki.teltonika.lt/view/RUT955_Firewall#Traffic_Rule_Configuration