Hack 60 MAC Filtering with Host AP

Previous page
Table of content
Next page

figs/expert.giffigs/hack60.gif

Filter MAC addresses before they associate with your Host AP.

While you can certainly perform MAC filtering at the link layer using iptables or ebtables [Hack #59], it is far safer to let Host AP do it for you. This not only blocks traffic that is destined for your network, but also prevents miscreants from even associating with your station. This helps to preclude the possibility that someone could still cause trouble for your other associated wireless clients, even if they don't have further network access.

When using MAC filtering, most people make a list of wireless devices that they wish to allow, and then deny all others. This is done using the iwpriv command.

# iwpriv wlan0 addmac 00:30:65:23:17:05 # iwpriv wlan0 addmac 00:40:96:aa:99:fd   ... # iwpriv wlan0 maccmd 1 # iwpriv wlan0 maccmd 4

The addmac directive adds a MAC address to the internal table. You can add as many MAC addresses as you like to the table by issuing more addmac commands. You then need to tell Host AP what to do with the table you've built. The maccmd 1 command tells Host AP to use the table as an "allowed" list, and to deny all other MAC addresses from associating. Finally, the maccmd 4 command boots off all associated clients, forcing them to reassociate. This happens automatically for clients listed in the table, but everyone else attempting to associate will be denied.

Sometimes, you only need to ban a troublemaker or two, rather than set an explicit policy of permitted devices. If you need to ban a couple of specific MAC address but allow all others, try this:

# iwpriv wlan0 addmac 00:30:65:fa:ca:de # iwpriv wlan0 maccmd 2 # iwpriv wlan0 kickmac 00:30:65:fa:ca:de

As before, you can use addmac as many times as you like. The maccmd 2 command sets the policy to "deny," and kickmac boots the specified MAC immediately, if it happens to be associated. This is probably nicer than booting everybody and making them reassociate just to ban one troublemaker. Incidentally, if you'd like to remove MAC filtering altogether, try maccmd 0.

If you make a mistake typing in a MAC address, you can use the delmac command just as you would addmac, and it (predictably) deletes the given MAC address from the table. Should you ever need to flush the current MAC table entirely but keep the current policy, use this command:

# iwpriv wlan0 maccmd 3

Finally, you can view the running MAC table by using /proc:

# cat /proc/net/hostap/wlan0/ap_control

The iwpriv program manipulates the running Host AP driver, but doesn't preserve settings across reboots. Once you're happy with your MAC filtering table, be sure to put the relevant commands in an rc script to run at boot time.

Note that even unassociated clients can still listen to network traffic, so MAC filtering does very little to prevent eavesdropping. To combat passive listening techniques (like we do with Kismet in [Hack #31]), you will need to encrypt your data.


Previous page
Table of content
Next page
Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Wireless Hacks. 100 Industrial-Strength Tips and Techniques
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 158
BUY ON AMAZON
Inside Network Security Assessment: Guarding Your IT Infrastructure
Java for RPG Programmers, 2nd Edition
The New Solution Selling: The Revolutionary Sales Process That Is Changing the Way People Sell [NEW SOLUTION SELLING 2/E]
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
Information Dashboard Design: The Effective Visual Communication of Data
Microsoft Office Visio 2007 Step by Step (Step By Step (Microsoft))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy