Wireless Hacks

Hack 60 MAC Filtering with Host AP

Filter MAC addresses before they associate with your Host AP.

While you can certainly perform MAC filtering at the link layer using iptables or ebtables [Hack #59], it is far safer to let Host AP do it for you. This not only blocks traffic that is destined for your network, but also prevents miscreants from even associating with your station. This helps to preclude the possibility that someone could still cause trouble for your other associated wireless clients, even if they don't have further network access.

When using MAC filtering, most people make a list of wireless devices that they wish to allow, and then deny all others. This is done using the iwpriv command.

# iwpriv wlan0 addmac 00:30:65:23:17:05
# iwpriv wlan0 addmac 00:40:96:aa:99:fd
  ...
# iwpriv wlan0 maccmd 1
# iwpriv wlan0 maccmd 4

The addmac directive adds a MAC address to the internal table. You can add as many MAC addresses as you like to the table by issuing more addmac commands. You then need to tell Host AP what to do with the table you've built. The maccmd 1 command tells Host AP to use the table as an "allowed" list, and to deny all other MAC addresses from associating. Finally, the maccmd 4 command boots off all associated clients, forcing them to reassociate. This happens automatically for clients listed in the table, but everyone else attempting to associate will be denied.

Sometimes, you only need to ban a troublemaker or two, rather than set an explicit policy of permitted devices. If you need to ban a couple of specific MAC address but allow all others, try this:

# iwpriv wlan0 addmac 00:30:65:fa:ca:de
# iwpriv wlan0 maccmd 2
# iwpriv wlan0 kickmac 00:30:65:fa:ca:de

As before, you can use addmac as many times as you like. The maccmd 2 command sets the policy to "deny," and kickmac boots the specified MAC immediately, if it happens to be associated. This is probably nicer than booting everybody and making them reassociate just to ban one troublemaker. Incidentally, if you'd like to remove MAC filtering altogether, try maccmd 0.

If you make a mistake typing in a MAC address, you can use the delmac command just as you would addmac, and it (predictably) deletes the given MAC address from the table. Should you ever need to flush the current MAC table entirely but keep the current policy, use this command:

# iwpriv wlan0 maccmd 3

Finally, you can view the running MAC table by using /proc:

# cat /proc/net/hostap/wlan0/ap_control

The iwpriv program manipulates the running Host AP driver, but doesn't preserve settings across reboots. Once you're happy with your MAC filtering table, be sure to put the relevant commands in an rc script to run at boot time.

Note that even unassociated clients can still listen to network traffic, so MAC filtering does very little to prevent eavesdropping. To combat passive listening techniques (like we do with Kismet in [Hack #31]), you will need to encrypt your data.

Index: [SYMBOL][A][B][C][D][E][F][G][H][I][J][L][M][N][O][P][Q][R][S][T][U][V][W][X][Z]

Main Menu

	Main Page
	Table of content
	Copyright
	Credits
	Foreword
	Preface
	Chapter 1. The Standards
	Chapter 2. Bluetooth and Mobile Data
	Chapter 3. Network Monitoring
	Chapter 4. Hardware Hacks
		4.1 Hacks #43-69
		Hack 43 Add-on Laptop Antennas
		Hack 44 Increasing the Range of a Titanium PowerBook
		Hack 45 WET11 Upgrades
		Hack 46 AirPort Linux
		Hack 47 Java Configurator for AirPort APs
		Hack 48 Apple Software Base Station
		Hack 49 Adding an Antenna to the AirPort
		Hack 50 The NoCat Night Light
		Hack 51 Do-It-Yourself Access Point Hardware
		Hack 52 Compact Flash Hard Drive
		Hack 53 Pebble
		Hack 54 Tunneling: IPIP Encapsulation
		Hack 55 Tunneling: GRE Encapsulation
		Hack 56 Running Your Own Top-Level Domain
		Hack 57 Getting Started with Host AP
		Hack 58 Make Host AP a Layer 2 Bridge
		Hack 59 Bridging with a Firewall
		Hack 60 MAC Filtering with Host AP
		Hack 61 Hermes AP
		Hack 62 Microwave Cabling Guide
		Hack 63 Microwave Connector Reference
		Hack 64 Antenna Guide
		Hack 65 Client Capability Reference Chart
		Hack 66 Pigtails
		Hack 67 802.11 Hardware Suppliers
		Hack 68 Home-Brew Power over Ethernet
		Hack 69 Cheap but Effective Roof Mounts
	Chapter 5. Do-It-Yourself Antennas
	Chapter 6. Long Distance Links
	Chapter 7. Wireless Security
	Appendix A. Deep Dish Parabolic Reflector Template
	Colophon
	Index

	More Books
	PHP Hacks
	Processing Xml With Java - A Guide To Sax, Dom, Jdom, Jaxp, And Trax
	The Koran (Holy Qur'an)
	Macromedia Flash 8 Bible
	Search Engine Optimization for Dummies
	YouTube Traffic
	PHP 5 for Dummies
	Harry Potter and The Chamber of Secrets
	Harry Potter and the Sorcerer's Stone
	The Pilgrim's Progress
	Wireless Hacks
	Flash Hacks. 100 Industrial-Strength Tips & Tools
	PayPal Hacks. 100 Industrial-Strength Tips and Tools
	Amazon Hacks
	Pdf Hacks
	The Da Vinci Code
	Google Hacks
	The Holy Bible
	Windows XP For Dummies
	Harry Potter and the Half-Blood Prince
	Seo Book
	Upgrading and Repairing Networks
	Macromedia Dreamweaver 8 UNLEASHED
	Windows XP Annoyances
	Windows XP Hacks
	Microsoft Windows XP Power Toolkit
	Teach Yourself MS Office In 24Hours
	iPod & iTunes Missing Manual
	PC Hacks 100 Industrial-Strength Tips and Tools
	PC Overclocking, Optimization, and Tuning - 2th Edition
	PC Hardware In A Nutshell 3rd Edition
	PC Hardware in a Nutshell, 2nd Edition
	Upgrading and Repairing PCs
	Google for Dummies
	MySQL Cookbook
	Teach Yourself Macromedia Flash 8 In 24 Hours
	PHP CookBook
	Sams Teach Yourself JavaScript in 24 Hours
	PHP5 Manual

Free Games Paper Airplanes

500 Kostenlose Spiele