Wireless Hacks. 1917 IndustrialStrength Tips and Tools [Electronic resources] (text version)


Rob Flickenger











Hack 60 MAC Filtering with Host AP


Filter MAC addresses before they associate with your Host AP.

While you can certainly perform MAC filtering at the link layer using
iptables or ebtables [Hack #59], it is far safer to let Host AP do it
for you. This not only blocks traffic that is destined for your
network, but also prevents miscreants from even associating with your
station. This helps to preclude the possibility that someone could
still cause trouble for your other associated wireless clients, even
if they don't have further network access.

When using MAC filtering, most people make a list of wireless devices
that they wish to allow, and then deny all others. This is done using
the iwpriv command.

# iwpriv wlan0 addmac 00:30:65:23:17:05
# iwpriv wlan0 addmac 00:40:96:aa:99:fd
...
# iwpriv wlan0 maccmd 1
# iwpriv wlan0 maccmd 4

The addmac directive adds a MAC address to the internal table. You can
add as many MAC addresses as you like to the table by issuing more
addmac commands. You then need to tell Host AP what to do with the
table you've built. The maccmd 1 command tells Host AP to use the
table as an "allowed" list, and to deny all other MAC addresses from
associating. Finally, the maccmd 4 command boots off all associated
clients, forcing them to reassociate. This happens automatically for
clients listed in the table, but everyone else attempting to associate
will be denied.

Sometimes, you only need to ban a troublemaker or two, rather than
set an explicit policy of permitted devices. If you need to ban a
couple of specific MAC addresses but allow all others, try this:

# iwpriv wlan0 addmac 00:30:65:fa:ca:de
# iwpriv wlan0 maccmd 2
# iwpriv wlan0 kickmac 00:30:65:fa:ca:de

As before, you can use addmac as many times as you like. The maccmd 2
command sets the policy to "deny," and kickmac boots the specified MAC
immediately, if it happens to be associated. This is probably nicer
than booting everybody and making them reassociate just to ban one
troublemaker. Incidentally, if you'd like to remove MAC filtering
altogether, try maccmd 0.

If you make a mistake typing in a MAC address, you can use the
delmac command just as you would
addmac, and it (predictably) deletes the given MAC
address from the table. Should you ever need to flush the current MAC
table entirely but keep the current policy, use this command:

# iwpriv wlan0 maccmd 3

Finally, you can view the running MAC table by using /proc:

# cat /proc/net/hostap/wlan0/ap_control 

The iwpriv program manipulates the running
Host AP driver, but doesn't preserve settings across
reboots. Once you're happy with your MAC filtering
table, be sure to put the relevant commands in an
rc script to run at boot time.
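
One way to build that rc script, as an added example that is not from the book: it reads a MAC list file, validates every entry, and only then emits the iwpriv sequence described above. The function names, the IFACE variable and the list file path are hypothetical; the iwpriv subcommands are the ones shown in this hack.

```shell
#!/bin/sh
# Added example (not from the book): emit the iwpriv commands that rebuild
# the Host AP MAC table from a list file, for use from an rc script.
# Hypothetical names: hostap_acl_commands, valid_mac, IFACE, the list path.
# List format: one MAC per line; blank lines and '#' comments are ignored, e.g.
#   00:30:65:23:17:05   # laptop

IFACE=${IFACE:-wlan0}

# True only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# hostap_acl_commands allow|deny LISTFILE
# Prints commands on stdout; prints nothing and returns non-zero if any entry
# is malformed, so a typo cannot produce a half-built table.
hostap_acl_commands() {
    case $1 in
        allow) mode=1 ;;
        deny)  mode=2 ;;
        *) echo "policy must be allow or deny" >&2; return 2 ;;
    esac
    macs=$(sed -e 's/#.*//' "$2" | awk 'NF {print $1}')
    [ -n "$macs" ] || { echo "empty list: $2" >&2; return 1; }
    for m in $macs; do
        valid_mac "$m" || { echo "bad MAC: $m" >&2; return 1; }
    done
    echo "iwpriv $IFACE maccmd 3"                # flush old entries
    for m in $macs; do echo "iwpriv $IFACE addmac $m"; done
    echo "iwpriv $IFACE maccmd $mode"            # 1 = allow list, 2 = deny list
    if [ "$mode" -eq 1 ]; then
        echo "iwpriv $IFACE maccmd 4"            # kick all; listed clients rejoin
    else
        for m in $macs; do echo "iwpriv $IFACE kickmac $m"; done
    fi
}

# From an rc script: sh hostap-acl.sh allow /etc/hostap/allow.list
if [ "$#" -eq 2 ]; then
    cmds=$(hostap_acl_commands "$1" "$2") && printf '%s\n' "$cmds" | sh
fi
```

Refusing an empty or malformed list matters most in allow mode, where an empty table followed by maccmd 1 would lock out every client.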

Note that even unassociated clients can
still listen to network traffic, so MAC filtering does very little to
prevent eavesdropping. To combat passive listening techniques (like
we do with Kismet in [Hack #31]), you will
need to encrypt your data.

