Tags: google-compute-engine, iptables, mac-address

Determine incoming MAC address on Google ComputeEngine


I'm battling to resolve mac address filtering on Google ComputeEngine.

I have a requirement where we have a web application running on a server. The same users that will be using the web application must also be able to use scp and ssh to get onto the same server.

So the idea so far:

  1. Enable HTTPS only for the web app - working
  2. Enable DSA based KEY-ONLY ssh with password access disabled - working.
  3. Enable mac filtering to the web application and ssh. The idea is that people not authorized will not even be able to see that there is something on that server IP.

Client IP filtering is a bit of a problem as IPs change when using ADSL at home....

To set up and test this I have used the following environment using three different machines on our local office network: CentOS 7 server running inside a VM (VMWare). I have enabled iptables and disabled firewall. I have then added the following rules:

This will allow only ssh (port 22) to mac address

iptables -A INPUT -p tcp --dport 22 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Now reject the rest of the ssh attempts ...

iptables -A INPUT -p tcp --dport 22 -j REJECT

This works 100% for ssh when testing from the other two machines (one windows and one Ubuntu). So far so good.

I have now moved to the target environment on Google ComputeEngine (running a CentOS 7 VM). However, all the connections show the same MAC address as source. I am using arp -a to retrieve the list of users with their MAC addresses.

This is the arp result:

arp 
Address                  HWtype  HWaddress           Flags Mask            Iface
10.xxx.xxx.1               ether   xx:xx:xx:xx:xx:xx   C                     eth0

The problem is that using different users/different machines and different internet service providers all show up with the same mac address (according to arp) on the ComputeEngine side.

Using the gcloud firewall seems to be incapable of filtering on mac address. All the available documentation references only ip/port filtering. This is what I'm getting at the moment when dumping the existing firewall rules (outside of the VM)

gcloud compute firewall-rules list
NAME                   NETWORK SRC_RANGES    RULES                        SRC_TAGS TARGET_TAGS
default-allow-http     default 0.0.0.0/0     tcp:80                                http-server
default-allow-https    default 0.0.0.0/0     tcp:443                               https-server
default-allow-icmp     default 0.0.0.0/0     icmp
default-allow-internal default 10.240.0.0/16 tcp:1-65535,udp:1-65535,icmp
default-allow-rdp      default 0.0.0.0/0     tcp:3389
default-allow-ssh      default 0.0.0.0/0     tcp:22

Does anybody know how I can retrieve the correct mac addresses inside the CentOS VM or use the gcloud firewall to achieve the same?


Solution

  • The source MAC address of an incoming IP packet isn't set to the MAC address of the original sender of the packet, but to the MAC address of the last hop (router). This means that MAC filtering can be used only for hosts on the same network. This is dictated by how TCP/IP works and applies to any network. In addition to that, each VM on GCE has its own local network (with netmask 255.255.255.255) and only ever sees the gateway (and no other host) on that network.
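The following script is an added illustration of the point made in the answer; it is not code from the question or the answer. It models the two environments described on the page (an office LAN with a /24 netmask, and a GCE guest with the /32 netmask the answer mentions) and works out, for a list of client IPs, whose MAC address the host will actually see as the Ethernet source. The interface settings, client IPs, and the `arp` output it parses are all constructed sample data; the MAC and IP values are placeholders, not real addresses.

```python
"""Show why --mac-source filtering only identifies on-link peers.

The Ethernet source MAC of a received frame belongs to whichever device
put the frame on the local segment. For a peer on the same subnet that is
the peer itself; for a routed peer it is the last-hop router (gateway).
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample: a GCE-style guest interface (/32, sees only the gateway).
GCE_IFACE = {"address": "10.240.0.5", "prefixlen": 32, "gateway": "10.240.0.1"}
# Constructed sample: an office LAN like the one used for the iptables test.
LAN_IFACE = {"address": "192.168.1.50", "prefixlen": 24, "gateway": "192.168.1.1"}

# Constructed `arp` (net-tools) output for each environment; MACs are placeholders.
GCE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.240.0.1               ether   42:01:0a:f0:00:01   C                     eth0
"""
LAN_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:01   C                     eth0
192.168.1.77             ether   00:11:22:33:44:77   C                     eth0
192.168.1.88             ether   00:11:22:33:44:88   C                     eth0
"""


def on_link(iface: Dict[str, object], peer_ip: str) -> bool:
    """True if peer_ip falls inside the interface's own subnet."""
    net = ipaddress.ip_network(
        f"{iface['address']}/{iface['prefixlen']}", strict=False
    )
    return ipaddress.ip_address(peer_ip) in net


def classify_peers(iface: Dict[str, object], peers: List[str]) -> Dict[str, str]:
    """Per peer IP, report whose MAC will appear as the frame's source."""
    result = {}
    for ip in peers:
        # On-link peers deliver frames directly, so their own MAC is visible;
        # everything else arrives via the router and carries the gateway's MAC.
        result[ip] = "peer" if on_link(iface, ip) else "gateway"
    return result


def parse_arp(output: str) -> Dict[str, str]:
    """Parse net-tools `arp` table output into {ip: mac}, skipping the header."""
    entries = {}
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "ether":
            entries[fields[0]] = fields[2].lower()
    return entries


def distinct_source_macs(arp_table: Dict[str, str], iface: Dict[str, object],
                         peers: List[str]) -> Set[str]:
    """MAC addresses an iptables -m mac rule could ever match for these peers."""
    macs = set()
    for ip, who in classify_peers(iface, peers).items():
        lookup = ip if who == "peer" else iface["gateway"]
        macs.add(arp_table.get(lookup, "unknown"))
    return macs


if __name__ == "__main__":
    clients = ["203.0.113.7", "198.51.100.20", "192.168.1.77"]
    print("GCE:", distinct_source_macs(parse_arp(GCE_ARP), GCE_IFACE, clients))
    print("LAN:", distinct_source_macs(parse_arp(LAN_ARP), LAN_IFACE, clients))
```

On the GCE model every client, regardless of ISP or machine, collapses to the single gateway MAC, which is exactly what the question's `arp` listing showed; on the LAN model the on-link client keeps its own MAC while routed clients still share the router's. The practical takeaway for the requirement in the question is that a source MAC is only a usable identity check for peers on the same Layer 2 segment, so remote users need an identity mechanism carried above the link layer (the key-only SSH already in place, and client certificates or an authenticated tunnel for the web application).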