From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bjorn Ruberg
Subject: Re: MAC Addresses in Logfile Entries
Date: 23 Apr 2003 07:19:53 +0200
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <1051075193.2441.13.camel@mikke>
References: <200304230107.h3N17N5c024243@osprey.tkevans.com> <003401c3093d$ec896c30$0200a8c0@storm>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
In-Reply-To: <003401c3093d$ec896c30$0200a8c0@storm>
Errors-To: netfilter-admin@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"
To: netfilter@lists.netfilter.org

On Wed, 2003-04-23 at 04:13, Eric Poulin wrote:
> > Some of our log entries contain MAC addresses, like this:
> > Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT=
> > MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX
> > DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP
> > SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0
> > While others don't:
> > Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1
> > SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225
> > DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0
> >
> > I see the "OUT" field in the latter contains "eth1" instead of a MAC
> > address.
> >
> > Can someone elaborate on the difference here? Thanks.
>
> I'm experiencing this behavior for a while already, and from what I can see,
> I will only see the MAC address in the log ONLY if the packet was destined
> for the local machine (or was generated BY the machine), but I will never see
> MACs if the packet logged was for another machine than the firewall.
>
> If somebody can confirm...

Tim,

If you take a look at your own rules you will see that the rule with the
MAC address is one of your INPUT rules ("IPT IN_FIREWALL") while the
other one is a FORWARD rule ("IPT FORWARD").

Use that as a hint for further examination of your iptables rules and
the logs they produce. Read the information on this web site as well:

http://logi.cc/linux/netfilter-log-format.php3

Bjorn
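
The following is an added example, not part of the original message: a small parser for the two log entries quoted in the thread. It separates the log prefix from the KEY=value fields and decodes MAC= when present. The function names are illustrative, and it assumes the MAC= value is the 14-octet Ethernet header (6 octets destination, 6 octets source, 2 octets EtherType, where 08:00 is IPv4).

```python
import re

# Log lines quoted in the thread above (addresses redacted as in the post).
SAMPLE_LOG = [
    ("Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT= "
     "MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX "
     "DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP "
     "SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0"),
    ("Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1 "
     "SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 "
     "ID=225 DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0"),
]

# The --log-prefix text sits between "kernel: " and the first IN= field.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<body>IN=.*)$")

def split_mac(value):
    """Split a MAC= value (assumed 14-octet Ethernet header) into its parts."""
    octets = value.split(":") if value else []
    if len(octets) != 14:
        return None  # field absent, empty, or not an Ethernet header
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:]),
    }

def parse_log_line(line):
    """Return prefix, KEY=value fields, bare flags and decoded MAC, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not an iptables LOG entry
    fields, flags = {}, []
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value  # OUT= yields an empty string
        else:
            flags.append(token)  # DF, SYN, ... carry no value
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags,
            "mac": split_mac(fields.get("MAC"))}

if __name__ == "__main__":
    for entry in map(parse_log_line, SAMPLE_LOG):
        f = entry["fields"]
        print(entry["prefix"], f["IN"], f["OUT"] or "-", entry["mac"])
```

Grouping parsed entries by prefix and by whether IN and OUT are both set is a quick way to see which rule produced each log line.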