* iptables/mac address filtering question
@ 2007-08-11 17:46 Jay Sprenkle
  2007-08-11 18:41 ` Канивец Николай
  2007-08-11 18:55 ` iptables/mac address filtering question (nfcan: to exclusive) Jim Laurino
  0 siblings, 2 replies; 3+ messages in thread
From: Jay Sprenkle @ 2007-08-11 17:46 UTC (permalink / raw)
  To: netfilter

Good morning all,

I'm already aware mac address is easily spoofed but I'd like to make
it just a little bit harder to break into my system anyway. I'm trying
to only allow a specific box to use scp to safely transfer data over
the internet.

I've put in a rule in my iptables chain but notice when I try to
connect it's rejected. The mac address I'm getting is not the same as
what iwconfig reports on my device. If a packet is passed through
routers on its way to my box do they change the mac address of the
packet?

Any suggestions would be welcome.

Have a good weekend



* Re: iptables/mac address filtering question
  2007-08-11 17:46 iptables/mac address filtering question Jay Sprenkle
@ 2007-08-11 18:41 ` Канивец Николай
  2007-08-11 18:55 ` iptables/mac address filtering question (nfcan: to exclusive) Jim Laurino
  1 sibling, 0 replies; 3+ messages in thread
From: Канивец Николай @ 2007-08-11 18:41 UTC (permalink / raw)
  To: Jay Sprenkle, netfilter

Of course they do.
You will have the source IP address unchanged (if you do not perform SNAT on
any on-the-way router), but you will receive the source MAC address of the
router in the Ethernet segment nearest to your destination. In other words,
say you have 3 intermediate routers between your source and destination
machines. Your destination machine will "see" the MAC (ethernet) address of
the third-on-the-way router, not your original machine.

regards,
Nikolay.

Best regards,
Николай Канивец
e-mail: n_kanivets@futureservice.ru
----- Original Message -----
From: "Jay Sprenkle" <jsprenkle@gmail.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, August 11, 2007 9:46 PM
Subject: iptables/mac address filtering question


> Good morning all,
>
> I'm already aware mac address is easily spoofed but I'd like to make
> it just a little bit harder to break into my system anyway. I'm trying
> to only allow a specific box to use scp to safely transfer data over
> the internet.
>
> I've put in a rule in my iptables chain but notice when I try to
> connect it's rejected. The mac address I'm getting is not the same as
> what iwconfig reports on my device. If a packet is passed through
> routers on its way to my box do they change the mac address of the
> packet?
>
> Any suggestions would be welcome.
>
> Have a good weekend
>




* Re: iptables/mac address filtering question (nfcan: to exclusive)
  2007-08-11 17:46 iptables/mac address filtering question Jay Sprenkle
  2007-08-11 18:41 ` Канивец Николай
@ 2007-08-11 18:55 ` Jim Laurino
  1 sibling, 0 replies; 3+ messages in thread
From: Jim Laurino @ 2007-08-11 18:55 UTC (permalink / raw)
  To: netfilter

On 08/11/2007 01:46:51 PM, Jay Sprenkle - jsprenkle@gmail.com wrote:

....
> I've put in a rule in my iptables chain but notice when I try to
> connect it's rejected. The mac address I'm getting is not the same as
> what iwconfig reports on my device. If a packet is passed through
> routers on its way to my box do they change the mac address of the
> packet?

Yes, the MAC address is lost when a packet leaves an ethernet segment.
Recall that a MAC address is how devices sharing an ethernet address each other.
Routers operate on IP addresses and do not use or preserve ethernet addresses.
Maybe bridging, if you could do that, would preserve the MAC address.

Regards,

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
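
The behaviour both replies describe can be checked on the receiving host by logging the Ethernet header the kernel actually sees and comparing its source MAC with the client's and the gateway's. This is an added example, not part of the thread; the log prefix, the addresses, the sample log line and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The rules in these comments use real
# iptables options (-j LOG --log-prefix, -m mac --mac-source); all addresses
# are constructed samples.
#
# Log new SSH connections so the kernel records the Ethernet header it saw:
#   iptables -I INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "ssh-mac: "
# A MAC rule of the kind described in the question:
#   iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 00:16:3e:aa:bb:cc -j ACCEPT

# Constructed sample of a netfilter LOG line for a connection that crossed routers.
SAMPLE_LOG='Aug 11 17:50:01 host kernel: ssh-mac: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:1a:2b:3c:4d:5e:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print the source MAC from a LOG line. On Ethernet the MAC= field is the
# 14-byte header: destination MAC (6), source MAC (6), EtherType (2).
# Returns 1 when the field is empty or not 14 octets (e.g. loopback).
src_mac_from_log() {
    mac_field=$(printf '%s\n' "$1" |
        sed -n 's/.* MAC=\(\([0-9a-fA-F]\{2\}:\)\{13\}[0-9a-fA-F]\{2\}\) .*/\1/p')
    [ -n "$mac_field" ] || return 1
    printf '%s\n' "$mac_field" | cut -d: -f7-12 | tr 'A-F' 'a-f'
}

# Print the IP source address, which routers leave unchanged unless SNAT is used.
src_ip_from_log() {
    printf '%s\n' "$1" | sed -n 's/.* SRC=\([^ ]*\).*/\1/p'
}

# Classify the sender of the frame.
# Arguments: log line, expected client MAC, MAC of this host's gateway.
check_sender() {
    seen=$(src_mac_from_log "$1") || { echo "no-mac"; return 1; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    gw=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$seen" = "$want" ]; then
        echo "client-on-segment"   # client shares this Ethernet segment
    elif [ "$seen" = "$gw" ]; then
        echo "via-gateway"         # frame was written by the last-hop router
    else
        echo "other-l2-neighbor"   # some other device on the local segment
    fi
}

# Stand-alone run: the client MAC never arrives, only the gateway's does.
echo "src ip:  $(src_ip_from_log "$SAMPLE_LOG")"
echo "src mac: $(src_mac_from_log "$SAMPLE_LOG")"
echo "verdict: $(check_sender "$SAMPLE_LOG" 00:16:3e:aa:bb:cc 00:1a:2b:3c:4d:5e)"
```

A "via-gateway" verdict for every remote connection means a `--mac-source` rule can only ever match the router, so it cannot single out one remote machine.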


