* iprange and mac-source
From: Kenneth Kalmer @ 2005-03-06 23:38 UTC (permalink / raw)
To: netfilter, GLUG-Chat
Guys
I'm having some difficulty getting the following rules to work:
These chains are used in both the INPUT and FORWARD chains of the filter table:
# Log/Drop chain for IP/MAC address mismatches
$IPTABLES -N ADDRESSMISMATCH 2> /dev/null
$IPTABLES -F ADDRESSMISMATCH
$IPTABLES -A ADDRESSMISMATCH -m limit --limit $LTIME \
    -j LOG --log-level $LOG_LEVEL --log-prefix "Firewall (IP/MAC mismatch) "
$IPTABLES -A ADDRESSMISMATCH -p tcp -j $TCP_RESPOND
$IPTABLES -A ADDRESSMISMATCH -p udp -j $UDP_RESPOND
$IPTABLES -A ADDRESSMISMATCH -j DROP

# Now verify all MAC/IP combos (each invocation is one command; the
# mail client wrapped the long lines)
$IPTABLES -N VERIFYMAC 2> /dev/null
$IPTABLES -F VERIFYMAC
$IPTABLES -A VERIFYMAC -i $LANPORT \
    -m iprange --src-range 192.168.10.1-192.168.10.10 \
    -m mac --mac-source 00:0b:6a:a0:0a:7f -j RETURN
$IPTABLES -A VERIFYMAC -i $LANPORT \
    -m iprange --src-range 192.168.10.31-192.168.10.40 \
    -m mac --mac-source 00:02:e3:55:85:f5 -j RETURN
$IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
Every single packet traverses the chain all the way down to
ADDRESSMISMATCH, no packets match...
The scenario is that each user can have multiple MAC addresses
(laptops, PDAs & PCs). The DHCP will always issue the same range to
the same MAC addresses; each user gets their own pool of 10 IPs.
I'm trying to avoid matching 10 IPs to each MAC address. I'm under
the impression that this will adversely affect performance. We already
have 80 users on the network, 800 possible IPs and already 110 MAC
addresses. Will the VERIFYMAC chain above get too big, or is this not a
problem?
Is the one-to-one match the only solution, or am I missing the plot here?
Thanks in advance!
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com
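The rule set in the post is easier to reason about when it is generated from a table of (user, MAC, range) entries rather than typed by hand: one RETURN rule per MAC, users with several devices getting one line per device with the same range, and every entry checked before it becomes a rule, because a malformed MAC or range produces a rule that silently never matches, which looks exactly like the "everything falls through to ADDRESSMISMATCH" symptom described above. The following POSIX shell script is an added example written for this page, not code from the thread or from the netfilter project. It assumes a LAN interface named eth1, a constructed device table (the user names, the third MAC and the fourth entry are made up; the two MACs and ranges from the post are reused as sample data), and it defaults to printing the iptables commands instead of running them, so it can be run without root.

```shell
#!/bin/sh
# Added example: generate the VERIFYMAC chain from a per-device table.
# IPTABLES defaults to a dry-run printer; set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
LANPORT="${LANPORT:-eth1}"          # assumed LAN interface name

# Constructed sample table: user, MAC, first IP, last IP.
# A user with several devices gets one line per device, same range.
# The last entry has a five-group MAC and must be rejected, not installed.
DEVICE_TABLE='
alice 00:0b:6a:a0:0a:7f 192.168.10.1  192.168.10.10
alice 00:02:e3:55:85:f5 192.168.10.1  192.168.10.10
bob   00:11:22:33:44:55 192.168.10.31 192.168.10.40
carol 00:aa:bb:cc:dd    192.168.10.41 192.168.10.50
'

# valid_mac: exactly six colon-separated hex pairs, case-insensitive.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ip4: dotted quad with every octet numeric and <= 255.
valid_ip4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# gen_verifymac_rules: emit (or run) the chain. Each iptables invocation
# is a single command; a line wrapped by a mail client, pasted as-is,
# would run "--src-range" with no argument and install nothing.
gen_verifymac_rules() {
    $IPTABLES -N VERIFYMAC 2>/dev/null
    $IPTABLES -F VERIFYMAC
    echo "$DEVICE_TABLE" | while read -r user mac first last; do
        [ -z "$user" ] && continue
        if ! valid_mac "$mac" || ! valid_ip4 "$first" || ! valid_ip4 "$last"; then
            echo "skipping bad entry for $user: $mac $first-$last" >&2
            continue
        fi
        # The mac match only sees a source MAC on frames that arrived on a
        # directly attached link, hence -i and use in INPUT/FORWARD only.
        $IPTABLES -A VERIFYMAC -i "$LANPORT" -m iprange --src-range "$first-$last" \
            -m mac --mac-source "$mac" -j RETURN
    done
    # Anything not explicitly paired is treated as an IP/MAC mismatch.
    $IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
}

# count_return_rules: how many RETURN rules the generator emits (dry run).
count_return_rules() {
    gen_verifymac_rules 2>/dev/null | grep -c -- '-j RETURN'
}

gen_verifymac_rules
```

Run as-is to review the generated commands (the bad `carol` entry is reported on stderr and skipped, leaving three RETURN rules); run with `IPTABLES=iptables` as root to install them. Two caveats a defender should keep in mind: the `mac` match is only available in the PREROUTING, INPUT and FORWARD hooks and only sees the source MAC of the last L2 hop, so a router or VPN between the client and the firewall makes every frame carry the router's MAC; and a per-MAC rule list is scanned linearly, which is fine at a hundred-odd rules, while for much larger bindings a modern ipset of type `hash:ip,mac` gives one lookup instead of a rule per device.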
* Re: iprange and mac-source
From: Mohamed Eldesoky @ 2005-03-07 9:56 UTC (permalink / raw)
To: Kenneth Kalmer, netfilter
You wrote:
$IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range
192.168.10.31-192.168.10.40 -m mac --mac-source 00:02:e3:55:85:f5 -j
RETURN
This doesn't seem like every user can have multiple MACs!!!
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
* Re: iprange and mac-source
From: Mohamed Eldesoky @ 2005-03-08 12:26 UTC (permalink / raw)
To: Kenneth Kalmer, netfilter
I am referring to the fact that you are actually matching a range of IPs against a single MAC!!
On Mon, 7 Mar 2005 17:05:21 +0200, Kenneth Kalmer
<kenneth.kalmer@gmail.com> wrote:
> On Mon, 7 Mar 2005 11:56:59 +0200, Mohamed Eldesoky
> <eldesoky.lists@gmail.com> wrote:
> > You wrote:
> > $IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range
> > 192.168.10.31-192.168.10.40 -m mac --mac-source 00:02:e3:55:85:f5 -j
> > RETURN
> >
> > This doesn't seem like every user can have multiple MACs !!!
>
> I can't exactly paste 110 lines from the output here, can I?
>
> --
>
> Kenneth Kalmer
> kenneth.kalmer@gmail.com
> http://opensourcery.blogspot.com
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE