* Reject Mac-Address
@ 2003-08-01  3:20 Leonardo Pires
  2003-08-01  7:52 ` Cedric Blancher
  0 siblings, 1 reply; 4+ messages in thread
From: Leonardo Pires @ 2003-08-01  3:20 UTC (permalink / raw)
  To: netfilter



I have the following scenario:

internet--router---firewall---router---clients

I have the MAC address of all clients, and I need to reject some clients at the firewall using the MAC address. Does someone know how I can do it?

Thanks.

Leonardo Pires



* Re: Reject Mac-Address
  2003-08-01  3:20 Reject Mac-Address Leonardo Pires
@ 2003-08-01  7:52 ` Cedric Blancher
  2003-08-01  9:15   ` George Vieira
  0 siblings, 1 reply; 4+ messages in thread
From: Cedric Blancher @ 2003-08-01  7:52 UTC (permalink / raw)
  To: Leonardo Pires; +Cc: netfilter

On Fri 01/08/2003 at 05:20, Leonardo Pires wrote:
> I have the following scenario:
> internet--router---firewall---router---clients
> I have the MAC address of all clients, and I need to reject some
> clients at the firewall using the MAC address. Does someone know how I
> can do it?

You will do source MAC address based filtering. Use the mac match:

cbr@elendil:~$ iptables -m mac --help
iptables v1.2.7a
[...]
MAC v1.2.7a options:
 --mac-source [!] XX:XX:XX:XX:XX:XX
                                Match source MAC address

Suppose you want to deny access to a host considering its MAC address:

	iptables -A FORWARD -m mac --mac-source $FORBIDDEN_MAC -j DROP

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* RE: Reject Mac-Address
  2003-08-01  7:52 ` Cedric Blancher
@ 2003-08-01  9:15   ` George Vieira
  2003-08-01  9:28     ` Cedric Blancher
  0 siblings, 1 reply; 4+ messages in thread
From: George Vieira @ 2003-08-01  9:15 UTC (permalink / raw)
  To: Cedric Blancher, Leonardo Pires; +Cc: netfilter

Hey, don't forget.. the firewall will only see the MAC of the routers (from
experience) unless the routers pass the MAC address across when routed...
but AFAIK they don't.. so -m mac is useless in this scenario...



* RE: Reject Mac-Address
  2003-08-01  9:15   ` George Vieira
@ 2003-08-01  9:28     ` Cedric Blancher
  0 siblings, 0 replies; 4+ messages in thread
From: Cedric Blancher @ 2003-08-01  9:28 UTC (permalink / raw)
  To: George Vieira; +Cc: Leonardo Pires, netfilter

On Fri 01/08/2003 at 11:15, George Vieira wrote:
> Hey, don't forget.. the firewall will only see the MAC of the routers (from
> experience) unless the routers pass the MAC address across when routed...
> but AFAIK they don't.. so -m mac is useless in this scenario...

True, I focused on source MAC filtering and forgot to have a more
attentive look at the network drawing. My mistake.

> internet--router---firewall---router---clients

Using this architecture, the clients' MAC addresses won't be visible from the
firewall. The router's will be the only one visible.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

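As an added example (not code from any of the thread's authors), a small Python model of the point the thread settles on: every IP hop rewrites the Ethernet source MAC, so a `--mac-source` rule on the firewall only ever sees the neighbouring router's address. Hostnames and MAC addresses below are constructed; `drop_rule()` emits the FORWARD rule Cedric posted, after checking the address format.

```python
import re

# Constructed sample topology from the thread:
#   internet--router_a---firewall---router_b---clients
# Each entry is (hostname, MAC of the interface facing the next hop); MACs are made up.
CLIENT_MAC = "00:11:22:33:44:55"
ROUTER_B_MAC = "00:aa:bb:cc:dd:02"
PATH_VIA_ROUTER = [("client", CLIENT_MAC), ("router_b", ROUTER_B_MAC),
                   ("firewall", "00:aa:bb:cc:dd:f1"), ("router_a", "00:aa:bb:cc:dd:01"),
                   ("internet", "00:aa:bb:cc:dd:ee")]
# Alternative: clients on the same Ethernet segment as the firewall (no router in between).
PATH_DIRECT = [("client", CLIENT_MAC), ("firewall", "00:aa:bb:cc:dd:f1"),
               ("router_a", "00:aa:bb:cc:dd:01"), ("internet", "00:aa:bb:cc:dd:ee")]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def drop_rule(mac):
    """Build the FORWARD rule from the thread for one source MAC.
    Malformed input is rejected here rather than handed to iptables."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return "iptables -A FORWARD -m mac --mac-source %s -j DROP" % mac


def source_mac_seen_by(path, observer):
    """Source MAC in the Ethernet header of a frame as it reaches `observer`.
    Each IP hop re-encapsulates the packet, so the source MAC is always the
    previous hop's interface, never the original sender's."""
    names = [name for name, _ in path]
    idx = names.index(observer)
    if idx == 0:
        raise ValueError("observer is the sender itself")
    return path[idx - 1][1]


def mac_filter_effective(path, observer, client_mac):
    """True only if a --mac-source rule for client_mac at `observer` could ever match."""
    return source_mac_seen_by(path, observer).lower() == client_mac.lower()


if __name__ == "__main__":
    for label, path in (("via router", PATH_VIA_ROUTER), ("direct", PATH_DIRECT)):
        print(label, "- firewall sees", source_mac_seen_by(path, "firewall"),
              "- filter effective:", mac_filter_effective(path, "firewall", CLIENT_MAC))
    print(drop_rule(CLIENT_MAC))
```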
