From: Boryan Yotov <yotov@prosyst.com>
To: netfilter@lists.netfilter.org
Subject: Re: MAC/IP PAIR MATCH
Date: Mon, 30 Jan 2006 18:30:35 +0100
Message-ID: <43DE4D3B.8080106@prosyst.com>
In-Reply-To: <10310383401.20060128161251@gorontalo.net>
Iwan Fauzie wrote:
> Hello Boryan,
>
> Thanks for your help, Boryan.
>
> Please see http://www.netservers.co.uk/gpl/ for this iptables MAC/IP
> pair match patch.
>
> This patch helps to ensure that:
>
> - users have not changed their IP address to conflict with or spoof
>   other users
> - users have not changed their MAC address (e.g. new network cards,
>   MAC spoofing or NAT)
>
> Friday, January 27, 2006, 9:17:48 PM, you wrote:
>
>> Iwan Fauzie wrote:
>>
>>> Hello,
>>>
>>> I would like to patch mac/ip pair match, how to do that? anybody help me
>>
>> If you want to match IP against MAC address, then check iptables'
>> _mac_ match:
>>
>> # iptables -m mac --help
>>
>> Example: a rule for forwarding packets matching a certain IP/MAC pair is:
>>
>> # iptables -A FORWARD -s <IP_address> -m mac --mac-source <MAC_address> -j ACCEPT
>>
>> ... but if you want to "patch a match", then you need to specify in a bit
>> more detail what you are trying to do.
>>
>> The _mac_ match exists in the default iptables source (./extensions),
>> i.e. you don't need to patch anything. Just install iptables and enable
>> the match inside your kernel's .config file (CONFIG_IP_NF_MATCH_MAC=y)
>> and finally recompile (and install) the new kernel.
>
Personally I have never used the iptables patch you mentioned above.
But looking at its tarball content it seems to be a 2.4.xx kernel
patch, for a kernel patched with iptables (probably 1.2.x).
Follow these steps (not the smartest way) in order to install it:
=================================================================
STEP 1: Patching the kernel
=================================================================
The file with the sources (macmatch.patch) is a diff on a patched
kernel, so you can apply it to an existing kernel tree easily.
Just go to where your current kernel source is located (I suppose
it is in /usr/src/linux):
# cd /usr/src/linux
Make sure it is already patched with iptables (recent kernels are
by default). To apply the "macmatch.patch" patch simply type:
# patch -p1 < /<Patch_Location>/macmatch.patch
The result from the patch command must look like:
patching file include/linux/netfilter_ipv4/ipt_macmatch.h
patching file net/ipv4/netfilter/ipt_macmatch.c
The configuration and make files are not a diff, so the fastest
way to apply them is to edit the corresponding files manually:
-----------------------------------------------------------------
"macmatch.patch.config.in"
-----------------------------------------------------------------
Its content goes to "/usr/src/linux/net/ipv4/netfilter/Config.in"
Find the line from "Config.in" which says:
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
... and replace it (the line only) with the content of the
macmatch.patch.config.in:
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
dep_tristate ' MAC/IP pair match support' CONFIG_IP_NF_MATCH_MACMATCH $CONFIG_IP_NF_IPTABLES
-----------------------------------------------------------------
"macmatch.patch.makefile"
-----------------------------------------------------------------
Its content goes to "/usr/src/linux/net/ipv4/netfilter/Makefile"
Find the line from "Makefile" which says:
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
... and replace it (the line only) with the content of the
macmatch.patch.makefile:
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_MACMATCH) += ipt_macmatch.o
-----------------------------------------------------------------
"macmatch.patch.configure.help"
-----------------------------------------------------------------
This is optional and only for convenience. You'll need it if you
want a help entry for the macmatch kernel configuration option.
Its content (starting from the second line) should go as an entry
into "/usr/src/linux/Documentation/Configure.help".
=================================================================
STEP 2: Patching iptables
=================================================================
Once you have your kernel tree ready it's time to let iptables know
about the macmatch existence:
Go to your iptables source tree location. I'll suppose it is in
# cd /usr/local/src/iptables-1.xx.yy
Copy both "libipt_macmatch.c" and ".macmatch-test" files from the
macmatch tree into the iptables extensions directory:
# cp libipt_macmatch.c .macmatch-test /usr/local/src/iptables-1.xx.yy/extensions
And finally compile and install iptables:
# make KERNEL_DIR=/usr/src/linux
# make install KERNEL_DIR=/usr/src/linux
=================================================================
STEP 3: Enable the patch into the kernel config file
=================================================================
Add the following line to "/usr/src/linux/.config":
CONFIG_IP_NF_MATCH_MACMATCH=y
... in order to build the patch statically into the kernel,
or
CONFIG_IP_NF_MATCH_MACMATCH=m
... if you need it as a loadable module.
Finally recompile the kernel, load it and reboot.
Hope this helps.
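The thread's point is that the stock "mac" match already lets a FORWARD rule tie a source IP to a source MAC. The script below is an added example (not code from the thread, from the macmatch patch, or from netfilter) that turns a table of registered IP/MAC pairs into such a ruleset with a default drop for mismatches; the pairs file format, the interface name eth1 and the chain name MACIP are assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from the macmatch patch): build an
# iptables FORWARD ruleset that only forwards LAN traffic whose source IP and
# source MAC form a registered pair, using the stock "mac" match the thread
# recommends. Assumed inputs: a pairs file with "IP MAC" lines and the LAN
# interface name; the chain name MACIP is our own choice.

# Constructed sample pairs table (made-up addresses, not real hosts).
PAIRS_FILE=$(mktemp)
cat > "$PAIRS_FILE" <<'EOF'
# ip            mac
192.168.1.10    00:11:22:33:44:55
192.168.1.11    00:11:22:33:44:66
EOF

# gen_rules PAIRS_FILE LAN_IF [CHAIN]
# Prints the iptables commands rather than running them, so they can be
# reviewed first and then piped into sh as root.
gen_rules() {
    pairs=$1; lan_if=$2; chain=${3:-MACIP}
    # (re)create the user chain and hook it first in FORWARD for the LAN side
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -D FORWARD -i $lan_if -j $chain 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $lan_if -j $chain"
    # one RETURN rule per registered pair: matching traffic continues down FORWARD
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "iptables -A $chain -s $ip -m mac --mac-source $mac -j RETURN"
    done < "$pairs"
    # anything else from the LAN is an IP/MAC mismatch: rate-limited log, then drop
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix 'MACIP-MISMATCH: '"
    echo "iptables -A $chain -j DROP"
}

# Helper: number of per-pair rules produced for a pairs file.
count_pair_rules() {
    gen_rules "$1" "$2" | grep -c -- '--mac-source'
}

gen_rules "$PAIRS_FILE" eth1
```

The mac match sees the Ethernet source of the frame as it arrived at this box, so the check only covers hosts on the directly attached segment; traffic relayed through another router carries that router's MAC and would be dropped here.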
Thread overview (6+ messages):
2006-01-27  7:52 MAC/IP PAIR MATCH  Iwan Fauzie
2006-01-27 14:17 ` Boryan Yotov
2006-01-28  9:12 ` Re[2]: MAC/IP PAIR MATCH  Iwan Fauzie
2006-01-30 17:30 ` Boryan Yotov [this message]
2004-01-21  5:46 ` Iwan Fauzie
2006-01-30 19:43 ` Sorin Panca