Filtering MAC addresses and Multicast

Filtering MAC addresses and Multicast

[Gerard París Aixalà]

Hello all,

I have a strange problem using iptables that had been reported yet in 
this list two years ago, but it has not been solved: 
http://lists.netfilter.org/pipermail/netfilter/2004-October/056506.html

I emulate a MANET on an Ethernet by adding iptables rules like these 
(filtering at MAC layer):

/sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
00:06:5B:12:C9:7A -j DROP
/sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
00:06:5B:13:4A:69 -j DROP

These rules drop Unicast traffic but they do not drop Multicast traffic.
How can I fix it?

Thank you in advance
Kind regards,
Gerard

Re: Filtering MAC addresses and Multicast

[Gerard París Aixalà]

Martijn Lievaart wrote:
> Gerard París Aixalà wrote:
>
>> Hello all,
>>
>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>> 00:06:5B:12:C9:7A -j DROP
>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>> 00:06:5B:13:4A:69 -j DROP
>>
>> These rules drop Unicast traffic but they do not drop Multicast traffic.
>
> Multicast traffic is sent to specific multicast MAC adresses.
> Learn how multicast works and drop the corresponding MAC addresses. 
> (No I don't have a link handy, tcp/ip illustrated would be a good, but 
> pricy source).
>
> HTH,
> M4
>

I know how multicast works, but I want to drop packets with the 
specified MAC source adresses. In multicast, the source address is 
always a real one, to identify which computer the packet came from (the 
destination address, both MAC and IP, is a special one).

Gerard

Re: Filtering MAC addresses and Multicast

[Martijn Lievaart]

Gerard París Aixalà wrote:

> Martijn Lievaart wrote:
>
>> Gerard París Aixalà wrote:
>>
>>> Hello all,
>>>
>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source
>>> 00:06:5B:12:C9:7A -j DROP
>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source
>>> 00:06:5B:13:4A:69 -j DROP
>>>
>>> These rules drop Unicast traffic but they do not drop Multicast
>>> traffic.
>>
>>
>> Multicast traffic is sent to specific multicast MAC adresses.
>> Learn how multicast works and drop the corresponding MAC addresses.
>> (No I don't have a link handy, tcp/ip illustrated would be a good,
>> but pricy source).
>>
>> HTH,
>> M4
>>
>
> I know how multicast works, but I want to drop packets with the
> specified MAC source adresses. In multicast, the source address is
> always a real one, to identify which computer the packet came from
> (the destination address, both MAC and IP, is a special one).


<blush> Oops, my bad. Should read better. Sorry, Can't help you there.
If you don't get a reply on this list in a few days, maybe ask
netfilter-devel, because this looks like a bug.

M4

Re: Filtering MAC addresses and Multicast

[Gáspár Lajos]

Martijn Lievaart írta:
> Gerard París Aixalà wrote:
>
>> Martijn Lievaart wrote:
>>
>>> Gerard París Aixalà wrote:
>>>
>>>> Hello all,
>>>>
>>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>>>> 00:06:5B:12:C9:7A -j DROP
>>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>>>> 00:06:5B:13:4A:69 -j DROP
>>>>
>>>> These rules drop Unicast traffic but they do not drop Multicast 
>>>> traffic.
>>>
>>>
>>> Multicast traffic is sent to specific multicast MAC adresses.
>>> Learn how multicast works and drop the corresponding MAC addresses. 
>>> (No I don't have a link handy, tcp/ip illustrated would be a good, 
>>> but pricy source).
>>>
>>> HTH,
>>> M4
>>>
>>
>> I know how multicast works, but I want to drop packets with the 
>> specified MAC source adresses. In multicast, the source address is 
>> always a real one, to identify which computer the packet came from 
>> (the destination address, both MAC and IP, is a special one).
>
>
> <blush> Oops, my bad. Should read better. Sorry, Can't help you there. 
> If you don't get a reply on this list in a few days, maybe ask 
> netfilter-devel, because this looks like a bug.
>
> M4
>
>
>
>
Try this:

iptables -t mangle -A PREROUTING -j DROP -m mac --mac-source 
XX:XX:XX:XX:XX:XX -m pkttype --pkt-type multicast

Re: Filtering MAC addresses and Multicast

[Gerard París Aixalà]

Gáspár Lajos wrote:
> Martijn Lievaart írta:
>> Gerard París Aixalà wrote:
>>
>>> Martijn Lievaart wrote:
>>>
>>>> Gerard París Aixalà wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>>>>> 00:06:5B:12:C9:7A -j DROP
>>>>> /sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 
>>>>> 00:06:5B:13:4A:69 -j DROP
>>>>>
>>>>> These rules drop Unicast traffic but they do not drop Multicast 
>>>>> traffic.
>>>>
>>>>
>>>> Multicast traffic is sent to specific multicast MAC adresses.
>>>> Learn how multicast works and drop the corresponding MAC addresses. 
>>>> (No I don't have a link handy, tcp/ip illustrated would be a good, 
>>>> but pricy source).
>>>>
>>>> HTH,
>>>> M4
>>>>
>>>
>>> I know how multicast works, but I want to drop packets with the 
>>> specified MAC source adresses. In multicast, the source address is 
>>> always a real one, to identify which computer the packet came from 
>>> (the destination address, both MAC and IP, is a special one).
>>
>>
>> <blush> Oops, my bad. Should read better. Sorry, Can't help you 
>> there. If you don't get a reply on this list in a few days, maybe ask 
>> netfilter-devel, because this looks like a bug.
>>
>> M4
>>
>>
>>
>>
> Try this:
>
> iptables -t mangle -A PREROUTING -j DROP -m mac --mac-source 
> XX:XX:XX:XX:XX:XX -m pkttype --pkt-type multicast
>
>
I tried this.
And this:
iptables -t mangle -I PREROUTING -d 225.0.0.4 -j DROP       # 225.0.0.4 
is the multicast address
iptables -t mangle -I PREROUTING -j DROP
But the multicast traffic still arrives at the destination computer.

Re: Filtering MAC addresses and Multicast

[Gáspár Lajos]

Gerard París Aixalà wrote:
> I tried this.
> And this:
> iptables -t mangle -I PREROUTING -d 225.0.0.4 -j DROP       # 
> 225.0.0.4 is the multicast address
> iptables -t mangle -I PREROUTING -j DROP
> But the multicast traffic still arrives at the destination computer.
How do you know that the traffic arrives ??? :) If you see it with some 
sniffer programs (tetheral) then that is fake because those programs see 
the packets BEFORE they reach the filtering system.
You can not tell a packet not to enter your network card... :D

BTW.: What does the counters of the packets matching your rules says ??? 
(iptables -L -v -n -t mangle)

Re: Filtering MAC addresses and Multicast

[Gerard París Aixalà]

Gáspár Lajos wrote:
> Gerard París Aixalà wrote:
>> I tried this.
>> And this:
>> iptables -t mangle -I PREROUTING -d 225.0.0.4 -j DROP       # 
>> 225.0.0.4 is the multicast address
>> iptables -t mangle -I PREROUTING -j DROP
>> But the multicast traffic still arrives at the destination computer.
> How do you know that the traffic arrives ??? :) If you see it with 
> some sniffer programs (tetheral) then that is fake because those 
> programs see the packets BEFORE they reach the filtering system.
> You can not tell a packet not to enter your network card... :D
>
> BTW.: What does the counters of the packets matching your rules says 
> ??? (iptables -L -v -n -t mangle)
>
>

I was using a multicast traffic generator (source and receiver). The 
receiver showed the packets as they arrived.
After sending 48 multicast packets the counters say the following:
Chain PREROUTING (policy ACCEPT 3 packets, 724 bytes)
 pkts bytes target     prot opt in     out     source               
destination
   48 56256 DROP       all  --  *      *       0.0.0.0/0            
0.0.0.0/0           MAC 00:06:5B:13:4A:69
It seems all the packets were dropped, but the receiver application sees 
them (it maybe acts like a sniffer).

I changed the application and tried VLC. With those rules, multicast 
traffic was blocked.

Thanks,
Gerard