* how do I set the MAC address in POSTROUTING?
From: sean @ 2006-12-01 0:23 UTC (permalink / raw)
To: netfilter
I want to use -m mac --mac-source on our server.
Unfortunately, lots of packets are coming in without the
MAC address set:
MAC-ADDRESS-TEST: IN=ppp0 OUT= MAC= SRC=ww.xx.yy.zz
DST=zz.yy.xx.ww LEN=52
TOS=0x00 PREC=0x00 TTL=51 ID=41426 DF PROTO=TCP SPT=52437
DPT=445 WINDOW=63 RES=0x00 ACK URGP=0
This is from a linux client.
How do I set up the client to insert its MAC address? Can I
use some mangle voodoo on the client POSTROUTING chain?
Is this even an iptables issue? Is the MAC address being
stripped out somewhere?
sean
* Re: how do I set the MAC address in POSTROUTING?
From: Daniel Musketa @ 2006-12-01 0:53 UTC (permalink / raw)
To: netfilter
On Friday 01 December 2006 01:23, sean wrote:
> MAC-ADDRESS-TEST: IN=ppp0 OUT= MAC= SRC=ww.xx.yy.zz
> Is this even an iptables issue?
AFAIK MAC addresses are used in ethernet to address ethernet frames. On ip
routed ppp0 no ethernet frames arrive.
Daniel
* Re: how do I set the MAC address in POSTROUTING?
From: sean @ 2006-12-01 15:17 UTC (permalink / raw)
To: netfilter
Daniel Musketa wrote:
> On Friday 01 December 2006 01:23, sean wrote:
>> MAC-ADDRESS-TEST: IN=ppp0 OUT= MAC= SRC=ww.xx.yy.zz
>
>> Is this even an iptables issue?
>
> AFAIK MAC addresses are used in ethernet to address ethernet frames. On ip
> routed ppp0 no ethernet frames arrive.
>
> Daniel
>
OK. If that's the case, then the --mac-source target would
only work on a LAN, not over the ethernet. This would mean
that the --mac-source target has very limited use - only on
local LANs.
But there is still a place for a MAC address. How can I put
one in the packet on the client side? This would allow me to
use it over the internet.
sean
* Re: how do I set the MAC address in POSTROUTING?
From: Pascal Hambourg @ 2006-12-01 15:49 UTC (permalink / raw)
To: netfilter
Hello,
sean wrote:
> Daniel Musketa wrote:
>>
>> AFAIK MAC addresses are used in ethernet to address ethernet frames.
>> On ip routed ppp0 no ethernet frames arrive.
>
> OK. If that's the case, then the --mac-source target would only work on
> a LAN, not over the ethernet.
I guess you mean over the *in*ternet. Ethernet is a LAN technology.
> This would mean that the --mac-source
> target has very limited use - only on local LANs.
Indeed, the scope of a MAC address is link local, limited to the LAN.
> But there is still a place for a MAC address.
On an IP/PPP link? No way. A PPP interface has no MAC address, it is
useless. There is a place only in the lines that the LOG target prints
because they have a fixed format.
> How can I put one in the
> packet on the client side? This would allow me to use it over the internet.
You cannot use MAC addresses over an IP/PPP link. You cannot rely on MAC
addresses over the internet either because this is layer 2 information
that is not routed by definition.
* Re: how do I set the MAC address in POSTROUTING?
From: sean @ 2006-12-10 16:44 UTC (permalink / raw)
To: netfilter
Pascal Hambourg wrote:
> Hello,
>
> sean wrote:
>> Daniel Musketa wrote:
>>>
>>> AFAIK MAC addresses are used in ethernet to address ethernet frames.
>>> On ip routed ppp0 no ethernet frames arrive.
>>
>> OK. If that's the case, then the --mac-source target would only work
>> on a LAN, not over the ethernet.
>
> I guess you mean over the *in*ternet. Ethernet is a LAN technology.
>
>> This would mean that the --mac-source target has very limited use -
>> only on local LANs.
>
> Indeed, the scope of a MAC address is link local, limited to the LAN.
>
>> But there is still a place for a MAC address.
>
> On an IP/PPP link? No way. A PPP interface has no MAC address, it is
> useless. There is a place only in the lines that the LOG target prints
> because they have a fixed format.
>
>> How can I put one in the packet on the client side? This would allow
>> me to use it over the internet.
>
> You cannot use MAC addresses over an IP/PPP link. You cannot rely on MAC
> addresses over the internet either because this is layer 2 information
> that is not routed by definition.
>
>
But I don't want to use the MAC address to route anything. I
just want to stick it in the packet so _iptables_ will see it.
The internet routers just look at the ip address, so I
wouldn't think they'd strip out the MAC address, do they?
If not, then if the client inserts a MAC address, couldn't
iptables use it when it finally arrives?
sean
* Re: how do I set the MAC address in POSTROUTING?
From: Pascal Hambourg @ 2006-12-10 19:52 UTC (permalink / raw)
To: netfilter
sean wrote:
>
> The internet routers just look at the ip address, so I wouldn't think
> they'd strip out the MAC address, do they?
Routers *do* strip the source and destination MAC addresses (and any
other layer 2 specific information) when forwarding an IP packet. If
applicable, the source MAC address is replaced by the MAC address of the
router output interface and the destination MAC address is replaced by
the next hop interface MAC address. That's what I meant when saying that
layer 2 information is not routed.
* Re: how do I set the MAC address in POSTROUTING?
From: Cedric Blancher @ 2006-12-11 6:29 UTC (permalink / raw)
To: sean; +Cc: netfilter
On Sunday 10 December 2006 at 11:44 -0500, sean wrote:
> The internet routers just look at the ip address, so I
> wouldn't think they'd strip out the MAC address, do they?
MAC addresses are layer 2 addresses. They don't propagate outside
ethernet network when packet is handled by a router.
So, yes your local router can see your client MAC address and you can
use -m mac in iptables to match it. If you're sitting outside your
client's LAN, you won't see its MAC address.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
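
An added example, not part of the original thread: a small parser for LOG-target lines like the one in the first message, showing why `-m mac --mac-source` has nothing to match on ppp0. On Ethernet the `MAC=` field carries the 14-byte link header (destination MAC, source MAC, EtherType); on a PPP interface it is empty. The function names, the documentation-range IP addresses and the Ethernet sample line are assumptions constructed for illustration.

```python
import re

# Constructed sample lines in the kernel LOG target format. The first mirrors
# the ppp0 line quoted in the thread (addresses replaced by documentation
# ranges); the second is a constructed Ethernet arrival for comparison.
SAMPLE_LOG = """\
MAC-ADDRESS-TEST: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=41426 DF PROTO=TCP SPT=52437 DPT=445 WINDOW=63 RES=0x00 ACK URGP=0
MAC-ADDRESS-TEST: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; the value may be empty


def parse_log_line(line):
    """Return the input interface, source IP and source MAC (None if absent)."""
    fields = dict(FIELD.findall(line))
    octets = [o for o in fields.get("MAC", "").split(":") if o]
    src_mac = None
    # Ethernet header as logged: 6 octets destination MAC, 6 octets source
    # MAC, 2 octets EtherType. Anything else means no Ethernet frame arrived.
    if len(octets) == 14:
        src_mac = ":".join(octets[6:12]).lower()
    return {"in_if": fields.get("IN"), "src_ip": fields.get("SRC"),
            "src_mac": src_mac}


def interfaces_without_mac(log_text):
    """Interfaces on which a rule using --mac-source could never match."""
    rows = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted({r["in_if"] for r in rows if r["src_mac"] is None})


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(parse_log_line(entry))
    print("no source MAC on:", interfaces_without_mac(SAMPLE_LOG))
```

Even on eth0, the source MAC seen is that of the previous hop on the local link, so for routed traffic it identifies the last router, not the original client.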