* filtering based on MAC address prefix
From: Daniel Drake @ 2010-01-15 19:44 UTC
  To: netfilter

Hi,

I'm interested in setting up iptables filtering rules based on the OUI
(i.e. first 3 bytes) of the source MAC address. Is this possible?

I see that there is a "mac" match extension but it only seems to
operate with full 6-byte addresses. I also looked at the u32 extension
but that only seems to operate on the TCP header, not on the ethernet
header.

Any ideas/suggestions?

Thanks,
Daniel


* Re: filtering based on MAC address prefix
From: Eray Aslan @ 2010-01-16  9:55 UTC
  To: Daniel Drake; +Cc: netfilter

On 15.01.2010 21:44, Daniel Drake wrote:
> I'm interested in setting up iptables filtering rules based on the OUI
> (i.e. first 3 bytes) of the source MAC address. Is this possible?
> 
> I see that there is a "mac" match extension but it only seems to
> operate with full 6-byte addresses. I also looked at the u32 extension
> but that only seems to operate on the TCP header, not on the ethernet
> header.
> 
> Any ideas/suggestions?

ebtables(8) is usually the better tool to use for dealing with ethernet
frames.  Check whether its --source and among matches fit.

-- 
Eray


* Re: filtering based on MAC address prefix
From: Pascal Hambourg @ 2010-01-16 15:43 UTC
  To: netfilter

Hello,

Eray Aslan wrote:
> 
> ebtables(8) is usually the better tool to use for dealing with ethernet
> frames.  Check if its --source and among matches fits.

But ebtables works only on frames seen by a bridge. So using it requires
to create a dummy bridge with one member.


* Re: filtering based on MAC address prefix
From: Daniel Drake @ 2010-01-16 16:37 UTC
  To: Eray Aslan; +Cc: netfilter

2010/1/16 Eray Aslan <eray.aslan@caf.com.tr>:
> ebtables(8) is usually the better tool to use for dealing with ethernet
> frames.  Check if its --source and among matches fits.

Thanks! I wasn't aware of that.

At first glance it looks ideal, but after trying to get it working, it
seems inappropriate.
Setting all ebtables policies to DROP (and adding log rules) does
nothing. As far as I can tell, ebtables only operates on bridge
devices, of which there are none in this setup. Am I missing anything?

Daniel


* Re: filtering based on MAC address prefix
From: Eray Aslan @ 2010-01-16 17:10 UTC
  To: Daniel Drake; +Cc: netfilter

On 16.01.2010 18:37, Daniel Drake wrote:
> At first glance it looks ideal, but after trying to get it working, it
> seems inappropriate.
> Setting all ebtables policies to DROP (and adding log rules) does
> nothing. As far as I can tell, ebtables only operates on bridge
> devices, of which there are none in this setup. Am I missing anything?

Create a bridge with only one enslaved device and ebtables should see
the traffic:
http://ebtables.sourceforge.net/examples/basic.html#ex_nobridge

-- 
Eray

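The two pieces of advice in this thread (Eray's --source match with a mask, and the one-member dummy bridge that Pascal and Eray describe) combined into an added example script; this is not code from the thread or from the ebtables project. The interface name eth0, bridge name br0 and the OUI 00:1a:2b are constructed placeholders for the reader's own setup; the bridge/rule part is only executed when the script is run with --apply, and needs root.

```shell
#!/bin/sh
# Added example: match a source-MAC OUI with ebtables. The "mac" match of
# iptables has no mask, but ebtables --source accepts address/mask, so an
# OUI becomes "xx:xx:xx:00:00:00/ff:ff:ff:00:00:00". The "among" match takes
# a list of complete addresses and cannot express a prefix.

# Print the ebtables address/mask form of an OUI given as "xx:xx:xx".
# Returns non-zero (and prints nothing on stdout) for malformed input.
oui_to_match() {
    oui=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$oui" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) printf 'bad OUI: %s\n' "$1" >&2; return 1 ;;
    esac
    printf '%s:00:00:00/ff:ff:ff:00:00:00\n' "$oui"
}

# Dummy bridge with a single enslaved port, as suggested in the thread, so
# that ebtables sees the frames at all (brctl addbr/addif is the older
# equivalent). Any IP configuration that lived on $iface has to move to
# the bridge afterwards, because a bridge port no longer terminates IP.
setup_bridge() {
    iface=$1 bridge=$2
    ip link add name "$bridge" type bridge
    ip link set dev "$iface" master "$bridge"
    ip link set dev "$iface" up
    ip link set dev "$bridge" up
}

# Drop frames whose source MAC starts with the given OUI, logging first so
# the effect of the rule can be seen in the kernel log.
add_oui_drop() {
    match=$(oui_to_match "$1") || return 1
    ebtables -A INPUT -s "$match" --log-prefix "oui-drop: " -j LOG
    ebtables -A INPUT -s "$match" -j DROP
}

if [ "${1:-}" = "--apply" ]; then
    setup_bridge eth0 br0          # placeholder names
    add_oui_drop 00:1a:2b          # constructed sample OUI
    ebtables -L INPUT
fi
```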

* Re: filtering based on MAC address prefix
From: Maximilian Wilhelm @ 2010-01-16 20:46 UTC
  To: netfilter

In the year of our Lord 2010, Eray Aslan wrote:

Hi!

> On 16.01.2010 18:37, Daniel Drake wrote:
> > At first glance it looks ideal, but after trying to get it working, it
> > seems inappropriate.
> > Setting all ebtables policies to DROP (and adding log rules) does
> > nothing. As far as I can tell, ebtables only operates on bridge
> > devices, of which there are none in this setup. Am I missing anything?

> Create a bridge with only one enslaved device and ebtables should see
> the traffic:
> http://ebtables.sourceforge.net/examples/basic.html#ex_nobridge

Is this wise on machines with high network load?
I would guess that it will slow down things a little. Am I wrong here?

Ciao
Max
-- 
If it doesn't work, force it.
If it breaks, it needed replacing anyway.

