* iptables mac destination filtering
@ 2005-04-28  9:39 Thomas Turquois
  2005-04-28  9:55 ` Seferovic Edvin
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Thomas Turquois @ 2005-04-28  9:39 UTC (permalink / raw)
  To: netfilter

Hi,

I would like to know why it's not possible to filter on mac destination
address with iptables.

Thanks.




* RE: iptables mac destination filtering
  2005-04-28  9:39 iptables mac destination filtering Thomas Turquois
@ 2005-04-28  9:55 ` Seferovic Edvin
  2005-04-28  9:57 ` Michael Tautschnig
  2005-04-28 10:13 ` Filip Sneppe
  2 siblings, 0 replies; 9+ messages in thread
From: Seferovic Edvin @ 2005-04-28  9:55 UTC (permalink / raw)
  To: netfilter

Hi,

I suppose it is because you do NOT know the destination MAC address. The
dest MAC address is only found out when the packets get out of iptables and
go to the NIC. Besides, you cannot find out the MAC address of a host
that is reachable over, e.g., 3 hops. Recall the OSI layer system and it
should be clear.

I think I am not wrong here. If so, please correct me.

Regards,

Edvin Seferovic


* Re: iptables mac destination filtering
  2005-04-28  9:39 iptables mac destination filtering Thomas Turquois
  2005-04-28  9:55 ` Seferovic Edvin
@ 2005-04-28  9:57 ` Michael Tautschnig
  2005-04-28 11:10   ` Tobias DiPasquale
  2005-04-28 10:13 ` Filip Sneppe
  2 siblings, 1 reply; 9+ messages in thread
From: Michael Tautschnig @ 2005-04-28  9:57 UTC (permalink / raw)
  To: Thomas Turquois; +Cc: netfilter

> Hi,
> 
> I would like to know why it's not possible to filter on mac destination
> address with iptables.
>

Could you please explain why one would do that? IMHO the only possible use is
an interface in promiscuous mode.

Thanks,
Michael



* Re: iptables mac destination filtering
       [not found] <200504280955.j3S9tYSQ029850@sunny.fnst.com.cn>
@ 2005-04-28 10:03 ` Yu Zhiguo
  2005-04-28 10:14   ` Seferovic Edvin
  0 siblings, 1 reply; 9+ messages in thread
From: Yu Zhiguo @ 2005-04-28 10:03 UTC (permalink / raw)
  To: edvin.seferovic, netfilter

Hello,

Simply put, this is because netfilter is working on the IP layer.



* Re: iptables mac destination filtering
  2005-04-28  9:39 iptables mac destination filtering Thomas Turquois
  2005-04-28  9:55 ` Seferovic Edvin
  2005-04-28  9:57 ` Michael Tautschnig
@ 2005-04-28 10:13 ` Filip Sneppe
  2 siblings, 0 replies; 9+ messages in thread
From: Filip Sneppe @ 2005-04-28 10:13 UTC (permalink / raw)
  To: Thomas Turquois; +Cc: netfilter

Hi,

On 4/28/05, Thomas Turquois <tturquois@erasme.org> wrote:
> I would like to know why it's not possible to filter on mac destination
> address with iptables.

It's not possible with iptables since it works on the IP layer and higher,
but have a look at "ebtables", and maybe bridge-netfilter and arptables:

http://ebtables.sourceforge.net/

Regards,
Filip



* RE: iptables mac destination filtering
  2005-04-28 10:03 ` Yu Zhiguo
@ 2005-04-28 10:14   ` Seferovic Edvin
  0 siblings, 0 replies; 9+ messages in thread
From: Seferovic Edvin @ 2005-04-28 10:14 UTC (permalink / raw)
  To: netfilter

Hi,

That is also what I wanted to say ;) Although netfilter is working on the IP
layer, packets that come in contain the source MAC address of the sender,
so that is why, for example, source MAC filtering works... right?

Regards,

Edvin Seferovic


* Re: iptables mac destination filtering
       [not found] <200504281014.j3SAEgpi030006@sunny.fnst.com.cn>
@ 2005-04-28 10:27 ` Yu Zhiguo
  0 siblings, 0 replies; 9+ messages in thread
From: Yu Zhiguo @ 2005-04-28 10:27 UTC (permalink / raw)
  To: edvin.seferovic, netfilter

Hello,

I think so ;)


* Re: iptables mac destination filtering
  2005-04-28  9:57 ` Michael Tautschnig
@ 2005-04-28 11:10   ` Tobias DiPasquale
  2005-04-30  7:18     ` George Alexandru Dragoi
  0 siblings, 1 reply; 9+ messages in thread
From: Tobias DiPasquale @ 2005-04-28 11:10 UTC (permalink / raw)
  To: netfilter

On 4/28/05, Michael Tautschnig <michael.tautschnig@zt-consulting.com> wrote:
> Could you please explain, why one would do that? IMHO the only possible use is
> an interface in promiscous mode.

Not really. I know of a project that wanted this functionality in
order to be able to determine if the next hop was terminal, and if so,
do some IDS scanning on it. This was in the context of AODV-assembled
wireless LANs.

--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d



* Re: iptables mac destination filtering
  2005-04-28 11:10   ` Tobias DiPasquale
@ 2005-04-30  7:18     ` George Alexandru Dragoi
  0 siblings, 0 replies; 9+ messages in thread
From: George Alexandru Dragoi @ 2005-04-30  7:18 UTC (permalink / raw)
  To: Tobias DiPasquale; +Cc: netfilter

Use arptables for that, like

arptables -A INPUT --src-mac <mac> --opcode 1 -j DROP
arptables -A OUTPUT --dst-mac <mac> --opcode 1 -j DROP

This way that MAC won't know your MAC address and won't be able to
communicate with you. But for a "very good enough" firewall it is not
necessary to filter destination MAC; source MAC is enough. arptables is
good to stop somebody DDoSing you (if he is in the same L2 as you).


-- 
Bla bla
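The layering point made earlier in the thread (an incoming frame carries the sender's MAC, so a source-MAC match works at the IP layer, while the destination MAC of an outgoing packet is only decided by routing and ARP after the filter has run, and is the gateway's MAC for anything beyond one hop) and the two arptables rules above, replayed as an added example. This is not code from the thread or from the netfilter/arptables project: it is a toy model in Python. The frames, MAC and IP addresses, route table and neighbour cache are constructed sample data, and the arptables chain is modelled (first matching rule wins; `--src-mac`/`--dst-mac` are taken here to match the ARP sender/target hardware-address fields, which is an assumption of the model) rather than executed.

```python
"""Toy model of which MAC a packet filter can see, plus an arptables-style
chain replaying the two rules from the thread. Constructed data throughout;
arptables/iptables are modelled, not called."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_arp_frame(eth_dst, eth_src, opcode, sender_mac, sender_ip,
                    target_mac, target_ip) -> bytes:
    """Ethernet II header followed by a 28-byte IPv4-over-Ethernet ARP body."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def ingress_source_mac(frame: bytes) -> str:
    """What an `iptables -m mac --mac-source` match can see: the received
    frame's source MAC is still attached to the packet at the IP layer."""
    return mac_str(struct.unpack("!6s6sH", frame[:14])[1])


def egress_next_hop_mac(dst_ip: str, routes: list, neigh: dict):
    """No L2 header exists yet when a locally generated packet is filtered.
    The destination MAC is picked afterwards: longest-prefix route lookup
    gives a next hop, the neighbour cache maps it to a MAC (None means an
    ARP request still has to go out). For a host several hops away the MAC
    is the gateway's, never the final host's. routes: [(prefix, gateway|None)]."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    next_hop = best[1] or dst_ip  # on-link route: next hop is the destination
    return neigh.get(next_hop)


def arptables_verdict(chain: str, rules: list, frame: bytes, policy: str = "ACCEPT") -> str:
    """First matching rule in the chain decides; otherwise the chain policy.
    src_mac/dst_mac are matched against the ARP sender/target hardware
    addresses (modelling assumption, see lead-in)."""
    arp = parse_arp_frame(frame)
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if "src_mac" in rule and rule["src_mac"] != arp["sender_mac"]:
            continue
        if "dst_mac" in rule and rule["dst_mac"] != arp["target_mac"]:
            continue
        if "opcode" in rule and rule["opcode"] != arp["opcode"]:
            continue
        return rule["target"]
    return policy


# Constructed addresses: ME is this host, PEER is the MAC being filtered.
ME, PEER = "02:00:00:00:00:01", "02:00:00:00:00:bb"
# The two rules from the thread, as data:
#   arptables -A INPUT  --src-mac <mac> --opcode 1 -j DROP
#   arptables -A OUTPUT --dst-mac <mac> --opcode 1 -j DROP
RULES = [
    {"chain": "INPUT", "src_mac": PEER, "opcode": ARP_REQUEST, "target": "DROP"},
    {"chain": "OUTPUT", "dst_mac": PEER, "opcode": ARP_REQUEST, "target": "DROP"},
]


def demo() -> dict:
    req_from_peer = build_arp_frame("ff:ff:ff:ff:ff:ff", PEER, ARP_REQUEST,
                                    PEER, "10.0.0.66", ZERO_MAC, "10.0.0.1")
    reply_from_peer = build_arp_frame(ME, PEER, ARP_REPLY, PEER, "10.0.0.66", ME, "10.0.0.1")
    my_req_to_peer = build_arp_frame(PEER, ME, ARP_REQUEST, ME, "10.0.0.1", PEER, "10.0.0.66")
    routes = [("0.0.0.0/0", "10.0.0.254"), ("10.0.0.0/24", None)]  # constructed
    neigh = {"10.0.0.254": "02:00:00:00:00:fe", "10.0.0.66": PEER}  # constructed
    return {
        "input_request": arptables_verdict("INPUT", RULES, req_from_peer),    # DROP
        "input_reply": arptables_verdict("INPUT", RULES, reply_from_peer),    # ACCEPT
        "output_request": arptables_verdict("OUTPUT", RULES, my_req_to_peer),  # DROP
        "src_mac_seen_on_ingress": ingress_source_mac(req_from_peer),         # PEER
        "mac_for_onlink_host": egress_next_hop_mac("10.0.0.66", routes, neigh),  # PEER
        "mac_for_remote_host": egress_next_hop_mac("198.51.100.7", routes, neigh),  # gateway
        "mac_for_unresolved": egress_next_hop_mac("10.0.0.9", routes, neigh),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

The `mac_for_remote_host` result is the point of the thread: for any destination behind the gateway the only MAC a destination-MAC match could ever see is the gateway's, so such a match at the IP layer would not identify the remote host; the `mac_for_unresolved` case shows that the MAC may not even exist yet when the filter runs.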


