From: Kenneth Kalmer <kenneth.kalmer@gmail.com>
To: netfilter@lists.netfilter.org, GLUG-Chat <glug-chat@linux.org.za>
Subject: iprange and mac-source
Date: Mon, 7 Mar 2005 01:38:46 +0200
Message-ID: <fad9d4840503061538754118e6@mail.gmail.com>
Guys
I'm having some difficulty getting the following rules to work:
These chains are used in both the INPUT and FORWARD chains of the filter table:
# Log/Drop chain for ip/mac address mismatches
$IPTABLES -N ADDRESSMISMATCH 2> /dev/null
$IPTABLES -F ADDRESSMISMATCH
$IPTABLES -A ADDRESSMISMATCH -m limit --limit $LTIME -j LOG \
    --log-level $LOG_LEVEL --log-prefix "Firewall (IP/MAC mismatch) "
$IPTABLES -A ADDRESSMISMATCH -p tcp -j $TCP_RESPOND
$IPTABLES -A ADDRESSMISMATCH -p udp -j $UDP_RESPOND
$IPTABLES -A ADDRESSMISMATCH -j DROP
# Now verify all MAC/IP combos
$IPTABLES -N VERIFYMAC 2> /dev/null
$IPTABLES -F VERIFYMAC
$IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range 192.168.10.1-192.168.10.10 \
    -m mac --mac-source 00:0b:6a:a0:0a:7f -j RETURN
$IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range 192.168.10.31-192.168.10.40 \
    -m mac --mac-source 00:02:e3:55:85:f5 -j RETURN
$IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
Every single packet traverses the chain all the way down to
ADDRESSMISMATCH, no packets match...
The scenario is that each user can have multiple MAC addresses
(laptops, PDAs & PCs). The DHCP will always issue the same range to
the same MAC addresses; each user gets their own pool of 10 IPs.
I'm trying to avoid matching 10 IPs to each MAC address. I'm under
the impression that this will adversely affect performance. We already
have 80 users on the network, 800 possible IPs and already 110 MAC
addresses. The VERIFYMAC chain above will get too big, or is this not a
problem?
Is the one-to-one match the only solution, or am I missing the plot here?
Thanks in advance!
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com
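The following is an added example, not Kenneth's script, showing one way to keep the VERIFYMAC chain short when each user has several MACs: VERIFYMAC tests each user's source range once and hands the packet to a per-user chain that lists only that user's MACs, so a packet from user N is compared against user N's MACs rather than against every MAC on the LAN. It assumes the ADDRESSMISMATCH chain from the post exists, a LAN interface name (eth1, a placeholder), and the `-g`/`--goto` option, which iptables gained after this post was written; with goto, a RETURN from the per-user chain returns to INPUT or FORWARD, which is what the original `-j RETURN` in VERIFYMAC achieved. The MAC table is constructed: the two MACs from the post plus one made-up second MAC for the first user. By default it prints the iptables commands instead of running them. As with the original rules, the mac match only works in the PREROUTING, FORWARD and INPUT chains and only sees the MAC of the directly connected sender, so it verifies hosts on the LAN segment, not anything behind a router.

```shell
#!/bin/sh
# Added example (not from the original post): two-level IP-range / MAC check.
# VERIFYMAC dispatches on source range into a per-user chain of MACs, so the
# work per packet is one range test per user plus that user's MAC list.
# Dry run by default (prints the commands); set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
LANPORT="${LANPORT:-eth1}"          # assumed LAN interface name (placeholder)

# Constructed sample table (hypothetical values): one user per line as
# "first-last mac,mac,...". A real deployment would read this from the
# DHCP reservation list.
USER_TABLE='192.168.10.1-192.168.10.10 00:0b:6a:a0:0a:7f,00:0b:6a:a0:0a:80
192.168.10.31-192.168.10.40 00:02:e3:55:85:f5'

# One per-user chain: a RETURN for each allowed MAC, then ADDRESSMISMATCH.
# VERIFYMAC enters it with -g (goto), so RETURN goes back to the chain that
# called VERIFYMAC (INPUT or FORWARD), i.e. the packet passed verification.
emit_user_chain() {
  chain=$1; range=$2; macs=$3
  $IPTABLES -N "$chain" 2>/dev/null || true
  $IPTABLES -F "$chain"
  for mac in $(printf '%s' "$macs" | tr ',' ' '); do
    $IPTABLES -A "$chain" -m mac --mac-source "$mac" -j RETURN
  done
  # Right range, unknown MAC: log and drop via the post's mismatch chain.
  $IPTABLES -A "$chain" -j ADDRESSMISMATCH
  # Dispatch rule in VERIFYMAC: one iprange test per user, whatever the MAC count.
  $IPTABLES -A VERIFYMAC -i "$LANPORT" -m iprange --src-range "$range" -g "$chain"
}

# Rebuild VERIFYMAC from USER_TABLE. Source addresses outside every known
# range fall through to ADDRESSMISMATCH at the end, as in the original chain.
build_verifymac() {
  $IPTABLES -N VERIFYMAC 2>/dev/null || true
  $IPTABLES -F VERIFYMAC
  n=0
  while read -r range macs; do
    [ -n "$range" ] || continue
    n=$((n + 1))
    emit_user_chain "VERIFYMAC_$n" "$range" "$macs"
  done <<EOF
$USER_TABLE
EOF
  $IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
}

# Sanity check on the generated rule set (dry-run output): how many rules a
# given chain ends up with. VERIFYMAC stays at one rule per user plus the
# catch-all; per-user chains hold that user's MACs plus the mismatch rule.
count_rules() {
  build_verifymac | grep -c -- "-A $1 "
}

build_verifymac
```

In dry-run mode the output is the exact command list that would be applied, which is a convenient way to review the generated chains before loading them; `count_rules VERIFYMAC` gives the dispatch-chain length (users + 1) and `count_rules VERIFYMAC_1` the first user's MAC count + 1.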
Thread overview: 3+ messages
2005-03-06 23:38 Kenneth Kalmer [this message]
2005-03-07 9:56 ` iprange and mac-source Mohamed Eldesoky
[not found] ` <fad9d48405030707051ba7fd76@mail.gmail.com>
2005-03-08 12:26 ` Mohamed Eldesoky