Iptables -FTP

Iptables -FTP

[Paulo Andre]

Maybe someone could help. I have a problem that when someone FTP's into 
a server behind the firewall they can do a dir listing or any data
requests. Port 20 and 21 are allowed...
Anyone have an idea

Lot of MAC Address

[hare ram]

Hi  all

In my LAN, i have lot of MAC address,  ( pc's)
how do i make a rule for 100 MAC address (PC) to allow
and any other MAC address to Deny

any suggestions
thanks
hare

Re: Lot of MAC Address

[Joel Newkirk]

On Tuesday 18 February 2003 10:40 am, hare ram wrote:
> Hi  all
>
> In my LAN, i have lot of MAC address,  ( pc's)
> how do i make a rule for 100 MAC address (PC) to allow
> and any other MAC address to Deny
>
> any suggestions
> thanks
> hare

You have to match each MAC individually, one at a time.  If there is no 
other acceptable filtering criteria (IP + incoming interface, for 
example) then your best bet is something like this:

iptables -N MACtest
iptables -A MACtest -m mac --mac-source 00:11:22:33:44:55 -j RETURN
iptables -A MACtest -m mac --mac-source 00:11:22:33:44:66 -j RETURN
[... etc with all 100 MACs in individual rules, followed by ...]
iptables -A MACtest -j DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED    \
-j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j MACtest
iptables -A FORWARD {ordinary rules from here on in FORWARD}

This will take any NEW traffic coming from eth0 to be forwarded and pass 
ALL of it to the user-defined MACtest chain, which will RETURN 
acceptable MACs back to FORWARD for continued processing, and DROP any 
that don't match up with one of the rules. ( This way only the NEW 
packets have to traverse potentially 101 extra rules before ordinary 
matching in FORWARD continues.)  You can call the same user-def chain 
from INPUT as well, or instead.

Keep in mind that a script can build the MACtest chain in a loop, reading 
the MAC addresses from a separate textfile and appending the DROP 
'policy' after the loop completes.

j