From: Mohamed Eldesoky <eldesoky.lists@gmail.com>
To: Kenneth Kalmer <kenneth.kalmer@gmail.com>,
netfilter <netfilter@lists.netfilter.org>
Subject: Re: iprange and mac-source
Date: Mon, 7 Mar 2005 11:56:59 +0200
Message-ID: <1403218a05030701565d761565@mail.gmail.com>
In-Reply-To: <fad9d4840503061538754118e6@mail.gmail.com>
You wrote:
$IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range 192.168.10.31-192.168.10.40 -m mac --mac-source 00:02:e3:55:85:f5 -j RETURN
This doesn't seem like every user can have multiple MACs!!!
On Mon, 7 Mar 2005 01:38:46 +0200, Kenneth Kalmer
<kenneth.kalmer@gmail.com> wrote:
> Guys
>
> I'm having some difficulty getting the following rules to work:
>
> These chains are used in both the INPUT and FORWARD chains of the filter table:
>
> # Log/Drop chain for ip/mac address mismatches
> $IPTABLES -N ADDRESSMISMATCH 2> /dev/null
> $IPTABLES -F ADDRESSMISMATCH
> $IPTABLES -A ADDRESSMISMATCH -j LOG --log-level $LOG_LEVEL -m limit --limit $LTIME --log-prefix "Firewall (IP/MAC mismatch) "
> $IPTABLES -A ADDRESSMISMATCH -p tcp -j $TCP_RESPOND
> $IPTABLES -A ADDRESSMISMATCH -p udp -j $UDP_RESPOND
> $IPTABLES -A ADDRESSMISMATCH -j DROP
>
> # Now verify all MAC/IP combos
> $IPTABLES -N VERIFYMAC 2> /dev/null
> $IPTABLES -F VERIFYMAC
> $IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range 192.168.10.1-192.168.10.10 -m mac --mac-source 00:0b:6a:a0:0a:7f -j RETURN
> $IPTABLES -A VERIFYMAC -i $LANPORT -m iprange --src-range 192.168.10.31-192.168.10.40 -m mac --mac-source 00:02:e3:55:85:f5 -j RETURN
> $IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
>
> Every single packet traverses the chain all the way down to
> ADDRESSMISMATCH, no packets match...
>
> The scenario is that each user can have multiple MAC addresses
> (laptops, PDAs & PCs). The DHCP will always issue the same range to
> the same MAC addresses; each user gets their own pool of 10 IPs.
>
> I'm trying to avoid matching 10 IPs to each MAC address. I'm under
> the impression that this will adversely affect performance. We already
> have 80 users on the network, 800 possible IPs and already 110 MAC
> addresses. Will the VERIFYMAC chain above get too big, or is this not a
> problem?
>
> Is the one-to-one match the only solution, or am I missing the plot here?
>
> Thanks in advance!
>
> --
>
> Kenneth Kalmer
> kenneth.kalmer@gmail.com
> http://opensourcery.blogspot.com
>
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
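As an added example that is not part of this thread (my own script, not Kenneth's or Mohamed's), here is one way to build the VERIFYMAC chain from a per-user table so that each user's whole range is paired with each of that user's MACs: a user with three devices costs three rules rather than thirty, and extra devices are added by extending one line. The variable names IPTABLES, LANPORT and USER_TABLE, the function build_verifymac and the second MAC in the table are my assumptions; by default the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates one VERIFYMAC
# rule per (IP range, MAC) pair from a table instead of one rule per IP.
# Hypothetical defaults: IPTABLES is "echo iptables" so rules are printed;
# set IPTABLES=iptables (and LANPORT) to apply them for real.
: "${IPTABLES:=echo iptables}"
: "${LANPORT:=eth1}"

# Constructed table: the user's DHCP range, then that user's MAC addresses.
# The second MAC on the last line is an invented example of a second device.
USER_TABLE='
192.168.10.1-192.168.10.10   00:0b:6a:a0:0a:7f
192.168.10.31-192.168.10.40  00:02:e3:55:85:f5 00:02:e3:55:85:f6
'

build_verifymac() {
    $IPTABLES -N VERIFYMAC 2>/dev/null
    $IPTABLES -F VERIFYMAC
    printf '%s\n' "$USER_TABLE" | while read -r range macs; do
        [ -z "$range" ] && continue
        for mac in $macs; do
            # iprange and mac are ANDed: the source IP must lie in this
            # user's range AND the frame must carry one of this user's MACs.
            $IPTABLES -A VERIFYMAC -i "$LANPORT" \
                -m iprange --src-range "$range" \
                -m mac --mac-source "$mac" -j RETURN
        done
    done
    # Anything that matched no (range, MAC) pair is an IP/MAC mismatch.
    $IPTABLES -A VERIFYMAC -j ADDRESSMISMATCH
}

build_verifymac
```

The mac match only sees the source MAC of frames arriving on an Ethernet interface, so the chain is meaningful where the thread uses it (INPUT and FORWARD) and not in OUTPUT; since a MAC address is set by the sending host, treat the mismatch log as a hygiene and misconfiguration signal rather than as proof of who sent the packet.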