From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: Filtering on MAC Addresses
Date: Fri, 04 Feb 2005 15:36:05 +0100
Message-ID: <42038855.8050709@mnemon.de>
In-Reply-To: <42037F7D.2070804@thompsonmike.co.uk>
Michael Thompson wrote:
| I am trying to filter on MAC addresses and have a little problem.
|
| I use a rule like the following
|
| /sbin/iptables -A MACALLOW -p ALL -i eth0 -m mac --mac-source
| 'MACADDRESS' -j ACCEPT
|
| Where MACADDRESS is replaced by the MAC CODE of the machine.
|
| However, the MAC address that the Network card uses is not being
| used by IPTables. It tries to use a larger MAC Code, which appears
| to be two mac addresses pinned together.
|
| So if I use the MAC code of 00:10:5a:14:50:db, it gets rejected
| because IPTables uses the MAC Code of
| 00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 Which does not match
| obviously. So why is IPTables using this, and how can I get round
| it to use IPTables MAC Code rules?
|
| Many Thanks for any help you can offer
|
|
| Mike.
Hmm, all I can say is that filtering based on MAC address works. Don't
worry about the MAC iptables uses, that's normal:
00:09:5b:1b:52:77 is the MAC of the incoming interface
00:10:5a:14:50:db is the MAC of the sending interface
08:00 is the transport protocol (IP)
Looking at your rule I have two ideas. Seems that the rule is placed
in a chain you created, so maybe you simply forgot to call the chain
from the INPUT (or PREROUTING or FORWARD) chain. Or maybe there is a
rule that the packet hits before the MAC rule. You can test if it
works basically like so:

    iptables -I INPUT 1 -i $IFACE -m mac --mac-source 00:10:5a:14:50:db -j LOG --log-prefix "MAC match: "

or similar. Good luck.
HTH
Joerg
--
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
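Added example, not part of either message in this thread: shell functions that pull the MAC= field out of a line written by the LOG target and split it into the three parts listed in the reply above, then compare the sender's MAC with the value given to --mac-source. The log line is constructed (only the MAC= value comes from the thread) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a kernel log line from the LOG target; only the MAC=
# value is taken from the thread, every other field is made up.
SAMPLE_LINE='Feb  4 15:40:01 fw kernel: MAC match: IN=eth0 OUT= MAC=00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=22'

# log_mac_field LINE: print the raw MAC= value; fail if it is missing or empty
# (the field is empty when the packet carries no Ethernet header).
log_mac_field() {
    case $1 in
        *" MAC="*) ;;
        *) return 1 ;;
    esac
    _v=${1#*" MAC="}      # drop everything up to and including " MAC="
    _v=${_v%% *}          # drop the following fields
    [ -n "$_v" ] || return 1
    printf '%s\n' "$_v"
}

# log_mac_part FIELD dst|src|type: split the 14 logged bytes.
#   bytes 1-6   MAC of the receiving interface (frame destination)
#   bytes 7-12  MAC of the sending interface (what --mac-source compares)
#   bytes 13-14 protocol type, 08:00 for IP
log_mac_part() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){13}[0-9A-Fa-f]{2}$' || return 1
    case $2 in
        dst)  printf '%s\n' "$1" | cut -d: -f1-6 ;;
        src)  printf '%s\n' "$1" | cut -d: -f7-12 ;;
        type) printf '%s\n' "$1" | cut -d: -f13-14 ;;
        *)    return 1 ;;
    esac
}

# log_src_matches LINE MAC: succeed if the sender's MAC in LINE equals MAC
# (case-insensitive), i.e. the address a --mac-source rule should name.
log_src_matches() {
    _f=$(log_mac_field "$1") || return 1
    _s=$(log_mac_part "$_f" src) || return 1
    [ "$(printf '%s' "$_s" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

if mac=$(log_mac_field "$SAMPLE_LINE"); then
    echo "receiving interface: $(log_mac_part "$mac" dst)"
    echo "sending interface:   $(log_mac_part "$mac" src)"
    echo "protocol type:       $(log_mac_part "$mac" type)"
fi
```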