* Filtering on MAC Addresses
@ 2005-02-04 13:58 Michael Thompson
2005-02-04 14:36 ` Jörg Harmuth
0 siblings, 1 reply; 5+ messages in thread
From: Michael Thompson @ 2005-02-04 13:58 UTC (permalink / raw)
To: netfilter
I am trying to filter on MAC addresses and have a little problem.
I use a rule like the following:
/sbin/iptables -A MACALLOW -p ALL -i eth0 -m mac --mac-source 'MACADDRESS' -j ACCEPT
Where MACADDRESS is replaced by the MAC CODE of the machine.
However, the MAC address that the Network card uses is not being used by
IPTables. It tries to use a larger MAC Code, which appears to be two mac
addresses pinned together.
So if I use the MAC code of 00:10:5a:14:50:db, it gets rejected because
IPTables uses the MAC code of 00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00,
which obviously does not match. So why is IPTables using this, and how
can I get round it to use IPTables MAC code rules?
Many thanks for any help you can offer.
Mike.
* Re: Filtering on MAC Addresses
From: Jörg Harmuth @ 2005-02-04 14:36 UTC (permalink / raw)
To: netfilter
Michael Thompson wrote:
| I am trying to filter on MAC addresses and have a little problem.
|
| I use a rule like the following
|
| /sbin/iptables -A MACALLOW -p ALL -i eth0 -m mac --mac-source
| 'MACADDRESS' -j ACCEPT
|
| Where MACADDRESS is replaced by the MAC CODE of the machine.
|
| However, the MAC address that the Network card uses is not being
| used by IPTables. It tries to use a larger MAC Code, which appears
| to be two mac addresses pinned together.
|
| So if I use the MAC code of 00:10:5a:14:50:db, it gets rejected
| because IPTables uses the MAC Code of
| 00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 Which does not match
| obviously. So why is IPTables using this, and how can I get round
| it to use IPTables MAC Code rules?
|
| Many Thanks for any help you can offer
|
|
| Mike.
Hmm, all I can say is that filtering based on MAC address works. Don't
worry about the MAC iptables uses, that's normal:
00:09:5b:1b:52:77 is the MAC of the incoming interface
00:10:5a:14:50:db is the MAC of the sending interface
08:00 is the transport protocol (IP)
Looking at your rule I have two ideas. Seems that the rule is placed
in a chain you created, so maybe you simply forgot to call the chain
from the INPUT (or PREROUTING or FORWARD) chain. Or maybe there is a
rule that the packet hits before the MAC rule. You can test if it
works basically like so:
iptables -I INPUT 1 -i $IFACE -m mac --mac-source 00:10:5a:14:50:db -j LOG --log-prefix "MAC match: "
or similar. Good luck.
HTH
Joerg
* Re: Filtering on MAC Addresses
From: Michael Thompson @ 2005-02-04 15:04 UTC (permalink / raw)
To: netfilter
Jörg Harmuth wrote:
> Hmm, all I can say is that filtering based on MAC address works. Don't
> worry about the MAC iptables uses, that's normal:
>
> 00:09:5b:1b:52:77 is the MAC of the incoming interface
> 00:10:5a:14:50:db is the MAC of the sending interface
> 08:00 is the transport protocol (IP)
That's what I thought it was all about, however it is not matching the
sending MAC address.
Feb 4 13:53:00 polaris IN=eth0 OUT= MAC=00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 SRC=192.168.1.14 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=17305 DF PROTO=TCP SPT=1085 DPT=22 WINDOW=65067 RES=0x00 ACK PSH URGP=0
It gets blocked here, seemingly ignoring the rule.
>
> Looking at your rule I have two ideas. Seems that the rule is placed
> in a chain you created, so maybe you simply forgot to call the chain
> from the INPUT (or PREROUTING or FORWARD) chain.
It is called from both the input chain and forward chains.
> Or maybe there is a
> rule that the packet hits before the MAC rule. You can test if it
> works basically like so:
It is the first rule in the chain.
>
> iptables -I INPUT 1 -i $IFACE -m mac --mac-source 00:10:5a:14:50:db -j LOG --log-prefix "MAC match: "
>
Already logging it all.
> or similar. Good luck.
Many thanks for your help!
Mike
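Added example, not code from the thread: a small Python parser for the MAC= field of the iptables LOG line above, splitting it into the three parts Jörg describes (destination MAC, source MAC, EtherType), plus a check of whether a `-m mac --mac-source` rule would have matched the logged frame. SAMPLE_LOG is the thread's own log line re-joined onto one line; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the LOG line quoted in the thread, joined onto one line
# the way syslog writes it.
SAMPLE_LOG = (
    "Feb 4 13:53:00 polaris IN=eth0 OUT= "
    "MAC=00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 SRC=192.168.1.14 "
    "DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=17305 DF PROTO=TCP "
    "SPT=1085 DPT=22 WINDOW=65067 RES=0x00 ACK PSH URGP=0"
)

# IEEE-assigned EtherType values commonly seen on a LAN.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

_MAC_FIELD = re.compile(r"^([0-9a-f]{2}:){13}[0-9a-f]{2}$")


@dataclass(frozen=True)
class EthHeader:
    dst_mac: str    # first 6 octets: MAC of the interface the frame arrived on
    src_mac: str    # next 6 octets: MAC of the sender, what --mac-source sees
    ethertype: int  # last 2 octets: 0x0800 for IP


def parse_log_mac(field: str) -> EthHeader:
    """Split the 14-octet MAC= field of an iptables LOG line into its parts."""
    field = field.strip().lower()
    if not _MAC_FIELD.match(field):
        raise ValueError("MAC= field must be 14 colon-separated hex octets")
    octets = field.split(":")
    return EthHeader(
        dst_mac=":".join(octets[0:6]),
        src_mac=":".join(octets[6:12]),
        ethertype=int("".join(octets[12:14]), 16),
    )


def mac_source_matches(log_line: str, rule_mac: str) -> bool:
    """Would a rule with '-m mac --mac-source rule_mac' have matched this frame?"""
    m = re.search(r"\bMAC=([0-9A-Fa-f:]+)", log_line)
    if m is None:
        return False  # no link-layer header logged (e.g. locally generated packet)
    hdr = parse_log_mac(m.group(1))
    # Compare normalised octets, so the case used in the rule does not matter.
    return hdr.src_mac == rule_mac.strip().lower()
```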
* Re: Filtering on MAC Addresses
From: Michael Thompson @ 2005-02-04 15:08 UTC (permalink / raw)
To: netfilter
Is the MAC address case sensitive?
I have noticed that IPTables puts it in lower case; I have it in upper
case. Could this be the problem?
* Re: Filtering on MAC Addresses
From: Michael Thompson @ 2005-02-04 15:18 UTC (permalink / raw)
To: netfilter
Apologies.
Was having a remarkably dumb moment, the script I was using to write out
the iptables chain was wrong.......
Apologies for that.... :(
God I feel like a muppet!