* MAC Filtering
@ 2004-01-14 23:58 Gopal Chandavarapu
0 siblings, 0 replies; 7+ messages in thread
From: Gopal Chandavarapu @ 2004-01-14 23:58 UTC (permalink / raw)
To: netfilter
Hi All,
A specific piece of hardware and its cross compiler need the 2.4.14 version of the
Linux kernel. I have to do MAC filtering for these devices, so I found that
http://ebtables.sourceforge.net/documentation.html#whatdo
does MAC filtering. ----------- Good till now.
Problem: The problem is that ebtables works only with Linux kernel 2.4.22/23
and version 2.6.x.
Question 1: Is there any other module like ebtables which does MAC
filtering and works with the 2.4.14 kernel?
Question 2: The MAC filter module should be capable of filtering the
packets at run time.
That means that the filter should be able to ACCEPT all packets from MAC
address A for some time and, upon the user's request at run time, it should be
able to take a new MAC address B and ACCEPT only from B and DROP/ACCEPT
packets from A.
Please let me know.
Thanks
Gopal.
^ permalink raw reply [flat|nested] 7+ messages in thread
* MAC filtering
@ 2005-06-29 11:56 varun_saa
2005-06-29 15:58 ` Gustavo Castro Puig
2005-06-29 20:30 ` /dev/rob0
0 siblings, 2 replies; 7+ messages in thread
From: varun_saa @ 2005-06-29 11:56 UTC (permalink / raw)
To: netfilter
Hello,
To allow a particular MAC, I plan to use the rule
as suggested in my previous post:
iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
Now how do you block all other MAC addresses in the first place?
How to write a rule for that?
Thanks
Varun
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: MAC filtering
2005-06-29 11:56 MAC filtering varun_saa
@ 2005-06-29 15:58 ` Gustavo Castro Puig
2005-06-29 20:30 ` /dev/rob0
1 sibling, 0 replies; 7+ messages in thread
From: Gustavo Castro Puig @ 2005-06-29 15:58 UTC (permalink / raw)
To: netfilter
Varun:
I suggest you check a project called "ebtables". It may be of interest
to you: http://ebtables.sourceforge.net/
Anyway, I think you can do this to disable all other MAC addresses:
iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
iptables -A FORWARD -m mac --mac-source ! ff:ff:ff:ff:ff:ff -j DROP
But if you want to allow more MACs, then you may need to write a custom
chain and pass all those MACs into it.
I hope this helps you.
> Hello,
> To allow a particular MAC, I plan to use the rule
> as suggested in my previous post:
>
> iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
>
> Now how do you block all other MAC addresses in the first place.
> How to write a rule for that ?
>
> Thanks
>
> Varun
>
>
>
Saludos,
Gustavo Castro Puig.
E-Mail: gcastro@gcp.com.uy
LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
Registered Linux User #69342
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: MAC filtering
2005-06-29 11:56 MAC filtering varun_saa
2005-06-29 15:58 ` Gustavo Castro Puig
@ 2005-06-29 20:30 ` /dev/rob0
1 sibling, 0 replies; 7+ messages in thread
From: /dev/rob0 @ 2005-06-29 20:30 UTC (permalink / raw)
To: netfilter
On Wednesday 29 June 2005 06:56, varun_saa@vsnl.net wrote:
> To allow a particular MAC, I plan to use the rule
> as suggested in my previous post:
>
> iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
>
> Now how do you block all other MAC addresses in the first place.
> How to write a rule for that ?
iptables -A FORWARD -j DROP
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 7+ messages in thread
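The two replies in this thread combined into one allow-list, as an added example that is not from any poster: several permitted MACs go into a custom chain and everything else hits one unconditional DROP. The chain name MACALLOW and the sample addresses are assumptions; the function only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example: print (not execute) iptables commands that forward traffic
# only from an allow-list of source MAC addresses.

# Succeeds only for six colon-separated hex octets, the form --mac-source takes.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_mac_allowlist MAC...
# Validates every address before printing anything, so a typo can never
# leave a half-written rule set in the output. Returns 1 on bad input.
gen_mac_allowlist() {
    chain=MACALLOW    # hypothetical chain name
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done

    # -N fails harmlessly if the chain already exists; -F empties it for reuse.
    echo "iptables -N $chain 2>/dev/null"
    echo "iptables -F $chain"

    # One ACCEPT per permitted address, upper-cased for consistent listings.
    for mac in "$@"; do
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        echo "iptables -A $chain -m mac --mac-source $mac -j ACCEPT"
    done

    # Anything that matched no ACCEPT above is dropped.
    echo "iptables -A $chain -j DROP"

    # Hook the chain into FORWARD once (-C needs iptables 1.4.11 or later).
    echo "iptables -C FORWARD -j $chain 2>/dev/null || iptables -A FORWARD -j $chain"
}

# Constructed sample addresses, for illustration only.
gen_mac_allowlist 00:11:22:33:44:55 00:11:22:33:44:66
```

Re-running the function with a different address list and feeding the output to a root shell changes the permitted MACs at run time without touching the FORWARD jump. While the chain is being refilled, and until the final DROP is appended, packets that match no rule in it return to FORWARD and meet that chain's policy.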
* mac filtering
@ 2010-04-21 3:55 ratheesh k
2010-04-21 5:54 ` Marek Kierdelewicz
2010-04-21 7:49 ` Lars Nooden
0 siblings, 2 replies; 7+ messages in thread
From: ratheesh k @ 2010-04-21 3:55 UTC (permalink / raw)
To: netfilter
I have a client machine (say A) connected to a Linux router. I
can browse the internet without any problem.
In the router, I can configure MAC address filters. If I configure A's
MAC address should be disabled, A cannot access the router itself?
Question: What exactly does MAC address filter mean? Disabling router
access or disabling internet access?
Thanks,
Ratheesh
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: mac filtering
2010-04-21 3:55 mac filtering ratheesh k
@ 2010-04-21 5:54 ` Marek Kierdelewicz
2010-04-21 7:49 ` Lars Nooden
1 sibling, 0 replies; 7+ messages in thread
From: Marek Kierdelewicz @ 2010-04-21 5:54 UTC (permalink / raw)
To: ratheesh k; +Cc: netfilter
Hi,
>
>I have a client machine (say A) connected to a Linux router. I
>can browse the internet without any problem.
>In the router, I can configure MAC address filters. If I configure A's
>MAC address should be disabled, A cannot access the router itself?
>Question: What exactly does MAC address filter mean? Disabling router
>access or disabling internet access?
If you add the following rule you'll block access to the internet, not to
the router:
iptables -A FORWARD -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx
This rule will block access to the router without affecting access to
the internet:
iptables -A INPUT -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx
You can find a nice diagram representing packet flow in netfilter here
(focus on the green background if you're only routing, not bridging):
http://www.imagestream.com/~josh/PacketFlow.gif
Best regards,
Marek
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: mac filtering
2010-04-21 3:55 mac filtering ratheesh k
2010-04-21 5:54 ` Marek Kierdelewicz
@ 2010-04-21 7:49 ` Lars Nooden
1 sibling, 0 replies; 7+ messages in thread
From: Lars Nooden @ 2010-04-21 7:49 UTC (permalink / raw)
To: ratheesh k; +Cc: netfilter
On 04/21/2010 06:55 AM, ratheesh k wrote:
> Question : What exactly mac address filter mean ? disabling router
> access or disabling internet access ?
The rule acts on what the user or that user's system has chosen at that
particular moment to use as its chosen string to identify the network
interface when contacting the router.
That kind of filtering is of very limited use in most activities.
/Lars
^ permalink raw reply [flat|nested] 7+ messages in thread