Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#!/bin/sh
MAC=/etc/iptables/mac
iptables -N InputRules
iptables -N OutputRules
iptables -A FORWARD -d 123.124.125.0/255.255.255.192 -j InputRules
iptables -A FORWARD -s 123.124.125.0/255.255.255.192 -j OutputRules
seq 66 127 | while read i
do
iptables -N ip$i\In
iptables -N ip$i\Out
#
iptables -A InputRules -d 123.124.125.$i/255.255.255.192 -j ip$i\In
iptables -A OutputRules -s 123.124.125.$i/255.255.255.192 -j ip$i\Out
#
iptables -A ip$i\In -j RETURN
iptables -A ip$i\Out -m mac --mac-source ! $(cat $MAC | grep -m 1 "123.124.125.$i" | cut -d\ -f3) -j DROP
done
What I want:
- I want to get the traffic of those ip's and use it with mrtg.
- And i check the mac to be sure there is no one who change the ip.
In /etc/iptables/mac i keep a file with this format:
IP_ADDRESS at MAC_ADDRESS
ex:
123.124.125.81 at 00:02:44:3F:CD:EA [ether] on eth1
123.124.125.82 at 00:00:00:00:00:00
Where I'm going wrong with the mac thing? If i execute the script, it's blocking every ip.
I may be completely wrong about this, but I don't think iptables can do what you are asking with this script. You've got loops and bash commands and I don't think iptables knows how to deal with those. What you could do is have iptables log the traffic it sees and then have a separate script running as a cron job that checks the logs and takes any appropriate action.
Just out of curiosity, if you run this script and then look at the rules iptables has (iptables -L )what do you get back?
OK, I'm confused. You say that you run the script and all ip's are blocked, but both your INPUT chain and your OUTPUT chain are wide open. Their default policy is ACCEPT and there are no rules. If nothing else, the computer this runs on should have full access to the network. The rules in the FORWARD chain don't look like proper syntax to me (actually none of the rules look like proper syntax to me) and I suppose that could be part of the problem. However, usually iptables puts up a fuss when you feed it rules it doesn't recognize. Do you get any error messages when you run your script?
And all the ip's are comming from another box. In that second box are connected all the computers with those ip's.
The box where i put the rules is the one with the internet cable.
I hope this help's you.
Internet <-> Box 1 (with this iptables) <-> Box 2<->All other boxes
In this case, the only LAN traffic Box1 sees is from Box 2. I'm guessing that the tripping point then is your rules syntax. If I were writing your FORWARD rules they would look like:
iptables -A FORWARD -s 194.176.185.0/24 -j InputRules
However, you have both your InputRules and OutputRules bound to the same IP address range. That would restrict all traffict to just that coming and going from that range. If that is what you want, fine, but if you are trying to use the internet, you aren't going to be able to.
Also since you are using this box a bit like a router, you probably need to investigate using NAT and MASQUERADE in iptables. These rules are actually required if you are using iptables to route traffic and may be another aspect of why you can't access the internet. I've never used them so I won't offer advice, but if you search around this board you will find plenty of examples on how to set them up.
After spending a little time thinking about your rules, I think the problem is in InputRules and OutputRules. In all of the tables below those, you use either DROP or RETURN. Now RETURNED packets will continue to traverse the InputRules or OutputRules tables, but you leave them high and dry there. There is no rule accepting the packets that make it past your filters. You might try adding an ACCEPT line in those two tables or try RETURNing them to the FORWARD table and accepting them there.
For Hangdog42 (3'rd post) : Sorry, I did not change all the ip's. The 194.176.185.* should be 123.124.125.* . My mistake.
I will put this night 2 RETURN rules in the firewall and see what hapens. Thank you.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.