Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-27-2003, 09:29 AM  #1
Member
Registered: Jul 2003
Location: Frankfurt, Germany
Distribution: Mint, Ubuntu, Knoppix, RHEL
Posts: 64
iptables - blocking a host by MAC address
Hi folks,
Please shed some light upon my linux question:
In my LAN, the host with IP 192.68.0.113 has some Winblows virus that is generating outgoing traffic on my network. I don't know where this PC is, since it wasn't given a DHCP name. I issued the following three commands but they didn't stop the traffic:
iptables -I INPUT -s 192.168.0.113 -j DROP
iptables -I OUTPUT -s 192.168.0.113 -j DROP
iptables -I FORWARD -s 192.168.0.113 -j DROP
I wanna try blocking it by its MAC address. How do I do that?
I am running RH9.0
Thanks in advance.
08-27-2003, 10:16 AM  #2
Member
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244
do this (make sure you have the ipt_mac module loaded, too)
iptables -A INPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP
this matches the source of the packet to a given MAC, then drops it if it matches (might be obvious, but just in case). you can also put this in the FORWARD/OUTPUT chain to stop stuff (depends on your iptables).
gl,
y-p
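Two details behind the rule above are worth spelling out. The mac match reads the Ethernet header of the frame as it arrived, so iptables only accepts `-m mac --mac-source` in the PREROUTING, INPUT and FORWARD chains; in OUTPUT there is no incoming frame, and the rule is rejected. And a rule on the firewall only affects packets that are addressed to it (INPUT) or routed through it (FORWARD): on a hubbed LAN, frames the infected host sends directly to its neighbours never pass through the firewall, so nothing in iptables can stop them. The script below is an added example, not code from the thread; it assumes `iptables` is on the PATH, must be run as root to apply anything, and defaults to printing the commands (`DRY_RUN=1`) rather than executing them.

```shell
#!/bin/sh
# Added example, not from the thread: drop everything from one source MAC,
# in the only chains where "-m mac --mac-source" is valid (INPUT, FORWARD;
# PREROUTING would also work in the nat/mangle tables). With DRY_RUN=1 (the
# default here) the commands are printed instead of executed; set DRY_RUN=0
# and run as root to apply them.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-iptables}"

# Return 0 if $1 is a lowercase MAC in the xx:xx:xx:xx:xx:xx form the mac
# match requires; dashed, dotted or short forms are rejected.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert DROP rules at the top of INPUT and FORWARD for one source MAC.
# -I rather than -A so an earlier ACCEPT rule cannot shadow the drop.
# INPUT covers traffic aimed at this box, FORWARD covers traffic routed
# through it; frames between two hosts on the same hub never reach this
# box and no rule here can stop them.
block_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if ! valid_mac "$mac"; then
        echo "block_mac: '$1' is not a MAC of the form xx:xx:xx:xx:xx:xx" >&2
        return 1
    fi
    for chain in INPUT FORWARD; do
        run "$IPTABLES" -I "$chain" -m mac --mac-source "$mac" -j DROP || return 1
    done
}

# List the rules with line numbers so a block can be removed again with
# "iptables -D INPUT <n>" once the host has been found and cleaned.
show_mac_rules() {
    run "$IPTABLES" -L INPUT -n -v --line-numbers
    run "$IPTABLES" -L FORWARD -n -v --line-numbers
}

if [ "$#" -eq 1 ]; then
    block_mac "$1"
fi
```

Usage: `DRY_RUN=0 sh block_mac.sh 00:11:22:33:44:55` as root. The `-v` in the listing shows packet counters, which is the quickest way to confirm the rule is actually seeing the host's traffic; if the counters stay at zero, the traffic is not passing through this box at all.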
08-27-2003, 09:31 PM  #3
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
What sort of equipment is connecting the PCs in the network? If it's Cisco Catalyst equipment I might be able to help track the PC down.
--tarballedtux
08-28-2003, 01:56 PM  #4
Member
Registered: Jul 2003
Location: Frankfurt, Germany
Distribution: Mint, Ubuntu, Knoppix, RHEL
Posts: 64
Original Poster
Yocompia:
iptables -A INPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP
didn't work!
I also added
iptables -A FORWARD -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP
and tried adding
iptables -A OUTPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP
but it would give me an "invalid argument" error.
In any case, I still have the problem. Here is my lsmod output, just in case:
[root@proxy root]# lsmod
Module Size Used by Not tainted
ipt_mac 1208 2
soundcore 7108 0 (autoclean)
autofs 13700 0 (autoclean) (unused)
tulip 44256 1
pcnet32 18304 1
mii 2268 0 [pcnet32]
iptable_filter 2412 1 (autoclean)
ip_tables 15864 2 [ipt_mac iptable_filter]
mousedev 5688 1
keybdev 2976 0 (unused)
hid 22404 0 (unused)
input 6240 0 [mousedev keybdev hid]
usb-uhci 27276 0 (unused)
usbcore 80512 1 [hid usb-uhci]
ext3 72960 3
jbd 56752 3 [ext3]
ips 45088 4
sd_mod 13552 8
scsi_mod 110408 2 [ips sd_mod]
08-28-2003, 01:57 PM  #5
Member
Registered: Jul 2003
Location: Frankfurt, Germany
Distribution: Mint, Ubuntu, Knoppix, RHEL
Posts: 64
Original Poster
tarballedtux:
I have an old Cisco 2500 and a few CNET and SMC hubs.
08-28-2003, 04:59 PM  #6
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
If that particular Cisco switch can be consoled, use these commands to find the station:
Get into EXEC mode and type this command:
show mac-address-table address <mac address>
If the port it reports is connected to another switch, hopefully it's a Cisco; otherwise you at least have a lead.
--tarballedtux
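Before a switch's MAC table can be queried, the MAC behind the IP has to be known, and with hubs rather than switches there is no port table to walk anyway. The firewall's own ARP cache already holds that mapping for any host it has exchanged packets with, and the first three octets (the OUI) identify the NIC vendor, which is often the quickest physical clue when no DHCP name exists. The script below is an added example, not code from the thread; it parses the `/proc/net/arp` format and includes a constructed sample table (not captured from the poster's network) so it can be run offline. Two caveats: the ARP entry must be complete (flags `0x2`), so ping the host first to refresh it, and a MAC is trivially changed on the sending side, so a block keyed on it is containment, not a guarantee.

```shell
#!/bin/sh
# Added example, not from the thread: resolve an IP to a MAC from the Linux
# box's ARP cache, for feeding into "-m mac --mac-source" or a switch's MAC
# table. /proc/net/arp has one header line followed by rows of:
#   IP address  HW type  Flags  HW address  Mask  Device
# Flags 0x2 is a complete entry; 0x0 is an unanswered probe with a zero MAC.

# Constructed sample of /proc/net/arp, not taken from any real network.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:90:27:aa:bb:cc     *        eth0
192.168.0.113    0x1         0x2         00:50:BA:12:34:56     *        eth1
192.168.0.200    0x1         0x0         00:00:00:00:00:00     *        eth1'

# Print the lowercased MAC for IP $1, reading ARP table text from stdin.
# Returns 1 when there is no complete entry for that IP.
mac_from_arp() {
    awk -v ip="$1" '
        NR > 1 && $1 == ip && $3 == "0x2" { print tolower($4); found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live lookup: one ping makes the kernel (re)learn the entry, then read it.
live_mac_for_ip() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1 || true
    mac_from_arp "$1" < /proc/net/arp
}

# The OUI (first three octets) identifies the NIC vendor; look it up in the
# IEEE OUI list to narrow down what kind of machine you are hunting for.
oui_of() {
    printf '%s\n' "$1" | cut -d: -f1-3
}

if [ "$#" -eq 1 ]; then
    if mac=$(live_mac_for_ip "$1"); then
        printf '%s is at %s (OUI %s)\n' "$1" "$mac" "$(oui_of "$mac")"
    else
        echo "no complete ARP entry for $1" >&2
        exit 1
    fi
fi
```

Usage: `sh find_mac.sh 192.168.0.113`. On a hubbed segment the firewall also sees every frame passively, so `tcpdump -n -e host 192.168.0.113` on the LAN interface shows the source MAC directly even when the host never talks to the firewall itself.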
08-29-2003, 11:58 AM  #7
Member
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244
it's definitely odd that that rule doesn't work. i have a rule like that to match the MAC of my remote computer and it works fine. here are some rules (verbatim, except for the changed MAC) i have in my iptables:
# allows DHCPACK for setup of w-lan
$IPTABLES -A INPUT -p UDP -i wlan0 --dport 67 --sport 68 -m mac --mac-source <remote MAC> -j ACCEPT
...
# allow ssh in from horatio
$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -m mac --mac-source <remote MAC> -j ACCEPT
# only let established/related ssh connections to chimaera in from horatio
$IPTABLES -A INPUT -p TCP -i wlan0 -m state --state ESTABLISHED,RELATED -m mac --mac-source <remote MAC> -j ACCEPT
...
# allows w-lan valid outgoing through, but stops new/invalid connections through wlan0
$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -m mac --mac-source <remote MAC> -j ACCEPT
these rules all work on my router/firewall box. it's odd that the rule didn't work, but maybe it has something to do with the cisco stuff that tarballed has been talking about.
gl,
y-p