LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-21-2009, 04:35 AM   #1
sickdude
LQ Newbie
 
Registered: Mar 2005
Distribution: red hat *, fedora core *, gentoo, slackware, ubuntu
Posts: 27

Rep: Reputation: 15
iptables logs the same MAC address over and over...


Hi all,

Well, let's get straight to the point.

I use the TouchTerm app for iPhone to monitor my server while on the road. For security reasons I have port 22 open only for some IP addresses (work, home, school), which is OK when I am on a wifi connection in these places, but I wanted to improve my iptables skills and add a MAC address filter.

So I used the syslog, in which iptables logs, to check what the MAC address of my iPhone was while it's on the 3G connection.

Well, it logs the most crazy MAC address I have ever seen in my sysadmin lifetime: 00:XX:48:XX:2d:XX:00:XX:23:XX:00:XX:08:XX. The XX's are my doing for security reasons, go figure :-p

This is only the tip of the iceberg; this MAC is logged for every entry in all my logs. Since I was never interested in this kind of info I never noticed this, but now I really want to know what kind of crazy problem this is. Does anybody have this problem? Why isn't my log as accurate as it should be? What is this weird kernel thinking?

Running Ubuntu 8.04 Hardy Heron

uname -a
Linux XXXX 2.6.24-23-server #1 SMP Wed Apr 1 22:22:14 UTC 2009 i686 GNU/Linux

iptables -V
iptables v1.3.8
 
Old 05-21-2009, 08:35 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Well, that's too long for a MAC address, which is only 12 hex characters, but the MAC address *SHOULD* be the same, as it should be the MAC of the upstream router. Remember that MAC addresses are only relevant to the local subnet (so why you've "secured" it I've no idea), not the wider layer 3 world.
 
Old 05-21-2009, 11:57 AM   #3
sickdude
LQ Newbie
 
Registered: Mar 2005
Distribution: red hat *, fedora core *, gentoo, slackware, ubuntu
Posts: 27

Original Poster
Rep: Reputation: 15
Well, OK, thanks for pointing that out, but this still leaves me with the question that iptables is logging incorrect MAC addresses and I don't know why...
 
Old 05-21-2009, 12:28 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Wrong address? How about you show us some logs and we'll explain them as best we can.
 
Old 05-22-2009, 05:04 AM   #5
sickdude
LQ Newbie
 
Registered: Mar 2005
Distribution: red hat *, fedora core *, gentoo, slackware, ubuntu
Posts: 27

Original Poster
Rep: Reputation: 15
A little piece of the log file:

May 22 10:09:21 teletran-04 kernel: [1731231.529678] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=217.162.236.73 DST=217.xxx.33.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=5272 DF PROTO=TCP SPT=4777 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
May 22 10:09:24 teletran-04 kernel: [1731234.383947] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=217.162.236.73 DST=217.xxx.33.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=6396 DF PROTO=TCP SPT=4777 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
May 22 10:11:49 teletran-04 kernel: [1731379.386605] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=110 ID=22136 DF PROTO=TCP SPT=1878 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 10:11:52 teletran-04 kernel: [1731382.369008] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=110 ID=23208 DF PROTO=TCP SPT=1878 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 10:11:58 teletran-04 kernel: [1731388.410640] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN

You can see that the destination IP addresses are different but the MAC addresses are the same and long.
 
Old 05-22-2009, 06:33 AM   #6
oʌǝɹ
LQ Newbie
 
Registered: May 2009
Posts: 12

Rep: Reputation: 1
MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00
is an Ethernet MAC header:
00:30:48:25:2d:48 is the destination, your server
00:04:23:09:00:e6 is the source, the gateway router of your server (Intel)
08:00 is IPv4
 
Old 05-22-2009, 06:46 AM   #7
sickdude
LQ Newbie
 
Registered: Mar 2005
Distribution: red hat *, fedora core *, gentoo, slackware, ubuntu
Posts: 27

Original Poster
Rep: Reputation: 15
OK, well, thank you, great reply!

But why is my log file not showing the MAC address of the machine trying to connect to my server? This should be logged, right? Or am I missing some iptables syntax?
 
Old 05-22-2009, 07:49 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
As I said above, MAC is layer 2 data, so it does not persist across a router. A remote device's MAC address is really of no interest to you, and it's impossible to know it from a standard IP packet.
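The decoding given in post #6 and the layer-2 point made in post #8, worked through as an added example that is not part of the thread: a small parser splits the 14-octet MAC= field of the iptables LOG target into destination MAC, source MAC and EtherType, then groups the logged lines by remote SRC= address to show that the source MAC is the gateway's and therefore identical for every remote host. The log lines are constructed in the thread's format; the MAC value is the one discussed in the thread and the IP addresses are from RFC 5737 documentation ranges.

```python
"""Decode the MAC= field that the iptables LOG target writes to syslog.

Added example, not code from the thread. LOG prints the first 14 bytes of
the Ethernet frame: 6-byte destination MAC (this host), 6-byte source MAC
(the last layer-2 hop, i.e. the gateway) and a 2-byte EtherType.
"""
import re
from collections import defaultdict

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Constructed sample lines in the thread's LOG format. The MAC value is the
# one discussed in the thread; SRC/DST use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 22 10:09:21 host kernel: [1.0] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=5272 DF PROTO=TCP SPT=4777 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
May 22 10:11:49 host kernel: [2.0] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x20 TTL=110 ID=22136 DF PROTO=TCP SPT=1878 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 10:12:03 host kernel: [3.0] iptables: LDROP IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=4777 WINDOW=0 RES=0x00 ACK RST URGP=0
"""


def parse_mac_field(mac):
    """Split the 14-octet MAC= value into dst MAC, src MAC and EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    ethertype = int("".join(octets[12:14]), 16)
    return {
        "dst_mac": ":".join(octets[0:6]),   # our own NIC
        "src_mac": ":".join(octets[6:12]),  # gateway NIC, never the remote host
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def parse_log_line(line):
    """Extract KEY=value fields; MAC= is absent for locally generated (OUT) packets."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {
        "in_if": fields.get("IN") or None,
        "src_ip": fields.get("SRC"),
        "dst_ip": fields.get("DST"),
        "mac": parse_mac_field(fields["MAC"]) if fields.get("MAC") else None,
    }


def layer2_sources_by_remote(log_text):
    """Map each remote SRC= IP to the set of source MACs logged with it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry["mac"]:
            seen[entry["src_ip"]].add(entry["mac"]["src_mac"])
    return dict(seen)  # every remote IP maps to the same gateway MAC
```

Running `layer2_sources_by_remote(SAMPLE_LOG)` yields one gateway MAC for both remote addresses, which is why a MAC filter cannot distinguish remote hosts on the far side of a router.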