Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I posted my question in the Slackware section but unfortunately no one could help me.
I have a small network connected to the internet and I want my router to forward only packets sent from computers with listed MAC addresses.
So I put this:
iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D:D1 -j ACCEPT
and the same for the others, but it's not forwarding anything.
I put in this and the addresses of both of the router's network cards - nothing.
If I change to
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D:D1 -j DROP
the packets from this computer are not forwarded.
The router is connected to the ISP via a cable modem, and the modem is connected to the router through a network card with a static IP. Don't you think the router is not forwarding packets from the modem to my network?
Maybe I have to use state or something?
I believe so. I think the problem has to do with the reply packets getting back through. The initial outgoing packets were forwarded because they had that mac as the source. However, the reply packets would have different source and dst mac addresses and wouldn't match that rule and consequently hit the DROP policy.
It's usually a good idea to accept the ESTABLISHED *AND* RELATED states, so that things like ICMP port unreachable messages can get back through too. So your rule would look like:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT
It's also a good idea to specify which interfaces should be receiving traffic with that source MAC. It's possible for someone to spoof that MAC on the external interface, which would allow access to your LAN. It's pretty unlikely, but it's still a good idea to include the LAN interface in the rule with the MAC address:
iptables -A FORWARD -i <internal_interface> -m mac --mac-source 00:50:8B:AE:9D:D1 -j ACCEPT
where <internal_interface> is usually eth1 (check ifconfig output).
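Putting the reply's advice together as one script (an added example, not code posted in this thread): the FORWARD chain defaults to DROP, the ESTABLISHED,RELATED rule goes first so reply packets (which carry a different source MAC) are let back through, and each allow-listed MAC is tied to the LAN interface so a MAC spoofed from the WAN side is not forwarded in. The interface names eth1/eth0, the environment variables LAN_IF/WAN_IF, the second MAC in the allow-list and the function names are all assumptions for illustration; the first MAC is the one from the original post with its stray space removed. The script also validates each MAC before emitting a rule, because a malformed address such as the "9D: D1" with an embedded space in the original post is rejected by iptables and would leave the chain half-built.

```shell
#!/bin/sh
# Added example (not from the LinuxQuestions thread): build a FORWARD chain
# that only forwards new connections from allow-listed MACs on the LAN side,
# with the ESTABLISHED,RELATED rule placed first so replies get back through.
# Assumptions (not stated in the thread): LAN interface eth1, WAN interface
# eth0, and the constructed allow-list below.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
# Constructed sample allow-list; the first entry is the OP's MAC, space removed.
ALLOWED_MACS="00:50:8B:AE:9D:D1 00:50:8B:AE:9D:D2"

# validate_mac MAC -> exit status 0 only for six colon-separated hex octets.
# Anything else (spaces, missing octets) is not a MAC iptables will accept.
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_forward_rules LAN_IF WAN_IF "MAC MAC ..." -> prints the iptables
# commands, in the order they must be applied, one per line.
# Returns 1 (after printing an error to stderr) if any MAC is malformed.
build_forward_rules() {
    lan="$1"; wan="$2"; macs="$3"
    # Default deny: anything not matched below is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Reply packets have a different source MAC, so they are matched by
    # connection state rather than by address, and this rule must come first.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for m in $macs; do
        validate_mac "$m" || { echo "invalid MAC address: $m" >&2; return 1; }
        # Tie the MAC match to the LAN interface: a frame with a spoofed
        # source MAC arriving on the WAN side does not match and is dropped.
        echo "iptables -A FORWARD -i $lan -o $wan -m mac --mac-source $m -m state --state NEW -j ACCEPT"
    done
}

# apply_forward_rules: execute the generated commands (needs root and iptables).
apply_forward_rules() {
    build_forward_rules "$LAN_IF" "$WAN_IF" "$ALLOWED_MACS" | sh -e
}

case "${1:-}" in
    --show)  build_forward_rules "$LAN_IF" "$WAN_IF" "$ALLOWED_MACS" ;;
    --apply) apply_forward_rules ;;
esac
```

Run it with `--show` to review the generated rules without touching the firewall, and with `--apply` as root to load them. Listing the rules afterwards with `iptables -L FORWARD -v -n` shows per-rule packet counters, which is the quickest way to confirm that outbound traffic from a listed host is hitting its MAC rule and that the return traffic is being counted on the ESTABLISHED,RELATED rule rather than falling to the DROP policy.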