LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-09-2005, 07:05 AM   #1
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Rep: Reputation: 31
iptables mac FORWARD


I posted my question in the Slackware section but unfortunately no one could help me.
I have a small network connected to the internet and I want my router to forward only packages sent from computers with listed MAC addresses.
So I put this:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT
and the same for the others, but it's not forwarding anything.
I put in this and the addresses of both router netcards - nothing.
If I change to

iptables -P FORWARD ACCEPT
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j DROP
the packages from this computer are not forwarded.

where is the mistake?
 
Old 06-09-2005, 08:20 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
First, is the system with that MAC address within one hop, so that you can actually see its MAC when you fire up tcpdump?

Second, are there any other rules before that one that may be interfering? It would probably help if you posted your entire firewall script. Make sure to remove any public IPs.
 
Old 06-09-2005, 08:54 AM   #3
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Original Poster
Rep: Reputation: 31
One hop - LAN.
No firewall, just this; all other rules ACCEPT.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
that's all
the ipt_mac module loads
 
Old 06-09-2005, 09:03 AM   #4
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Original Poster
Rep: Reputation: 31
The router is connected to the ISP via cable modem, and the modem is connected to the router through a network card with a static IP. Don't you think the router is not forwarding packages from the modem to my network?
Maybe I have to use state or something?
 
Old 06-09-2005, 10:13 AM   #5
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Original Poster
Rep: Reputation: 31
I added this and it works
iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT
Do you think it's enough?
 
Old 06-09-2005, 06:14 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I believe so. I think the problem has to do with the reply packets getting back through. The initial outgoing packets were forwarded because they had that mac as the source. However, the reply packets would have different source and dst mac addresses and wouldn't match that rule and consequently hit the DROP policy.

It's usually a good idea to accept the ESTABLISHED *AND* RELATED states, so that things like ICMP port unreachable messages can get back through too. So your rule would look like:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT

It's also a good idea to specify which interfaces should be receiving traffic with that source MAC. It's possible for someone to spoof that MAC on the external interface which would allow access to your LAN. It's pretty unlikely, but it's still a good idea to include the LAN interface in the rule with the MAC address:
iptables -A FORWARD -i <internal_interface> -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT

where <internal_interface> is usually eth1 (check ifconfig output).
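Pulling posts #5 and #6 together, here is an added example (not code from this thread) that prints the hardened FORWARD ruleset: the conntrack rule for return traffic first, then the MAC rule restricted to the LAN interface so a spoofed MAC arriving on the modem side still hits the DROP policy. The interface defaults, the forward_rules and valid_mac helpers and the invocation are assumptions; the MAC used is the OP's, written without the smiley-induced space.

```sh
#!/bin/sh
# Constructed example: emit the FORWARD rules discussed above instead of
# executing them, so the ruleset can be reviewed before it is loaded.
LAN_IF="${LAN_IF:-eth0}"   # assumed: interface facing the LAN (check ifconfig)
WAN_IF="${WAN_IF:-eth1}"   # assumed: interface facing the cable modem

# forward_rules LAN WAN MAC...  -> prints the iptables commands, in order.
forward_rules() {
    lan="$1"; wan="$2"; shift 2
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Reply packets carry the modem's MAC as source, so a MAC-only rule never
    # matches them and they fall through to the DROP policy; let conntrack
    # pass ESTABLISHED,RELATED traffic before any MAC check.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only NEW connections are checked against the MAC list, and only when
    # they arrive on the LAN interface and leave towards the WAN.
    for mac in "$@"; do
        echo "iptables -A FORWARD -i $lan -o $wan -m state --state NEW -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# valid_mac MAC -> succeeds only for six colon-separated hex octets; this
# rejects the stray space that the forum smiley put into the OP's rule.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Usage: sh fwd.sh 00:50:8B:AE:9D:D1 [more MACs]   (pipe into sh once reviewed)
for m in "$@"; do
    valid_mac "$m" || { echo "bad MAC address: $m" >&2; exit 1; }
done
if [ $# -gt 0 ]; then
    forward_rules "$LAN_IF" "$WAN_IF" "$@"
fi
```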
 
Old 06-12-2005, 02:39 PM   #7
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
You have a space in your MAC address:
--mac-source 00:50:8B:AE:9D: D1
 
Old 06-12-2005, 04:56 PM   #8
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Original Poster
Rep: Reputation: 31
I know, but it shows an emoticon.
 
Old 06-12-2005, 05:09 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
LOL... yeah... well, for what it's worth, when you post there's an option below to "Disable Smilies in This Post" for these kinda situations... look:

:D


(see? no smiley! hehe...)

 