Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - 06-09-2005, 06:05 AM
Member | Registered: Nov 2003 | Location: Bulgaria | Distribution: Vector Linux, Morphix | Posts: 281
iptables mac FORWARD
I posted my question in the Slackware section but unfortunately no one could help me.
I have a small network connected to the internet and I want my router to forward only packages sent from computers with listed MAC addresses.
So I put this:
iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT
and the same for the others, but it's not forwarding anything.
I put in this and the addresses of both router netcards - nothing.
If I change it to
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j DROP
the packages from this computer are not forwarded.
Where is the mistake?

#2 - 06-09-2005, 07:20 AM
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
First, is the system with that MAC address within one hop, so that you can actually see its MAC when you fire up tcpdump?
Second, are there any other rules before that one that may be interfering? It would probably help if you posted your entire firewall script. Make sure to remove any public IPs.

#3 - 06-09-2005, 07:54 AM
Member | Registered: Nov 2003 | Location: Bulgaria | Distribution: Vector Linux, Morphix | Posts: 281 | Original Poster
One hop - LAN.
No firewall - just this, all other rules - ACCEPT:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
That's all.
The ipt_mac module loads.

#4 - 06-09-2005, 08:03 AM
Member | Registered: Nov 2003 | Location: Bulgaria | Distribution: Vector Linux, Morphix | Posts: 281 | Original Poster
The router is connected to the ISP via a cable modem, and the modem is connected to the router through a network card with a static IP. Don't you think that the router is not forwarding packages from the modem to my network?
Maybe I have to use state or something?

#5 - 06-09-2005, 09:13 AM
Member | Registered: Nov 2003 | Location: Bulgaria | Distribution: Vector Linux, Morphix | Posts: 281 | Original Poster
I added this and it works:
iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT
Do you think it's enough?

#6 - 06-09-2005, 05:14 PM
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
I believe so. I think the problem has to do with the reply packets getting back through. The initial outgoing packets were forwarded because they had that MAC as the source. However, the reply packets would have different source and dst MAC addresses and wouldn't match that rule and consequently hit the DROP policy.
It's usually a good idea to accept the ESTABLISHED *AND* RELATED states, so that things like ICMP port unreachable messages can get back through too. So your rule would look like:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT
It's also a good idea to specify which interfaces should be receiving traffic with that source MAC. It's possible for someone to spoof that MAC on the external interface, which would allow access to your LAN. It's pretty unlikely, but it's still a good idea to include the LAN interface in the rule with the MAC address:
iptables -A FORWARD -i <internal_interface> -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT
where <internal_interface> is usually eth1 (check ifconfig output).
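The ruleset described in post #6 (DROP policy on FORWARD, an ESTABLISHED,RELATED accept so replies get back, and a MAC whitelist bound to the LAN interface) as an added example script; this is not code from the thread or from any poster. It also validates every MAC before emitting a rule, which catches the stray space that posts #7 and #8 discuss. The interface names (eth0 for the LAN, eth1 towards the cable modem, matching the MASQUERADE rule in post #3) and the MACs in the usage line are assumptions. By default the script only prints the iptables commands so they can be reviewed; they are applied only when the output is piped into sh as root.

```shell
#!/bin/sh
# Added example: generate a MAC-whitelisted FORWARD ruleset for a small NAT router.
# Interface names are assumptions; override with LAN_IF=... WAN_IF=... in the environment.
LAN_IF="${LAN_IF:-eth0}"   # assumed interface facing the LAN
WAN_IF="${WAN_IF:-eth1}"   # assumed interface facing the cable modem

# A MAC is six colon-separated hex octets with nothing else in between.
# A stray space inside the address (as in the thread's pasted rule) fails here
# instead of producing a rule that iptables rejects or that never matches.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the ruleset for the allowed MACs given as arguments (one line per command).
# Returns 1 without printing anything if no MACs are given or one is malformed.
build_rules() {
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "rejecting malformed MAC: '$mac'" >&2; return 1; }
    done

    # Start from an empty FORWARD chain and drop everything not explicitly allowed.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"

    # Replies and related traffic (ICMP errors, for example) belong to connections
    # already accepted below. Their source MAC is the modem's, so without this rule
    # they would miss the MAC rules and hit the DROP policy, which is what the thread saw.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # New connections are accepted only from whitelisted MACs, and only when they arrive
    # on the LAN interface headed for the WAN, so the same MAC spoofed on the modem side
    # does not open a path into the LAN.
    for mac in "$@"; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -m state --state NEW -j ACCEPT"
    done

    # NAT the LAN behind the WAN address (the rule already present in post #3).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Usage (MACs are constructed examples):
#   sh mac-forward.sh 00:11:22:33:44:55 AA:BB:CC:DD:EE:FF          # review the rules
#   sh mac-forward.sh 00:11:22:33:44:55 AA:BB:CC:DD:EE:FF | sh     # apply them, as root
if [ "$#" -gt 0 ]; then
    build_rules "$@"
fi
```

The NEW/ESTABLISHED split is the point of the design: the MAC rules decide who may open connections, and the state rule lets the replies through without having to know their MAC addresses. Note that `-m mac` only works while the source MAC is visible, which is why the thread's first question was whether the host sits one hop away from the router.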

#7 - 06-12-2005, 01:39 PM
Member | Registered: Feb 2005 | Location: Ottawa/Montréal | Distribution: Slackware + Darwin (MacOS X) | Posts: 468
You have a space in your MAC address:
--mac-source 00:50:8B:AE:9D: D1

#8 - 06-12-2005, 03:56 PM
Member | Registered: Nov 2003 | Location: Bulgaria | Distribution: Vector Linux, Morphix | Posts: 281 | Original Poster
I know, but it shows an emoticon.

#9 - 06-12-2005, 04:09 PM
Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
LOL... yeah... well, for what it's worth, when you post there's an option below to "Disable Smilies in This Post" for these kinds of situations... look:
:D
(see? no smiley! hehe...)