Old 10-26-2015, 03:53 PM   #1
Helipil0t
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Rep: Reputation: Disabled
MAC filtering with iptables not working


I've done tons of reading on this topic and I have found numerous examples using iptables to filter mac addresses. I'm trying to create a whitelist of allowed mac addresses on my network.

Starting with a flushed iptables I use the following commands to simply add one mac address to an ACCEPT rule.
Code:
iptables -I FORWARD -m mac --mac-source 34:15:9e:24:96:c0 -j ACCEPT 
iptables -A FORWARD -j DROP
This produces the following tables for the FORWARD chain:

Code:
root@DD-WRT:~# iptables -nvL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 5275 packets, 4034K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      253 15363 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC F8:1E:DF:E6:DB:20 
2      605 37736 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
This is supposed to allow all traffic access from the listed mac address and drop everything else. It looks like some packets are passing through but most are still being dropped. The said client has no access to the internet.

Am I doing something wrong here?? Please help!!

Cheers!
 
Old 10-26-2015, 04:08 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,120

Rep: Reputation: 1259
The doc says you can only use mac in the PREROUTING or INPUT chains. Also, you need some other rule to pass response traffic.

http://www.netfilter.org/documentati...O-7.html#ss7.3
 
Old 10-26-2015, 04:45 PM   #3
Helipil0t
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by smallpond
The doc says you can only use mac in the PREROUTING or INPUT chains. Also, you need some other rule to pass response traffic.

http://www.netfilter.org/documentati...O-7.html#ss7.3
Thanks for the response. I can use the INPUT chain, problem is that tends to lock me out of the router when providing a DROP in the default policy. You think you could provide me with a working example? What rule would I need to pass response traffic?
 
Old 11-19-2015, 02:27 PM   #4
Helipil0t
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
[SOLVED] MAC filtering with iptables not working

For anyone interested I managed to get this working by creating a new CHAIN and defining the interface. For some reason using the FORWARD chain directly doesn't seem to work.

Code:
## Setup wanout CHAIN
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
I then used a loop to add an ACCEPT rule to all mac addresses from a file labeled "maclist_file".

Code:
## Accepted clients
for MAC in `cat /jffs/etc/config/maclist_file`; do
  iptables -A wanout -m mac --mac-source $MAC -j ACCEPT
done
And then the DROP rule
Code:
## Drop everything else
iptables -A wanout -i `nvram get lan_ifname` -j DROP
This seems to work very well for me on DD-WRT v3.0-r28000M kongac.

For those of you still running K2.6 load the following module:
Code:
insmod xt_mac
For K2.4 use:

Code:
insmod ipt_mac
K3.0 or newer has the module loaded in the kernel by default.

Hope this helps!
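The chain-based whitelist from post #4, written out as one script so the whole procedure (new chain, jump from FORWARD on the LAN interface, one ACCEPT per MAC, final DROP) can be reviewed and dry-run. This is an added example, not the poster's script or anything shipped with DD-WRT. Assumptions: the LAN interface defaults to br0 (the poster read it with `nvram get lan_ifname`), the chain keeps the thread's name wanout, IPTABLES can be pointed at "echo iptables" to print the rules instead of applying them, and the sample list file is constructed here (its two MACs are the ones that appear in the thread). The one thing it adds over the original loop is validation: every line of the list is checked against the MAC format before the first iptables call, so a typo or a stray word in the file can neither be passed to iptables as an argument nor leave the chain half-built.

```shell
#!/bin/sh
# Added example, not the poster's script: build the "wanout" MAC whitelist
# chain from a list file, validating every entry before touching iptables.
# Assumptions: LAN_IF defaults to br0 (the poster used `nvram get lan_ifname`
# on DD-WRT); IPTABLES can be set to "echo iptables" for a dry run.

LAN_IF="${LAN_IF:-br0}"
IPTABLES="${IPTABLES:-iptables}"

# True if $1 is six colon-separated hex octets, e.g. 34:15:9e:24:96:c0.
is_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the MACs from file $1 (one per line; blank lines and '#' comments are
# ignored, whitespace trimmed, output upper-cased). Returns 1 if any line is
# not a MAC, so a typo or a stray word never becomes an iptables argument.
read_maclist() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    entry="${line%%#*}"
    entry="$(printf '%s' "$entry" | tr -d ' \t\r')"
    [ -z "$entry" ] && continue
    if is_mac "$entry"; then
      printf '%s\n' "$entry" | tr 'a-f' 'A-F'
    else
      printf 'rejected malformed entry: %s\n' "$entry" >&2
      rc=1
    fi
  done < "$1"
  return "$rc"
}

# Create the chain, hook it into FORWARD for packets arriving on the LAN
# interface, add one ACCEPT per whitelisted MAC and a final DROP. The list is
# validated in full first, so a bad file leaves the firewall untouched.
apply_whitelist() {
  macfile="$1"
  macs="$(read_maclist "$macfile")" || {
    printf 'refusing to apply: %s has invalid entries\n' "$macfile" >&2
    return 1
  }
  $IPTABLES -N wanout
  $IPTABLES -I FORWARD -i "$LAN_IF" -j wanout
  for mac in $macs; do
    $IPTABLES -A wanout -m mac --mac-source "$mac" -j ACCEPT
  done
  $IPTABLES -A wanout -i "$LAN_IF" -j DROP
}

# Write a constructed sample list to $1 (the two MACs appear in the thread;
# the second line shows a trailing comment being stripped).
write_sample_maclist() {
  printf '%s\n' \
    '# constructed sample maclist_file' \
    '34:15:9e:24:96:c0' \
    'F8:1E:DF:E6:DB:20   # living-room box' \
    '' > "$1"
}

# Dry run: "sh thisscript.sh --demo" prints the rules instead of applying them.
if [ "${1:-}" = "--demo" ]; then
  IPTABLES="echo iptables"
  tmp="$(mktemp)" && write_sample_maclist "$tmp" && apply_whitelist "$tmp"
  rm -f "$tmp"
fi
```

Run with `--demo` to see the five iptables commands the sample list produces; point `IPTABLES` at the real binary (the default) and `LAN_IF` at the interface from `nvram get lan_ifname` to apply them on the router. Rebuilding the chain later means flushing wanout first (`iptables -F wanout`), since this script appends rather than replaces.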
 
  

