Old 11-21-2013, 11:58 PM   #1
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
trying to allow only 1 host to connect to FTP server by MAC using iptables


I would think this would only allow a certain MAC address to connect to the passive-only FTP server running on port 31313:

Code:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j CT --helper ftp
-A PREROUTING -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j ACCEPT
-A INPUT -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

COMMIT

But it doesn't work; anyone can still access the server, and no access is being limited. Why not?
 
Old 11-22-2013, 02:11 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Can you show us the full iptables state, as opposed to a config file? "iptables -vnL"

Also, I presume you are aware that a MAC address will not traverse a layer 3 boundary? As such, only servers on the same directly connected local subnet can be identified by their MAC?
 
Old 11-22-2013, 02:19 AM   #3
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
iptables -vnL
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx tcp dpt:21212
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212 flags:0x17/0x02
   90 10638 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 90 packets, 10638 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -vnL -t raw
Code:
Chain PREROUTING (policy ACCEPT 110 packets, 12201 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx tcp dpt:21212 CT helper ftp
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212

Chain OUTPUT (policy ACCEPT 112 packets, 14819 bytes)
 pkts bytes target     prot opt in     out     source               destination
And the FTP server is running on a local network only.

Last edited by psycroptic; 11-22-2013 at 02:20 AM.
 
Old 11-22-2013, 02:23 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
So the rule isn't matching. And your MAC really isn't interesting; xx-ing it all out and changing the port number (are we pretending it's 21212 or 31313?) just makes it hard to read.

Run a tcpdump and see what the incoming traffic actually looks like: "tcpdump -ven port 12345 -i <interface>".
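Added example, not code from the thread or its posters: a small Python parser for the `iptables -vnL` listing format shown in post #3. It reads a constructed copy of that INPUT chain listing, reports which MAC-match rules still have a zero packet counter (the "rule isn't matching" observation in post #4), and flags the destination-port mismatch between the saved rules (31313) and the live state (21212). The MAC pattern deliberately also accepts the `xx` placeholder octets used in the thread.

```python
import re

# Constructed sample: the filter-table listing posted in the thread, copied in shape.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx tcp dpt:21212
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212 flags:0x17/0x02
   90 10638 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
"""

# One rule line of `iptables -vnL`: pkts, bytes, target, prot, opt, in, out, src, dst, then match extras.
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"MAC (! )?([0-9A-Fa-fx]{2}(?::[0-9A-Fa-fx]{2}){5})")  # 'x' allowed for xx'ed-out MACs
DPORT_RE = re.compile(r"dpt:(\d+)")

def _count(s):
    """iptables abbreviates large counters as e.g. 10K or 2M unless -x is given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_listing(text):
    """Turn `iptables -vnL` text into one dict per rule (chain, counters, MAC match, dport)."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if chain is None or not m or m.group(1) == "pkts":
            continue  # header row, blank line, or text outside any chain
        pkts, _bytes, target, prot, inif, outif, src, dst, extra = m.groups()
        mac = MAC_RE.search(extra)
        dport = DPORT_RE.search(extra)
        rules.append({"chain": chain, "pkts": _count(pkts), "target": target, "prot": prot,
                      "in": inif, "mac": mac.group(2) if mac else None,
                      "mac_negated": bool(mac and mac.group(1)),
                      "dport": int(dport.group(1)) if dport else None})
    return rules

def unmatched_mac_rules(rules):
    """MAC-based rules whose packet counter is still zero: no traffic has hit them."""
    return [r for r in rules if r["mac"] and r["pkts"] == 0]

def port_mismatches(rules, expected_port):
    """Rules filtering a dport other than the one the saved config claims (31313 vs 21212)."""
    return [r for r in rules if r["dport"] is not None and r["dport"] != expected_port]
```

Run it against the output of `iptables -vnL` on the real box (and `-t raw` for the PREROUTING chain) instead of the constructed sample; a MAC rule that stays at zero while the RELATED,ESTABLISHED rule keeps counting is the signature that the incoming frames do not carry the expected source MAC or port.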
 