Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
11-21-2013, 11:58 PM | #1 | Member (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
Trying to allow only 1 host to connect to FTP server by MAC using iptables
I would think this would only allow a certain MAC address to connect to the passive-only FTP server running on port 31313:
Code:
# raw table: attach the FTP conntrack helper only to control connections
# from the permitted MAC, and drop everything else aimed at the FTP port
# before it reaches conntrack
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j CT --helper ftp
-A PREROUTING -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
COMMIT
# filter table: default-deny inbound; accept the FTP control port from the
# permitted MAC only, then let conntrack admit the RELATED passive data
# connections and replies belonging to ESTABLISHED connections
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j ACCEPT
-A INPUT -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
But it doesn't work: anyone can still access the server; no access is getting limited. Why not?
11-22-2013, 02:11 AM | #2 | Moderator (Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
Can you show us the full iptables state, as opposed to a config file ("iptables -vnL")?
Also, I presume you are aware that a MAC address will not traverse a layer 3 boundary? As such, only servers on the same directly connected local subnet can be identified by their MAC?
11-22-2013, 02:19 AM | #3 | Member, Original Poster (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
iptables -vnL
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source    destination
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC xx:xx:xx:xx:xx:xx tcp dpt:21212
    0     0 DROP    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212 flags:0x17/0x02
   90 10638 ACCEPT  all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  all  --  lo  *   0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 90 packets, 10638 bytes)
 pkts bytes target  prot opt in  out source    destination
iptables -vnL -t raw
Code:
Chain PREROUTING (policy ACCEPT 110 packets, 12201 bytes)
 pkts bytes target  prot opt in  out source    destination
    0     0 CT      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC xx:xx:xx:xx:xx:xx tcp dpt:21212 CT helper ftp
    0     0 DROP    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212

Chain OUTPUT (policy ACCEPT 112 packets, 14819 bytes)
 pkts bytes target  prot opt in  out source    destination
And the FTP server is running on a local network only.
Last edited by psycroptic; 11-22-2013 at 02:20 AM.
11-22-2013, 02:23 AM | #4 | Moderator (Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
So the rule isn't matching. And your MAC really isn't interesting; xxing it all out and changing the port number (are we pretending it's 21212 or 31313?) just makes it hard to read.
Run a tcpdump and see what the incoming traffic actually looks like: "tcpdump -ven port 12345 -i <interface>".
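Two points from the replies above lend themselves to a worked check: the note in #2 that a source MAC only identifies a client on the server's directly connected subnet, and the advice in #4 to read the loaded rules and their counters to see that the MAC rules are not matching. The following Python script is an added example, not code from the thread or from either poster. It parses "iptables -vnL" output (the INPUT listing from post #3 is embedded as constructed sample input), lists rules whose packet counters are still zero, reports which destination ports the loaded rules actually test (the config file says 31313, the loaded rules say 21212), and checks whether a given client address is on the server interface's subnet at all, since past a router the frame carries the gateway's MAC. The interface address 192.168.1.10/24 and the client addresses are assumed values for illustration.

```python
import ipaddress
import re

# Constructed sample input: the "iptables -vnL" filter listing pasted in
# post #3, reproduced here so the parser can be exercised offline.
SAMPLE_FILTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source    destination
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC xx:xx:xx:xx:xx:xx tcp dpt:21212
    0     0 DROP    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212 flags:0x17/0x02
   90 10638 ACCEPT  all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  all  --  lo  *   0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source    destination
Chain OUTPUT (policy ACCEPT 90 packets, 10638 bytes)
 pkts bytes target  prot opt in  out source    destination
"""

# "iptables -v" abbreviates large counters with K/M/G (thousands);
# "iptables -vx" prints exact values and needs no conversion.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def counter_value(tok):
    """Turn a -v counter token such as '90' or '10K' into an int."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)


def parse_counters(listing):
    """Parse 'iptables -vnL' output into one dict per rule line."""
    rules = []
    chain = None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":          # "Chain INPUT (policy DROP ...)"
            chain = fields[1]
            continue
        if fields[0] == "pkts":           # column header row
            continue
        pkts, nbytes, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        match = " ".join(fields[9:])      # match extensions, e.g. MAC ..., dpt:..., ctstate
        dport = re.search(r"\bdpt:(\d+)", match)
        rules.append({
            "chain": chain,
            "pkts": counter_value(pkts),
            "bytes": counter_value(nbytes),
            "target": target,
            "prot": prot,
            "in": in_if,
            "out": out_if,
            "src": src,
            "dst": dst,
            "match": match,
            "dport": int(dport.group(1)) if dport else None,
        })
    return rules


def unmatched_rules(rules):
    """Rules whose packet counter is still zero: nothing has hit them yet."""
    return [r for r in rules if r["pkts"] == 0]


def loaded_dports(rules):
    """Destination ports the *loaded* rules test, to compare against the config file."""
    return {r["dport"] for r in rules if r["dport"] is not None}


def mac_match_usable(server_iface, client_ip):
    """True if the client is on the server interface's own subnet, so the frame's
    source MAC is the client's. Off-subnet traffic arrives with the gateway's MAC
    and a --mac-source rule cannot identify the client. Addresses are assumed values."""
    net = ipaddress.ip_interface(server_iface).network
    return ipaddress.ip_address(client_ip) in net


if __name__ == "__main__":
    rules = parse_counters(SAMPLE_FILTER)
    for r in unmatched_rules(rules):
        print(f"never matched: {r['chain']} {r['target']} {r['match']}")
    print("ports tested by loaded rules:", sorted(loaded_dports(rules)))
    print("MAC usable for 192.168.1.20 from 192.168.1.10/24:",
          mac_match_usable("192.168.1.10/24", "192.168.1.20"))
    print("MAC usable for 10.0.0.5 from 192.168.1.10/24:",
          mac_match_usable("192.168.1.10/24", "10.0.0.5"))
```

To use it on a real host, replace SAMPLE_FILTER with the live listing; the counters that stay at zero while the RELATED,ESTABLISHED rule climbs tell you the MAC/port rules never see the traffic, which is the symptom in this thread, and mac_match_usable tells you whether a MAC match could work for that client at all.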