trying to allow only 1 host to connect to FTP server by MAC using iptables

psycroptic · 11-21-2013, 11:58 PM

i would think this would only allow a certain MAC address to connect to the passive-only FTP server running on port 31313:

Code:

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j CT --helper ftp
-A PREROUTING -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j ACCEPT
-A INPUT -m mac ! --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 31313 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

COMMIT

but it doesn't work; anyone can still access the server, no access is getting limited. Why not?

acid_kewpie · 11-22-2013, 02:11 AM

Can you show us the full iptables state, as opposed to a config file? "iptables -vnL"

Also I presume you are aware that a mac address will not traverse a layer 3 boundary? As such only servers on the same directly connected local subnet can be identified by their mac?

psycroptic · 11-22-2013, 02:19 AM

iptables -vnL

Code:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx tcp dpt:21212
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212 flags:0x17/0x02
   90 10638 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 90 packets, 10638 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -vnL -t raw

Code:

Chain PREROUTING (policy ACCEPT 110 packets, 12201 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx tcp dpt:21212 CT helper ftp
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! xx:xx:xx:xx:xx:xx tcp dpt:21212

Chain OUTPUT (policy ACCEPT 112 packets, 14819 bytes)
 pkts bytes target     prot opt in     out     source               destination

and the ftp server is running on a local network only

acid_kewpie · 11-22-2013, 02:23 AM

so the rule isn't matching. And your MAC really isn't interesting. xxing it all out and changing the port number (are we pretending it's 21212 or 31313?) just makes it hard to read.

run a tcpdump and see what the incoming traffic actually looks like, "tcpdump -ven port 12345 -i <interface>" to see.