sec_tech 02-18-2013 09:34 PM

iptables log MAC address not showing
Hi, I need the MAC address of the originating request for outgoing packets. I'm not sure if I'm missing something, or maybe Debian Squeeze does not have this functionality? But here is my iptables command; I'm logging ALL NEW outgoing requests (INFO) on eth0:
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -j LOG --log-level 6
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW -j LOG --log-level 6

Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC= DST= LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765 DPT=53 LEN=61


wadhah102 02-19-2013 03:16 AM

Hi, I can't understand your question.
When you use

-o eth0
then all packets have this MAC address.

Can you explain it to me in more detail?

sec_tech 02-19-2013 07:13 AM

-o eth0
I have this defined so I am only logging OUTgoing traffic... but I still need the source MAC from my internal network devices. So this Debian box is logging all outgoing traffic on eth0 (the external-facing NIC); eth1 is internal to my network. I don't care about my internal traffic or traffic coming in, just the traffic going out to the internet.

unSpawn 02-19-2013 08:49 AM

On the LAN side, the router's ingress device, new connections not destined for the LAN equal egress traffic, right?

i still need the source mac from my internal network devices
When you want to know which MAC address from your LAN, you should log all traffic from your internal network, and in this case that's eth1.


iptables -A INPUT -i eth1 -j LOG --log-level 7 --log-prefix 'Source MAC ADDRES'
Note that the file /var/log/kern.log contains the MAC address that you want, and be careful about the syntax of the MAC:


sec_tech 02-20-2013 12:33 AM

I can grab the address, but it's my router's... and I'm using FORWARD vs. INPUT. So here is the scenario and why I posted in Security.
I have a multi-NIC Debian server at home. I am using it as a firewall, with iptables. eth0 on this server is my outside interface; eth1 is the internal network (router attached). The problem I am running into is that I'm only seeing the router MAC and the eth1/eth0 MACs. I need the originating request's MAC, i.e. my laptops/tablets/phones/desktops, etc. But those are all attached to my router, which is behind the FW. So is this possible? Should I use some packet inspection instead? I REALLY REALLY do not want to rely on Snort or Shorewall or some other software. Thanks!

wadhah102 02-20-2013 09:04 AM

When you use a router between the firewall and your clients (laptop/tablets/phones/desktops), you can see just the router's MAC... and this is a property of the Ethernet protocol HDLC, and also the router limits the collision domain.
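As an added illustration (my own example, not code posted by anyone in this thread), a small Python parser for netfilter LOG lines as they appear in kern.log; the sample lines, IPs and MAC values are constructed. It shows why an OUTPUT-chain line like the one in the first post has no MAC= field at all, and how the 14-byte MAC= field on eth1 lines splits into destination MAC, source MAC and EtherType, the "syntax" mentioned above, where the source MAC is the router's rather than the laptop's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample kern.log lines (not from the thread); addresses are made up.
# Line 1: OUTPUT chain, packet generated by the firewall itself -> no MAC= field.
# Line 2: FORWARD chain, frame received on eth1 from the LAN router.
# Line 3: INPUT chain on eth1, also from the router, with a custom --log-prefix.
SAMPLE_LOG = """\
Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765 DPT=53 LEN=61
Feb 20 00:01:05 my-debian kernel: [51000.100000] LAN-FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 20 00:01:06 my-debian kernel: [51000.200000] Source MAC ADDRES IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0
"""

# KEY=VALUE tokens; VALUE may be empty (IN= / OUT= are printed even when blank).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def split_mac_field(mac: str) -> Dict[str, str]:
    """MAC= is 14 bytes: 6 destination MAC, 6 source MAC, 2 EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field length {len(octets)}")
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),
    }

def source_mac(line: str) -> Optional[str]:
    """Source MAC of the received frame, or None when the line has no MAC=
    (locally generated packets logged in OUTPUT have no ingress frame)."""
    fields = parse_log_line(line)
    if "MAC" not in fields:
        return None
    return split_mac_field(fields["MAC"])["src_mac"]

def summarize(log: str) -> List[Tuple[str, str, Optional[str]]]:
    """One (IN, OUT, source MAC) tuple per line: only frames that arrived on
    eth1 carry a MAC, and it is the router's, not the end device's."""
    rows = []
    for line in log.splitlines():
        f = parse_log_line(line)
        rows.append((f.get("IN", ""), f.get("OUT", ""), source_mac(line)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```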

