LinuxQuestions.org

Linux - Security: iptables mac FORWARD (https://www.linuxquestions.org/questions/linux-security-4/iptables-mac-forward-331813/)

Ipolit 06-09-2005 06:05 AM

iptables mac FORWARD
 
I posted my question in Slackware section but unfortunately no one could help me.
I have a small network connected to internet and I want my router to forward only packages sent from computers with listed mac addresses.
so I put this:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT
and the same for the others, but it's not forwarding anything.
I put in this and the addresses of both router netcards - nothing.
If I change to

iptables -P FORWARD ACCEPT
iptables -A FORWARD -m mac --mac-source 00:50:8B:AE:9D: D1 -j DROP
the packages from this computer are not forwarded.

where is the mistake?

Capt_Caveman 06-09-2005 07:20 AM

First, is the system with that MAC address within one hop, so that you can actually see its MAC when you fire up tcpdump?

Second, are there any other rules before that one that may be interfering? It would probably help if you posted your entire firewall script. Make sure to remove any public IPs.

Ipolit 06-09-2005 07:54 AM

one HOP - LAN
no firewall -just this, all other rules - ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
that's all
the ipt_mac module loads

Ipolit 06-09-2005 08:03 AM

The router is connected to the ISP via cable modem, and the modem is connected to the router through a network card with a static IP. Don't you think the router is not forwarding packages from the modem to my network?
Maybe I have to use state or something?

Ipolit 06-09-2005 09:13 AM

I added this and it works
iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT
Do you think it's enough?

Capt_Caveman 06-09-2005 05:14 PM

I believe so. I think the problem has to do with the reply packets getting back through. The initial outgoing packets were forwarded because they had that mac as the source. However, the reply packets would have different source and dst mac addresses and wouldn't match that rule and consequently hit the DROP policy.

It's usually a good idea to accept the ESTABLISHED *AND* RELATED states, so that things like ICMP port unreachable messages can get back through too. So your rule would look like:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT

It's also a good idea to specify which interfaces should be receiving traffic with that source MAC. It's possible for someone to spoof that MAC on the external interface which would allow access to your LAN. It's pretty unlikely, but it's still a good idea to include the LAN interface in the rule with the MAC address:
iptables -A FORWARD -i <internal_interface> -m mac --mac-source 00:50:8B:AE:9D: D1 -j ACCEPT

where <internal_interface> is usually eth1 (check ifconfig output).
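Putting the two suggestions above together, here is an added example (not a script from the thread or from any of its posters) that emits the complete FORWARD ruleset as text so it can be reviewed before being applied as root. The interface names eth0/eth1 and the second MAC address are assumed; the first MAC is the one from the thread with the stray space removed.

```shell
#!/bin/sh
# Added example: MAC-gated forwarding with a DROP policy, a RELATED/ESTABLISHED
# rule for reply traffic, and the LAN interface pinned on each MAC rule.
# Interface names and the second MAC are assumptions for this example.

WAN_IF="${WAN_IF:-eth1}"   # interface towards the cable modem (assumed)
LAN_IF="${LAN_IF:-eth0}"   # interface towards the LAN (assumed)
# Constructed allow-list: first MAC is from the thread, second is a placeholder.
ALLOWED_MACS="00:50:8B:AE:9D:D1 00:11:22:33:44:55"

# Sanity check for a MAC string: six colon-separated hex pairs, no whitespace.
# The forum's smiley rendering inserted a space into ":D1"; this rejects that.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables commands for the given LAN interface, WAN interface and
# list of permitted MACs. Nothing is applied here; pipe the output to sh as
# root once it looks right.
build_forward_rules() {
    lan_if="$1"; wan_if="$2"; shift 2
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Replies carry the gateway's own MAC as source and would otherwise hit the
    # DROP policy; RELATED also lets ICMP errors for accepted flows through.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections are only accepted from listed MACs arriving on the LAN
    # interface, so the same MAC seen on the WAN side never matches.
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "# skipped malformed MAC: $mac" >&2
            continue
        fi
        echo "iptables -A FORWARD -i $lan_if -m mac --mac-source $mac -m state --state NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"
}

# Number of per-MAC ACCEPT rules the generated ruleset contains.
count_mac_rules() {
    build_forward_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS | grep -c -- '--mac-source'
}

# Default action is to print the ruleset; "apply" feeds it to sh.
case "${1:-show}" in
    apply) build_forward_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS | sh ;;
    *)     build_forward_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS ;;
esac
```

Run it without arguments to see the rules, then `sh script.sh apply` as root once the interface names match `ifconfig` output. Putting the ESTABLISHED,RELATED rule before the MAC rules matters: it handles every reply packet, so the per-MAC rules only ever need to decide about new connections from the LAN side.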

michaelsanford 06-12-2005 01:39 PM

You have a space in your MAC address:
--mac-source 00:50:8B:AE:9D: D1

Ipolit 06-12-2005 03:56 PM

I know, but it shows an emoticon: :D1

win32sux 06-12-2005 04:09 PM

LOL... yeah... well, for what it's worth, when you post there's an option below to "Disable Smilies in This Post" for these kinda situations... look:

:D

(see? no smiley! hehe...)