11-18-2005, 01:10 PM   #1
LQ Newbie
Registered: Nov 2005
Posts: 2
IPTABLES rules with mac address?


I'm setting up a firewall with iptables. The firewall
1. must block the MSN service, but
2. allow the Hotmail service, and also
3. must be able to allow some users to use MSN.

The first thing I've done is set up the following rules:

$iptables -t mangle -A PREROUTING -p tcp --dport 1863 -j DROP
while read messenger; do
iptables -t mangle -A PREROUTING -d $messenger -j DROP
done < /etc/list-of-msn-servers

This works, but it also blocks the Hotmail service. Any suggestions about what I can do?

The third thing I was thinking of solving with MAC addresses. The firewall is also a DHCP server, so in my LAN I don't have fixed IP addresses. I found something that allows some users to use the MSN service, but it is based on IPs. Can someone help me translate those rules to work with MAC addresses?

/sbin/iptables -A FORWARD -s dir.ip.del.usuario/32 -d 0/0 -p tcp --dport 1863 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -d dir.ip.del.usuario/32 -p tcp --sport 1863 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s dir.ip.del.usuario/32 -d 0/0 -p tcp --dport 1863 -j MASQUERADE

I defined those rules in the following way, but it seems to be wrong:

/sbin/iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -d 0/0 -p tcp --dport 1863 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -m mac --mac-source 00:00:00:00:00:00 -p tcp --sport 1863 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -m mac --mac-source 00:00:00:00:00:00 -d 0/0 -p tcp --dport 1863 -j MASQUERADE

where 00:00:00:00:00:00 is the MAC address of the user I want to allow to use the MSN service.
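A rule set that does what the first post asks, as an added example (not from the thread): per-MAC exceptions in FORWARD, replies admitted by connection state rather than by --mac-source, and the server-list drop narrowed so Hotmail's web traffic survives. Interface names, file paths and the MSN chain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: clients on $LAN_IF, the
# Internet on $WAN_IF, MSN servers in $MSN_SERVERS and permitted client MACs in
# $ALLOWED_MACS (one per line, '#' comments allowed). Set IPTABLES="echo iptables"
# to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
MSN_SERVERS="${MSN_SERVERS:-/etc/list-of-msn-servers}"
ALLOWED_MACS="${ALLOWED_MACS:-/etc/msn-allowed-macs}"

# MSN rules live in their own chain, hooked into FORWARD for LAN traffic only.
setup_chain() {
    $IPTABLES -N MSN 2>/dev/null || true
    $IPTABLES -F MSN
    $IPTABLES -D FORWARD -i "$LAN_IF" -j MSN 2>/dev/null || true
    $IPTABLES -I FORWARD -i "$LAN_IF" -j MSN
}

# --mac-source matches the client's MAC only on packets entering from the LAN
# (replies carry the upstream router's MAC), so a listed client just leaves the
# chain early; its reply traffic is covered by the ESTABLISHED rule below.
allow_mac() {
    $IPTABLES -A MSN -m mac --mac-source "$1" -j RETURN
}

block_msn() {
    $IPTABLES -A MSN -p tcp --dport 1863 -j DROP
    # Dropping all traffic to the server list is what broke Hotmail: leave the
    # web ports open to those hosts and drop everything else.
    while read -r server; do
        case "$server" in ''|'#'*) continue ;; esac
        $IPTABLES -A MSN -d "$server" -p tcp -m multiport ! --dports 80,443 -j DROP
    done < "$MSN_SERVERS"
}

apply_all() {
    setup_chain
    $IPTABLES -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    while read -r mac; do
        case "$mac" in ''|'#'*) continue ;; esac
        allow_mac "$mac"
    done < "$ALLOWED_MACS"
    block_msn
    # The mac match is not valid in nat/POSTROUTING, so MASQUERADE is unconditional
    # and the per-user exception lives in FORWARD instead.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it as `sh msn-rules.sh apply` on the gateway; without the argument it only defines the functions, and with `IPTABLES="echo iptables"` it prints the rules for review.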

12-09-2005, 09:00 PM   #2
LQ Newbie
Registered: Nov 2004
Distribution: Suse 9.2
Posts: 18
--mac-source working for U?

Hello - I'm attempting to do the exact iptables operation, with no success so far. Have you determined a solution for this operation?

Thanks, Mikfig
12-10-2005, 01:35 AM   #3
Registered: Dec 2005
Location: karachi
Distribution: RedHat
Posts: 75
Hello - can I MASQUERADE all ports for a defined MAC? I did it by IP; tell me how to do this with a MAC.

/sbin/iptables -t nat -A POSTROUTING -s -o $EXTDEV -j MASQUERADE

Is this the correct statement to MASQUERADE with a MAC?
/sbin/iptables -t nat -A POSTROUTING -m mac --mac-source 00:00:00:00:00:00 -o $EXTDEV -j MASQUERADE
12-11-2005, 10:23 PM   #4
Registered: Nov 2002
Distribution: Slackware
Posts: 155
You should look at the layer7 filter, or set up a proxy server such as Squid. This will allow you to block MSN traffic and do other application-level filtering on a per-IP basis.

You can configure it on a bridge device so it will be transparent to your network as well.
