From: Hans-Werner Hilse
To: gentoo-user@lists.gentoo.org
Date: Wed, 9 Aug 2006 21:43:53 +0200
Subject: Re: [gentoo-user] OT: iptables mac filtering
Message-Id: <20060809214353.5787529e.hilse@web.de>

Hi,

On Wed, 9 Aug 2006 18:54:45 +0000 (UTC) James wrote:

> Where the mac address xx...xx is the system allowed in, via ssh
> and the ip.address is that of the destination (/24 based) host
> The rule works well when packets have to traverse
> a firewall/router as mac addresses do not get propagated (I think).

No, of course not. The incoming packet will have the MAC of the router instead. Only ethernet frames carry a MAC, so there's no MAC in IP tunnels either.

> However, when I use similar syntax to prevent a system on the same
> local (ethernet) segment from being able to ssh into a local system,
> it does prevent ssh access, as expected. Granted MAC addresses
> can be foiled, especially on the same segment, but how do I make this
> rule work?: On a local segment how would I modify the syntax so
> that only a select machine (maybe IP + MAC) could access a host,
> running iptables, via ssh?

Hm, by adding "-s "? And of course, you need to change INPUT's policy to REJECT or DROP, using iptables -P INPUT DROP. Note that you probably want some rules allowing traffic local on that machine, so also allow packets coming from "lo".

But you already mentioned it: There's not much point in blocking access this way since MAC addresses can as well be spoofed as IP addresses. Are you suffering from DOS attacks on your SSH server?

-hwh
-- 
gentoo-user@gentoo.org mailing list
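A rule set for the IP + MAC allow-list the reply sketches, as an added example that is not part of this thread (interface eth0, peer 192.0.2.10 and MAC 00:11:22:33:44:55 are assumed placeholders; set IPT to "echo iptables" to print the rules instead of applying them):

```shell
#!/bin/sh
# Added example, not from the thread: restrict SSH on a LAN-facing host to
# one peer matched on BOTH source IP and source MAC, allow loopback and
# already-established traffic, log rejected new SSH connections, and only
# then set the INPUT policy to DROP. Placeholders (assumed): eth0,
# 192.0.2.10, 00:11:22:33:44:55. As the reply notes, both values can be
# spoofed by a host on the same segment.

IPT="${IPT:-iptables}"

# The mac match expects colon-separated hex; reject anything else up front
# so a typo does not silently produce a rule that matches nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rules in apply order: accepts first, the DROP policy last, so an
# existing session over the LAN is not cut while the script is still running.
ssh_allowlist_rules() {
    iface="$1"; peer_ip="$2"; peer_mac="$3"
    valid_mac "$peer_mac" || { echo "invalid MAC: $peer_mac" >&2; return 1; }
    cat <<EOF
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $iface -p tcp --dport 22 -s $peer_ip -m mac --mac-source $peer_mac -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "ssh-denied: "
$IPT -P INPUT DROP
EOF
}

# Feed the generated rules to a shell; with IPT="echo iptables" this only
# prints them, otherwise it needs root.
apply_ssh_allowlist() {
    ssh_allowlist_rules "$@" | sh
}

# Uncomment to apply for real:
# apply_ssh_allowlist eth0 192.0.2.10 00:11:22:33:44:55
```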