From: Daniel Iliev <danny@ilievnet.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: iptables mac filtering
Date: Wed, 09 Aug 2006 22:16:15 +0300
Message-ID: <44DA347F.2080900@ilievnet.com>
In-Reply-To: <loom.20060809T191535-468@post.gmane.org>
James wrote:
> Hello,
>
> Continuing my quest for iptables enlightenment....I have a question
> about 'mac address' syntax. All options for mac and arp have been compiled
> into a gentoo-hardened kernel.
>
> I'm using variations of this syntax in my script.
>
> # Rule to only allow ssh by MAC address
> iptables -A INPUT -i eth0 -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx \
> --source-port 1024:65535 -d <ip.address> --dport 22 -j ACCEPT
>
> Where the mac address xx...xx is the system allowed in, via ssh
> and the ip.address is that of the destination (/24 based) host
> The rule works well when packets have to traverse
> a firewall/router as mac addresses do not get propagated (I think).
>
> However, when I use similar syntax to prevent a system on the same
> local (ethernet) segment from being able to ssh into a local system,
> it does prevent ssh access, as expected. Granted MAC addresses
> can be foiled, especially on the same segment, but how do I make this
> rule work?: On a local segment how would I modify the syntax so
> that only a select machine (maybe IP + MAC) could access a host,
> running iptables, via ssh?
>
> thoughts and ideas are most welcome.
>
> James
>
The rule you give in the example seems correct to me. I can imagine 2
reasons why it's not working for you.
First, this rule ends with "ACCEPT" - it allows, does not forbid, access.
The second reason is that there could be some other rules which take
precedence before a packet meets the rule in question and it obeys those
preceding rules.
--
Best regards,
Daniel
--
gentoo-user@gentoo.org mailing list
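The two points in the reply above (an ACCEPT-only rule forbids nothing, and earlier rules in INPUT take precedence) are easy to see in an ordered rule set. The script below is an added example, not code from the thread: it builds the "select machine (IP + MAC) may ssh in, everyone else is dropped" setup James asked about, using a dedicated chain inserted at the top of INPUT so no pre-existing rule can shadow it. The MAC, IP addresses and interface are constructed placeholders; `$IPT` can be set to `echo` to preview the commands without root or a running netfilter.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an ordered iptables rule
# set that lets one machine, identified by BOTH its IP and its MAC, reach sshd
# on this host and drops every other attempt on port 22.
# $IPT is the iptables binary; IPT=echo prints the commands instead of applying them.
IPT=${IPT:-iptables}

# Constructed placeholder values: replace with the real client and host.
ALLOWED_MAC=00:11:22:33:44:55
ALLOWED_IP=192.168.1.10
HOST_IP=192.168.1.1
IFACE=eth0

# Reject a malformed MAC up front so a typo fails here, not at apply time.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# ssh_rules: the corrected form, in the order the kernel will evaluate it.
#  1. a private chain SSH_IN holds the decision for port 22
#  2. ACCEPT only when source MAC AND source IP both match
#  3. DROP everything else that reached the chain (the missing "forbid" step)
#  4. the jump into SSH_IN is inserted at position 1 of INPUT, so no earlier,
#     broader ACCEPT in INPUT can take precedence over it
ssh_rules() {
    valid_mac "$ALLOWED_MAC" || { echo "bad MAC: $ALLOWED_MAC" >&2; return 1; }
    $IPT -N SSH_IN
    $IPT -A SSH_IN -m mac --mac-source "$ALLOWED_MAC" -s "$ALLOWED_IP" -j ACCEPT
    $IPT -A SSH_IN -j DROP
    $IPT -I INPUT 1 -i "$IFACE" -p tcp -d "$HOST_IP" --dport 22 -j SSH_IN
}

# ssh_rules_weak: the rule as posted, on its own. With INPUT's policy left at
# ACCEPT it changes nothing: packets from any other MAC simply do not match and
# fall through to the policy, which accepts them anyway.
ssh_rules_weak() {
    $IPT -A INPUT -i "$IFACE" -p tcp -m mac --mac-source "$ALLOWED_MAC" \
        --source-port 1024:65535 -d "$HOST_IP" --dport 22 -j ACCEPT
}

# count_drops: number of DROP verdicts in an emitted rule listing.
# A set with zero DROPs (like the weak one) blocks nobody.
count_drops() {
    printf '%s\n' "$1" | grep -c -- '-j DROP' || true
}

# Usage:  sh ssh_mac_rules.sh preview   (prints the rules, no root needed)
#         sh ssh_mac_rules.sh apply     (applies them, as root)
case "${1:-}" in
    preview) IPT=echo; ssh_rules ;;
    apply)   ssh_rules ;;
esac
```

Matching on IP and MAC together, as James suggests, only narrows the match: both fields are chosen by the sending host, so on the same segment this is access control by convenience, not authentication of the client; sshd's own key checks still do that job.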
Thread overview (7+ messages):
2006-08-09 18:54 [gentoo-user] OT: iptables mac filtering - James
2006-08-09 19:16 Re: - Daniel Iliev [this message]
2006-08-09 19:43 Re: - Hans-Werner Hilse
2006-08-11 7:24 Re: - Richard Fish
2006-08-11 21:39 Re: - James
2006-08-11 22:20 Re: - Richard Fish
2006-08-12 2:02 Re: - James