From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] OT: iptables mac filtering
Date: Wed, 9 Aug 2006 18:54:45 +0000 (UTC)
List-Id: Gentoo Linux mail

Hello,

Continuing my quest for iptables enlightenment.... I have a question about 'mac address' syntax. All options for mac and arp have been compiled into a gentoo-hardened kernel. I'm using variations of this syntax in my script.

# Rule to only allow ssh by MAC address
iptables -A INPUT -i eth0 -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx \
    --source-port 1024:65535 -d <ip.address> --dport 22 -j ACCEPT

Where the mac address xx...xx is the system allowed in, via ssh, and the ip.address is that of the destination (/24 based) host.

The rule works well when packets have to traverse a firewall/router as mac addresses do not get propagated (I think). However, when I use similar syntax to prevent a system on the same local (ethernet) segment from being able to ssh into a local system, it does prevent ssh access, as expected. Granted MAC addresses can be foiled, especially on the same segment, but how do I make this rule work?

On a local segment how would I modify the syntax so that only a select machine (maybe IP + MAC) could access a host, running iptables, via ssh?

Thoughts and ideas are most welcome.

James
-- 
gentoo-user@gentoo.org mailing list
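As an added example (not code from the original post or from the list), a small POSIX sh script that does what the question asks: it admits SSH on one interface only from a host whose IPv4 source AND Ethernet source MAC both match, then drops every other packet to port 22; the interface and addresses are constructed placeholders. Keep in mind that `-m mac` compares the Ethernet source of the last hop, so a MAC rule can only distinguish hosts on the same segment, while packets that crossed a router all carry the router's MAC.

```shell
#!/bin/sh
# Added example, not code from the original post.  Restricts inbound SSH on
# one interface to a single host that must match BOTH an IPv4 address and an
# Ethernet source MAC.  The mac match only sees the last-hop Ethernet
# address, so it is meaningful for hosts on the same segment; traffic that
# crossed a router carries the router's MAC.  All addresses used with these
# functions are constructed placeholders, not values from the post.
#
# Set IPTABLES=echo to print the rules instead of loading them (needs root).
IPTABLES=${IPTABLES:-iptables}

# valid_mac MAC: 0 if MAC is six colon-separated hex pairs, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ipv4 IP: 0 for a dotted quad with every octet in 0-255, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# ssh_allow_host IFACE IP MAC: append the allow rule and then the catch-all
# drop.  Order matters: iptables evaluates rules in sequence, so the ACCEPT
# must be appended before the DROP for the same port.
ssh_allow_host() {
    iface=$1 ip=$2 mac=$3
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    valid_mac "$mac"  || { echo "bad MAC address: $mac" >&2; return 1; }
    # Only packets whose IP source AND Ethernet source both match get in.
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport 22 -s "$ip" \
        -m mac --mac-source "$mac" -j ACCEPT
    # Everything else aimed at port 22 on this interface is dropped, including
    # the right IP from the wrong MAC and the right MAC from the wrong IP.
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport 22 -j DROP
}

# Usage with constructed placeholder addresses (dry run, prints two rules):
# IPTABLES=echo ssh_allow_host eth0 192.0.2.10 00:11:22:33:44:55
```

Because a spoofed IP plus a spoofed MAC on the same segment still passes, this narrows who can reach sshd but does not replace key-based authentication on the SSH daemon itself.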