Re: Filtering on MAC with iptables

** Reply to message from "Steven J. Yellin" <yellin SLAC Stanford EDU> on Tue, 07 Jan 2003 14:16:33 -0800 (PST)

> In order to give the vermin trying to break into my computer a slight
> additional handicap, I want to allow ssh access only from certain places.  
> That's easy with computers whose IP's are fixed, but some people with
> legitimate reason to log on have computers that get various IP numbers via
> DHCP.  Possible cure(?): the iptables man page claims one may filter on
> the source MAC address.  But that didn't seem to work on a RH7.2 system
> with iptables-1.2.5-3 and kernel-smp-2.4.9-21 rpms.  The firewall blocked
> IP's whose MAC was supposed to be accepted, and even just logging all
> packets from a particular MAC didn't log anything when the corresponding
> machine sent packets.  Is the source MAC address normally the hardware
> ethernet card address of the same card as has the source IP, or is it
> something else, like the MAC address of the last router to handle the
> packet on its way across the internet? 

Bingo with the last sentence. Thus, iptables -m --mac-source only works within a particular subnet.
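As an added illustration, not code from this thread: a small POSIX shell helper that emits the iptables rules for the approach discussed above, pinning the `--mac-source` match to the LAN interface and subnet because, off-subnet, the MAC iptables sees is the last router's. The interface name, subnet and MAC are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that allow new
# ssh connections only from a given MAC, but only where a MAC match can
# mean anything: on the LAN interface, from the local subnet. Frames that
# crossed a router carry that router's MAC, so a MAC-only rule silently
# fails for remote users. Interface, subnet and MAC below are assumed.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Basic sanity check on the MAC format before emitting anything.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# The rule the original poster tried, for comparison: it matches nothing
# for packets that arrived via a router, because --mac-source is compared
# against the previous hop's MAC, not the remote host's card.
ssh_mac_rule_naive() {
    echo "iptables -A INPUT -p tcp --dport 22 -m mac --mac-source $1 -j ACCEPT"
}

# Rules are printed, not executed, so they can be reviewed first;
# apply as root with:  ssh_mac_rules 00:11:22:33:44:55 | sh
ssh_mac_rules() {
    mac="$1"
    valid_mac "$mac" || { echo "ssh_mac_rules: bad MAC '$mac'" >&2; return 1; }
    cat <<EOF
# Accept new ssh sessions from $mac, only on $LAN_IF and from $LAN_NET
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -m mac --mac-source $mac -j ACCEPT
# Log, then drop, every other new ssh attempt (rate-limited to keep logs readable)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
EOF
}
```

For people who reach the box through a router, the MAC rule never fires and their attempts land in the "ssh-denied" log line, which is the quickest way to confirm the behaviour described in the reply.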


