
firewall rules based on mac address


Thomas B

Apr 17, 2003, 8:23:33 PM
I know I can use iptables to implement a firewall on Linux.
However, iptables blocks traffic based on the source
and destination IP address.

Can I use the mac address instead?

Thanks.

asadchev

Apr 18, 2003, 12:54:21 AM
Thus spake bole...@yahoo.com (Thomas B):

man iptables

MATCH EXTENSIONS
iptables can use extended packet matching modules. These
are loaded in two ways: implicitly, when -p or --protocol
is specified, or with the -m or --match options, followed
by the matching module name; after these, various extra
command line options become available, depending on the
specific module. You can specify multiple extended match
modules in one line, and you can use the -h or --help
options after the module has been specified to receive
help specific to that module.

The following are included in the base package, and most
of these can be preceded by a ! to invert the sense of
the match.

blah blah blah

mac
--mac-source [!] address
Match source MAC address. It must be of the form
XX:XX:XX:XX:XX:XX. Note that this only makes sense
for packets coming from an Ethernet device and
entering the PREROUTING, FORWARD or INPUT chains.


--
32 Kbits Mono.
http://inix.ath.cx:8000/grob-radio Panki Xoy!!!
http://inix.ath.cx:8000/kino-radio Kino.
http://inix.ath.cx:9000 - Keep rusrock classics alive.

Jim Chisholm

Apr 24, 2003, 6:44:32 PM
asadchev wrote:
> Thus spake bole...@yahoo.com (Thomas B):
>
> man iptables
>
> MATCH EXTENSIONS
> iptables can use extended packet matching modules. These
> are loaded in two ways: implicitly, when -p or --protocol
> is specified, or with the -m or --match options, followed
> by the matching module name; after these, various extra
> command line options become available, depending on the
> specific module. You can specify multiple extended match
> modules in one line, and you can use the -h or --help
> options after the module has been specified to receive
> help specific to that module.
>
> The following are included in the base package, and most
> of these can be preceded by a ! to invert the sense of
> the match.
>
> blah blah blah
>
> mac
> --mac-source [!] address
> Match source MAC address. It must be of the form
> XX:XX:XX:XX:XX:XX. Note that this only makes sense
> for packets coming from an Ethernet device and
> entering the PREROUTING, FORWARD or INPUT chains.
>
Also be aware that this will work fine for MAC addresses on your local
network, but anything coming in from "outside" will be assigned the MAC
address of your router, and it can be downright embarrassing to drop your
router's address thinking that it's some intruder!

Jim

--

=======================================================
Jim Chisholm <J...@Electron.Phys.Dal.Ca>
Dalhousie University, Dept. Physics Halifax N.S. Canada
Halifax Regional Fire and Emergency Service
Deputy Chief, Bay Road Station 59
=======================================================
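The two replies above (the -m mac --mac-source match quoted from the man page, and the warning that every packet arriving from outside carries the upstream router's MAC) can be put together in one rule set. The script below is an added example, not code from either poster or from the iptables project. It assumes a LAN interface named eth1, a protected service on TCP port 22, and two invented MAC addresses; all three are assumptions for the example. It emits an iptables-restore fragment rather than running iptables directly, so it can be reviewed before loading and runs on a machine without iptables installed. Every rule is pinned to the LAN interface with -i, so the WAN side, where the source MAC is always the router's, is never matched.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Generates iptables rules that allow one TCP service from an allowlist of
# source MAC addresses on the LAN interface only.
# Assumptions (not in the thread): LAN interface "eth1", service TCP/22,
# and the MAC addresses below, which are constructed for this example.

LAN_IF="eth1"        # the only interface on which source MACs identify hosts
SERVICE_PORT="22"

# Constructed sample allowlist: these MAC addresses are invented.
ALLOWED_MACS="00:11:22:33:44:55 aa:bb:cc:dd:ee:ff"

# valid_mac MAC -> exit 0 if MAC has the XX:XX:XX:XX:XX:XX form the man page
# requires (hex digits, colon separated, case-insensitive); exit 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rules LAN_IF PORT MAC... -> prints an iptables-restore fragment.
# One ACCEPT per allowlisted MAC, then a DROP for everything else hitting the
# service on the LAN interface. Malformed MACs are reported on stderr and
# skipped rather than silently producing a rule iptables would reject.
# Built-in chain policies are not touched, so the fragment can be loaded
# with "iptables-restore --noflush" without disturbing other rules.
build_rules() {
    lan_if="$1"
    port="$2"
    shift 2
    printf '%s\n' '*filter'
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            printf 'skipping malformed MAC: %s\n' "$mac" >&2
            continue
        fi
        # -i pins the match to the LAN side; on the WAN side the source MAC
        # would be the router's, and dropping that would cut off all traffic.
        printf '%s\n' "-A INPUT -i $lan_if -p tcp --dport $port -m mac --mac-source $mac -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $lan_if -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# count_accept_rules LAN_IF PORT MAC... -> number of ACCEPT rules that would
# be loaded, i.e. the number of well-formed MACs in the allowlist.
count_accept_rules() {
    build_rules "$@" | grep -c -- '-j ACCEPT'
}

# Print the rule set for review. To load it on a real host:
#   build_rules "$LAN_IF" "$SERVICE_PORT" $ALLOWED_MACS | iptables-restore --noflush
build_rules "$LAN_IF" "$SERVICE_PORT" $ALLOWED_MACS
```

Two practical notes. First, the DROP line only covers the service port on the LAN interface; widen it deliberately rather than adding a blanket DROP, since the mac match says nothing about packets that did not arrive over Ethernet. Second, a source MAC is set by the sending host and can be changed with one command, so this is access control by convenience, not authentication; treat it as a way to keep accidental traffic out, not as a substitute for IP-level rules and service-level authentication.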

