RE: transparent tcp proxy

On Mon, 2003-05-26 at 04:45, Michael Stilmant wrote:
> On Sat, 2003-05-24 at 04:05, George Vieira wrote:
> > Hmm. I don't think bridging copies the packet's MAC address over; it just copies the packet data with its source and destination IPs.
> > 
> > Can I ask what the mac address is used for, or needed for? Is it for some authenticity reasons?
> 
> No, I don't need to use the MAC address. And actually my 
> iptables filter works pretty well. But, with this, 
> the MAC address of the source host changes for each connection.
> 
> 
>                      10.0.0.225
>                      +--------+
>                      |   B    |
>    +-----+           |        |          +-----+
>    |  A  +-----------[ebtables]----------|  C  |
>    +-----+           +--------+          +-----+
>    10.0.0.3                             10.0.0.32     
> 
> 
> Reminder:
> when C sends an unfiltered packet to A, A sees C's MAC address with IP
> 10.0.0.32. When B sends a filtered TCP/IP packet to A with IP address 
> 10.0.0.32, A sees B's MAC address. This works, but it's not acceptable:
> A's MAC-IP association table will change all the time. 
> 
> 
> Michael
> 

You'd need to handle this outside of iptables/ebtables, but it could be 
done.  If the MAC of C were static (i.e. only one machine there), then 
this is pretty trivial.

If there are potentially several machines represented by 'C', then you'd 
have to have a script or program that periodically checks the MAC on  
traffic coming from C.  If you log a packet from C to A and examine the 
log entry, it includes the MAC for C...

May 27 02:09:20 janus kernel: IPT:Unhandled input from LAN:IN=eth1 OUT= MAC=00:02:e3:11:c2:47:00:10:7a:4e:10:3b:08:00 SRC=192.168.0.17 DST=192.168.1.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9744 SEQ=0

In the above log entry the "00:02:e3:11:c2:47" is the MAC of the local
ethernet interface on the machine that logged this, my home gateway/
firewall.  "00:10:7a:4e:10:3b" is the MAC of the wireless compactflash 
card in my Zaurus.  The packet traversed a Netgear wireless AP/Router
between the two points.

You could construct a script to be run periodically by cron that would
insert a LOG rule with a distinct --log-prefix, then monitor the rule
listing (iptables -v -n -L FORWARD | grep SRC=a.b.c.d | grep "prefix")
and wait for the packet count to rise above 0, then delete the log
rule, grep the log entry itself and extract the MAC from it.

The problem I foresee you having is that you will need to bring the
interface down (IIRC) to change the MAC... bridge and all...

j
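The cron-driven probe described in the reply above, written out as an added example; it is not part of the original post. It assumes a LOG rule with --log-prefix "MACPROBE:" and that syslog writes kernel messages to the file passed in (both the prefix and the file are assumptions). It relies on the layout of the LOG target's MAC= field seen in the log entry above: destination MAC, then source MAC, then the ethertype (08:00 for IPv4), which is why the sender's address is the second six bytes. The iptables steps need root and a live kernel, so they are defined but not run; only the log parsing runs, on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original post): learn the source MAC behind
# an IP from a netfilter LOG entry, following the cron/LOG-rule procedure
# described in the reply.  Assumptions: the LOG rule uses
# --log-prefix "MACPROBE:" and kernel messages land in the file passed in.

# The LOG target prints MAC= as <dst mac>:<src mac>:<ethertype>, i.e. 14
# colon-separated bytes, so the sender's MAC is bytes 7..12.  Lines without
# a 14-byte MAC field (no Ethernet header, e.g. a ppp interface) yield nothing.
src_mac_from_log() {  # $1: one kernel LOG line
    printf '%s\n' "$1" | awk '{
        mac = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^MAC=/) mac = substr($i, 5)
        if (split(mac, b, ":") == 14)
            printf "%s:%s:%s:%s:%s:%s\n", b[7], b[8], b[9], b[10], b[11], b[12]
    }'
}

# Most recent MAC seen for a source IP among prefixed lines in a log file.
# The trailing space after the IP keeps 10.0.0.3 from matching 10.0.0.32.
mac_for_ip() {  # $1: log file, $2: log prefix, $3: source IP
    line=$(grep -F -- "$2" "$1" | grep -F -- "SRC=$3 " | tail -n 1)
    if [ -n "$line" ]; then
        src_mac_from_log "$line"
    fi
}

# The probe itself: insert a LOG rule for the IP, poll its packet counter
# (-x prints exact counts; columns are pkts bytes target prot opt in out
# source destination) until it moves or the timeout expires, remove the
# rule, then read the MAC from the log.  Needs root and a live iptables,
# so it is defined here but not invoked.
probe_mac() {  # $1: source IP, $2: log file, $3: log prefix, $4: timeout (s)
    iptables -I FORWARD -s "$1" -j LOG --log-prefix "$3 " || return 1
    waited=0
    while [ "$waited" -lt "$4" ]; do
        pkts=$(iptables -x -v -n -L FORWARD | awk -v ip="$1" -v p="$3" \
            '$3 == "LOG" && index($8, ip) == 1 && index($0, p) > 0 { print $1; exit }')
        [ "${pkts:-0}" -gt 0 ] && break
        sleep 1
        waited=$((waited + 1))
    done
    iptables -D FORWARD -s "$1" -j LOG --log-prefix "$3 "
    mac_for_ip "$2" "$3" "$1"
}

# Constructed sample lines in the LOG format shown in the reply; all MACs
# are made up.  Line 3 comes from a ppp interface and carries no MAC= field.
SAMPLE_LINE1='May 27 02:10:01 janus kernel: MACPROBE: IN=eth0 OUT=eth1 MAC=00:50:56:aa:bb:01:00:0a:0b:0c:0d:0e:08:00 SRC=10.0.0.32 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=34567 DPT=80 SYN URGP=0'
SAMPLE_LINE2='May 27 02:10:02 janus kernel: MACPROBE: IN=eth0 OUT=eth1 MAC=00:50:56:aa:bb:01:00:0a:0b:0c:0d:0f:08:00 SRC=10.0.0.33 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=34568 DPT=80 SYN URGP=0'
SAMPLE_LINE3='May 27 02:10:03 janus kernel: MACPROBE: IN=ppp0 OUT=eth1 SRC=10.0.0.40 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=34569 DPT=80 SYN URGP=0'

# Stand-alone demo on the constructed lines.
demo_log=$(mktemp)
printf '%s\n%s\n%s\n' "$SAMPLE_LINE1" "$SAMPLE_LINE2" "$SAMPLE_LINE3" > "$demo_log"
mac_for_ip "$demo_log" MACPROBE: 10.0.0.32   # prints 00:0a:0b:0c:0d:0e
rm -f "$demo_log"
```

The MAC learned this way is whatever the sender put on the wire, so it identifies the last hop toward B, not a trusted host: on the topology in the thread that is C itself, but behind another bridge or access point (as with the Zaurus example above) it would be that device's address.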
