Hello,

Maybe try to block broadcast to the "blocked" client: "-m pkttype --pkttype broadcast ...". I use it and this works fine...

----- Original Message -----
From: "Håkan Engblom" <cynic_0@xxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Sunday, January 11, 2004 12:20 AM
Subject: source-mac filtering

> Hi,
>
> I've run into a strange problem. I have a dhcp-server on a 2.4.22 kernel
> with a 1.2.8 iptables. The dhcp-server is configured only to offer
> IP-addresses to one single mac-address (it is a single host on a private
> network).
>
> However I'd like to block all other mac-addresses on this interface since I
> plan to have a W-LAN here as well (to prevent attackers from using
> potential exploits in the dhcp-server).
>
> The mac-filter works fine for http, telnet, ssh and so on; I can see the
> drop-counter increasing and no traffic is let through (when I change the
> mac-address in the iptables-config to something else than what I have on my
> "dhcp-client-host"). BUT the dhcp-server keeps sending offers and ACKs
> even though the incoming discover/request is blocked by iptables.
>
> What makes this even more strange is that the "DROP-counters" when using
> "iptables -L -v" increase, and at the same time the dhcp server responds to
> the requests.
>
> I'm using Internet Software Consortium DHCP Server V3.0.1rc11
>
> The machine has only one physical interface with two IPs, one private and
> one public. The IP-address offered by the dhcp-server is private (as
> seen below).
>
> Does anyone have a clue?
>
> br Håkan Engblom
>
> Some "logs":
>
> 00:30:88:00:63:10 is my DSL-connection (having two accepted packets during
> this test)
>
> X.X.X.X is my public IP.
>
> (This is not the complete iptables, but it is the interesting part for this
> matter)
>
> 00:08:29.540872 0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xae749e48
> 00:08:29.541303 X.X.X.X -> 10.0.0.217 DHCP DHCP Offer - Transaction ID 0xae749e48
> 00:08:29.542117 0.0.0.0 -> 255.255.255.255 DHCP DHCP Request - Transaction ID 0xae749e48
> 00:08:29.542299 X.X.X.X -> 10.0.0.217 DHCP DHCP ACK - Transaction ID 0xae749e48
>
> # date
> Sun Jan 11 00:08:08 CET 2004
> # iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot  opt in     out     source          destination
>     0     0 mactable   all   --  eth0   any     anywhere        anywhere
>     0     0 ACCEPT     all   --  lo     any     anywhere        anywhere
>     0     0 DROP      !icmp  --  any    any     anywhere        anywhere        state INVALID
>     0     0 eth0_in    all   --  eth0   any    !10.0.0.0/24     anywhere
>     0     0 eth0_1_in  all   --  eth0   any     anywhere        anywhere
>     0     0 common     all   --  any    any     anywhere        anywhere
>
> Chain mactable (2 references)
>  pkts bytes target     prot  opt in     out     source          destination
>     0     0 ACCEPT     all   --  any    any     anywhere        anywhere        MAC 01:01:01:01:01:01
>     0     0 RETURN     all   --  any    any     anywhere        anywhere        MAC 00:30:88:00:63:10
>     0     0 RETURN     all   --  any    any     anywhere        anywhere        MAC 00:90:D0:AF:A3:F1
>     0     0 LOG        all   --  any    any     anywhere        anywhere        LOG level info prefix `Shorewall:mac:DROP:'
>     0     0 DROP       all   --  any    any     anywhere        anywhere
>
> # date
> Sun Jan 11 00:08:36 CET 2004
> # iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot  opt in     out     source          destination
>     4   948 mactable   all   --  eth0   any     anywhere        anywhere
>     0     0 ACCEPT     all   --  lo     any     anywhere        anywhere
>     0     0 DROP      !icmp  --  any    any     anywhere        anywhere        state INVALID
>     2   288 eth0_in    all   --  eth0   any    !10.0.0.0/24     anywhere
>     0     0 eth0_1_in  all   --  eth0   any     anywhere        anywhere
>     0     0 common     all   --  any    any     anywhere        anywhere
>
> Chain mactable (2 references)
>  pkts bytes target     prot  opt in     out     source          destination
>     0     0 ACCEPT     all   --  any    any     anywhere        anywhere        MAC 01:01:01:01:01:01
>     2   288 RETURN     all   --  any    any     anywhere        anywhere        MAC 00:30:88:00:63:10
>     0     0 RETURN     all   --  any    any     anywhere        anywhere        MAC 00:90:D0:AF:A3:F1
>     2   660 LOG        all   --  any    any     anywhere        anywhere        LOG level info prefix `Shorewall:mac:DROP:'
>     2   660 DROP       all   --  any    any     anywhere        anywhere
> #