Re: Filtering on MAC Addresses

Jörg Harmuth wrote:

Hmm, all I can say is that filtering based on MAC address works. Don't
worry about the MAC iptables uses, that's normal:

00:09:5b:1b:52:77 is the MAC of the incoming interface
00:10:5a:14:50:db is the MAC of the sending interface
08:00 is the transport protocol (IP)

That's what I thought it was all about, however it is not matching the sending MAC address.


Feb 4 13:53:00 polaris IN=eth0 OUT= MAC=00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 SRC=192.168.1.14 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=17305 DF PROTO=TCP SPT=1085 DPT=22 WINDOW=65067 RES=0x00 ACK PSH URGP=0

It gets blocked here, seemingly ignoring the rule.



Looking at your rule I have two ideas. Seems that the rule is placed in a chain you created, so maybe you simply forgot to call the chain from the INPUT (or PREROUTING or FORWARD) chain.

It is called from both the input chain and forward chains.

Or maybe there is a
rule that the packet hits before the MAC rule. You can test if it
works basically like so:

It is the first rule in the chain.


iptables -I INPUT 1 -i $IFACE -m mac --mac-source 00:10:5a:14:50:db -j LOG --log-prefix "MAC match: "


Already logging it all.

or similar. Good luck.

Many thanks for your help!

Mike
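
To make the MAC= field layout discussed above concrete, here is an added example (my own code, not from either poster) that splits the MAC= field of an iptables LOG line into destination MAC, source MAC and EtherType, and checks whether a `-m mac --mac-source` rule would match the logged frame. The sample line is the one from the thread; the function names and the 14-octet Ethernet header assumption are mine.

```python
# iptables LOG line taken from the thread above. The MAC= field carries the
# destination MAC (6 octets), the source MAC (6 octets) and the EtherType
# (2 octets), in that order.
SAMPLE_LOG = ('Feb 4 13:53:00 polaris IN=eth0 OUT= '
              'MAC=00:09:5b:1b:52:77:00:10:5a:14:50:db:08:00 '
              'SRC=192.168.1.14 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 '
              'TTL=128 ID=17305 DF PROTO=TCP SPT=1085 DPT=22 WINDOW=65067 '
              'RES=0x00 ACK PSH URGP=0')


def parse_log_line(line):
    """Split an iptables LOG line into a dict.

    KEY=VALUE tokens are stored as strings (an empty value such as OUT=
    stays ''); bare upper-case flags like DF, ACK and PSH map to True.
    """
    fields = {}
    for tok in line.split():
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
        elif tok.isupper():
            fields[tok] = True
    return fields


def split_mac_field(mac_field):
    """Decode the MAC= field into (dst_mac, src_mac, ethertype).

    Assumes a plain 14-octet Ethernet header (hypothetical helper; other
    link layers print a different number of octets and are rejected here).
    """
    octets = mac_field.lower().split(':')
    if len(octets) != 14:
        raise ValueError('unexpected MAC= length: %d octets' % len(octets))
    dst = ':'.join(octets[0:6])
    src = ':'.join(octets[6:12])
    ethertype = '0x' + ''.join(octets[12:14])
    return dst, src, ethertype


def mac_source_matches(line, rule_mac):
    """Would `-m mac --mac-source rule_mac` match the frame this line logged?

    The comparison is case-insensitive, as iptables accepts either case.
    """
    fields = parse_log_line(line)
    _, src, _ = split_mac_field(fields['MAC'])
    return src == rule_mac.lower()
```

Running `mac_source_matches(SAMPLE_LOG, '00:10:5a:14:50:db')` on the thread's log line returns True, which confirms the rule's MAC is the sender and narrows the problem to chain ordering or how the chain is reached.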
