Re: IP and MAC Address check

----- Original Message -----
From: "/dev/rob0" <rob0@xxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, October 05, 2005 12:29 PM
Subject: Re: IP and MAC Address check


> Please don't top-post. Thank you.
>
> On Wednesday 2005-October-05 00:19, Winanjaya - PBXSoftwares wrote:
> > Hi . . I already had the list of MAC Address .. and they stored in
> > the file named maclist (ie. /etc/sysconfig/maclist) ..
>
> Yes.
>
> > what I need is to configure iptables to read maclist file when there
>
> iptables cannot read from a file. Use a shell script to do that.
>
> > is incoming traffic from the IP address 172.16.2.241 to 172.16.2.250
> > ..if the MAC Address is listed then the traffic will be allowed otherwise
> > the traffic will be dropped or rejected..
> >
> > any idea ? .. please advise
>
> You were given good advice:
>
> > ----- Original Message -----
> > From: "Marcos S. Trazzini" <mstrazzini@xxxxxxxxx>
> > To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> > Sent: Wednesday, October 05, 2005 11:58 AM
> > Subject: Re: IP and MAC Address check
> >
> snip
> > > ---CUT HERE---
> > > while read mac; do
> > >   iptables -A INPUT -m mac --mac-source $mac -m iprange \
> > >   --src-range 172.16.2.241-172.16.2.250 -j ACCEPT
> > > done < /path/to/maclist
> > > iptables -AINPUT -m iprange --src-range \
> > > 172.16.2.241-172.16.2.250 -j DROP
> > > ---CUT HERE---
>
> My only comment is that some older systems might not have -m iprange.
> But no worries, it's not far outside 2 CIDR ranges: 172.16.2.240/29 and
> 172.16.2.248/30.
>
> Ah, one other comment: this might be better structured using a
> user-defined chain.
>
> > > See also:
> > > # iptables -m mac --help
> > > # iptables -m iprange --help
>
> And of course "man iptables".
> --
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
>

so you meant I can use the below:

# Range 241 to 246
-A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source 00:12:95:6d:0a:3e -j DROP
-A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source 00:12:95:15:61:14 -j DROP
-A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source 00:12:95:15:62:29 -j DROP
-A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source 00:12:95:15:63:ba -j DROP


please advise ..

Regards
Winanjaya
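A script that puts Marcos's read-loop together with /dev/rob0's two suggestions (a user-defined chain, and the two CIDR blocks in place of -m iprange), added here as an example and not taken from any post in this thread. The chain name MACCHECK, the function name build_rules and the sample list (built from the MACs quoted above plus one deliberately malformed line) are assumptions.

```shell
#!/bin/sh
# Example for this thread (not code from any post): load the MAC list into a
# user-defined chain so each address block is checked once and the policy
# lives in one place. The two CIDR blocks replace -m iprange on kernels that
# lack it. Chain name MACCHECK and function name build_rules are assumptions.
# Usage: sh maccheck.sh /etc/sysconfig/maclist | iptables-restore -n

# Constructed sample list in the maclist format, one MAC per line.
SAMPLE_MACLIST='00:12:95:6d:0a:3e
00:12:95:15:61:14
# comment lines and blank lines are ignored

00:12:95:15:62:29
# the next line is deliberately malformed; it is reported and skipped
00-12-95-15-63-ba'

# 172.16.2.240/29 + 172.16.2.248/30 = .240-.251, slightly wider than .241-.250.
NETS="172.16.2.240/29 172.16.2.248/30"
MACRE='^[0-9a-f]{2}(:[0-9a-f]{2}){5}$'

# build_rules <maclist-file>: print the ruleset in iptables-restore format.
# Listed MACs get one ACCEPT each, followed by a single DROP. (Per-MAC rules
# of the form "! --mac-source X -j DROP" would drop everything: every host
# fails to match at least one of the other listed MACs.)
build_rules() {
    maclist=$1
    printf '%s\n' '*filter' ':MACCHECK - [0:0]'
    for net in $NETS; do
        printf '%s\n' "-A INPUT -s $net -j MACCHECK"
    done
    # Report lines that are neither a MAC, a comment nor blank, then skip them.
    grep -Eiv "$MACRE" "$maclist" | grep -Ev '^[[:space:]]*(#|$)' |
        sed 's/^/skipped: /' >&2
    grep -Ei "$MACRE" "$maclist" | tr 'A-F' 'a-f' | sort -u |
    while read -r mac; do
        printf '%s\n' "-A MACCHECK -m mac --mac-source $mac -j ACCEPT"
    done
    printf '%s\n' '-A MACCHECK -j DROP' 'COMMIT'
}

if [ $# -gt 0 ]; then
    build_rules "$1"
else
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_MACLIST" > "$tmp"
    build_rules "$tmp"
    rm -f "$tmp"
fi
```

Run it against the real list and review the output before piping it into iptables-restore; "skipped:" lines on stderr point at entries the list needs fixed.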