On Wednesday 2005-October-05 00:50, Winanjaya - PBXSoftwares wrote:
> > My only comment is that some older systems might not have -m
> > iprange. But no worries, it's not far outside 2 CIDR ranges:
> > 172.16.2.240/29 and 172.16.2.248/30.
> >
> > Ah, one other comment: this might be better structured using a
> > user-defined chain. (Hold that thought ...)
> so you meant I can use below:
>
> # Range 241 to 246

172.16.2.240/29 is actually 240 through 247.

> -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> 00:12:95:6d:0a:3e -j DROP
> -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> 00:12:95:15:61:14 -j DROP
> -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> 00:12:95:15:62:29 -j DROP
> -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> 00:12:95:15:63:ba -j DROP

RH-Lokkit-0-50? Yuck!! Okay, trying to regain composure ... :)

Think about this. Look at the first rule:

> -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> 00:12:95:6d:0a:3e -j DROP

If the source IP is in 172.16.2.240/29 and the MAC address is *not*
00:12:95:6d:0a:3e, drop the packet. Your second and subsequent MAC rules
will never be used, because those packets are already dropped.

That's why I'd use another chain for this. Put an ACCEPT rule in the
calling chain after the jump to your new chain. Use -j RETURN rules for
your permitted MAC addresses, and a -j DROP rule at the end of your new
chain.

I hope you do understand about MAC filtering: it only works when your
packets originated on the same physical segment. Anything from outside
your physical segment will come to you with the MAC address of your
upstream router.
--
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header