----- Original Message -----
From: "Rob Sterenborg" <rob@xxxxxxxxxxxxxxx>
To: "Winanjaya - PBXSoftwares" <winanjaya@xxxxxxxxxxxxxxxx>
Cc: "/dev/rob0" <rob0@xxxxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, October 05, 2005 2:13 PM
Subject: Re: IP and MAC Address check

> On Wed, October 5, 2005 08:44, Winanjaya - PBXSoftwares wrote:
> ...
> >> > > Ah, one other comment: this might be better structured using a
> >> > > user-defined chain.
> >>
> >> (Hold that thought ...)
> ...
> >> Think about this. Look at the first rule:
> >> > -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
> >> > 00:12:95:6d:0a:3e -j DROP
> >>
> >> If the source IP is in 172.16.2.240/29 and the MAC address is *not*
> >> 00:12:95:6d:0a:3e, drop the packet. Your second and subsequent MAC
> >> rules will never be used, because those packets are already dropped.
> >>
> >> That's why I'd use another chain for this. Put an ACCEPT rule in the
> >> calling chain after the jump to your new chain. Use -j RETURN rules
> >> for your permitted MAC addresses, and a -j DROP rule at the end of
> >> your new chain.
> >>
> >> I hope you do understand about MAC filtering: it only works when
> >> your packets originated on the same physical segment. Anything from
> >> outside your physical segment will come to you with the MAC address
> >> of your upstream router.
> >
> > I am really sorry that I am not sure that I already understood what
> > you mean exactly.. could you please give me a simple example for
> > this? ..
> > thanks a lot in advance
>
> ...[rules]...
> # If the source IP is in 172.16.2.240/29, jump to a user defined chain.
> $ipt -A INPUT -s 172.16.2.240/29 -j MAC-CHECK
> ...[other rules]...
>
> # User defined chain.
> # RETURN to built-in chain INPUT if the MAC address matches
> # Otherwise, DROP the packet
>
> $ipt -N MAC-CHECK
> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:6d:0a:3e -j RETURN
> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:61:14 -j RETURN
> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:62:29 -j RETURN
> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:63:ba -j RETURN
> $ipt -A MAC-CHECK -j DROP

I tried it, but all traffic from 172.16.2.240/29 will be dropped although it has a valid MAC address. Could you please advise what I should check?

Regards
Winanjaya
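Added example, not part of the thread above and not code from either poster: a small Python simulation of how netfilter walks a chain (first matching terminal target wins, RETURN or falling off the end of a user-defined chain hands the packet back to the caller, the built-in chain falls back to its policy). It encodes both rulesets discussed, the one-chain "! --mac-source X -j DROP" form quoted from the RH-Lokkit rules and Rob's MAC-CHECK chain, and runs the same constructed packets through each. It assumes every rule in the original RH-Lokkit set had the same negated-DROP form as the first one quoted, that the INPUT policy is ACCEPT, and uses made-up IPs and a made-up router MAC for the sample packets; only the four MAC addresses and the /29 come from the thread.

```python
import ipaddress

# The four permitted NICs and the subnet from the thread.
ALLOWED_MACS = [
    "00:12:95:6d:0a:3e",
    "00:12:95:15:61:14",
    "00:12:95:15:62:29",
    "00:12:95:15:63:ba",
]
SUBNET = ipaddress.ip_network("172.16.2.240/29")
ROUTER_MAC = "00:aa:bb:cc:dd:ee"  # constructed: the upstream router's MAC


def rule(target, src=None, mac=None, mac_negate=False):
    """Simplified iptables rule: optional -s match, optional --mac-source match
    (mac_negate models the '!'), and a target: ACCEPT, DROP, RETURN or a user chain."""
    return {"src": src, "mac": mac, "mac_negate": mac_negate, "target": target}


def matches(r, pkt):
    if r["src"] is not None and ipaddress.ip_address(pkt["ip"]) not in r["src"]:
        return False
    if r["mac"] is not None:
        hit = pkt["mac"].lower() == r["mac"].lower()
        if hit == r["mac_negate"]:  # '! --mac-source' matches only when it does NOT equal
            return False
    return True


def walk(chains, chain_name, pkt, policy="ACCEPT"):
    """Evaluate one packet: first matching terminal target wins. A jump into a
    user chain returns None on RETURN or at the end of that chain, so the caller
    continues with its next rule. The built-in chain falls back to its policy."""
    builtin = chain_name == "INPUT"
    for r in chains[chain_name]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t in ("ACCEPT", "DROP"):
            return t
        if t == "RETURN":
            return policy if builtin else None
        verdict = walk(chains, t, pkt, policy)  # jump into user-defined chain
        if verdict is not None:
            return verdict
    return policy if builtin else None


def single_chain_rules():
    """Assumed shape of the original RH-Lokkit rules: one negated DROP per MAC.
    Any packet from the subnet fails at least one '! --mac-source' test, so the
    final ACCEPT is unreachable for every host, including the listed ones."""
    inp = [rule("DROP", src=SUBNET, mac=m, mac_negate=True) for m in ALLOWED_MACS]
    inp.append(rule("ACCEPT", src=SUBNET))
    return {"INPUT": inp}


def user_chain_rules():
    """Rob's layout: jump to MAC-CHECK, RETURN on a listed MAC, DROP at the end
    of the user chain, and an ACCEPT in INPUT right after the jump."""
    mac_check = [rule("RETURN", mac=m) for m in ALLOWED_MACS]
    mac_check.append(rule("DROP"))
    inp = [rule("MAC-CHECK", src=SUBNET), rule("ACCEPT", src=SUBNET)]
    return {"INPUT": inp, "MAC-CHECK": mac_check}


# Constructed sample packets (not captures from the thread).
PACKETS = [
    {"ip": "172.16.2.241", "mac": ALLOWED_MACS[0]},
    {"ip": "172.16.2.242", "mac": ALLOWED_MACS[1]},
    {"ip": "172.16.2.243", "mac": ALLOWED_MACS[2]},
    {"ip": "172.16.2.244", "mac": ALLOWED_MACS[3]},
    {"ip": "172.16.2.245", "mac": "00:de:ad:be:ef:00"},  # unknown NIC on the segment
    {"ip": "172.16.2.246", "mac": ROUTER_MAC},            # subnet IP arriving via the router: dropped
    {"ip": "10.0.0.7",     "mac": ROUTER_MAC},            # off-subnet source, never enters MAC-CHECK
]


def verdicts(chains, packets=PACKETS):
    return [walk(chains, "INPUT", p) for p in packets]


if __name__ == "__main__":
    for name, chains in (("single chain", single_chain_rules()),
                         ("MAC-CHECK chain", user_chain_rules())):
        print(name)
        for p, v in zip(PACKETS, verdicts(chains)):
            print(f"  {p['ip']:<14} {p['mac']}  -> {v}")
```

The simulation makes Rob's two points concrete: with the one-chain layout every host in the /29 is dropped, and with the MAC-CHECK chain only the four listed NICs reach the ACCEPT rule, while an off-segment source never enters the chain at all because it carries the router's MAC rather than a host's. On a real box the equivalent check is the per-rule packet counters from `iptables -L INPUT -v -n --line-numbers` and `iptables -L MAC-CHECK -v -n`, which show which rule is actually consuming the traffic.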