On Wed, October 5, 2005 09:52, Winanjaya - PBXSoftwares wrote:
>> ...[rules]...
>> # If the source IP is in 172.16.2.240/29, jump to a user defined
>> # chain.
>> $ipt -A INPUT -s 172.16.2.240/29 -j MAC-CHECK
>> ...[other rules]...
>>
>> # User defined chain.
>> # RETURN to built-in chain INPUT if the MAC address matches
>> # Otherwise, DROP the packet
>>
>> $ipt -N MAC-CHECK
>> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:6d:0a:3e -j RETURN
>> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:61:14 -j RETURN
>> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:62:29 -j RETURN
>> $ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:63:ba -j RETURN
>> $ipt -A MAC-CHECK -j DROP
>
> I tried it .. but all traffic 172.16.2.240/29 will be dropped
> although it has valid Mac Address.. could you please advise ..what
> should I check?

As /dev/rob0 mentioned: are you sure that the PCs that you want to check
the MAC address from are on the same physical ethernet segment? If not,
then you won't be able to match the MAC address.

You may want to check with this:

$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:6d:0a:3e -j LOG \
    --log-prefix "MAC1: "
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:6d:0a:3e -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:61:14 -j LOG \
    --log-prefix "MAC2: "
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:61:14 -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:62:29 -j LOG \
    --log-prefix "MAC3: "
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:62:29 -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:63:ba -j LOG \
    --log-prefix "MAC4: "
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:63:ba -j RETURN

See if you get any logging. If not, the MAC addresses do not match.

Gr,
Rob
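A complementary check to the LOG rules above, added here and not part of the thread: rather than adding one LOG rule per whitelisted MAC, log everything that reaches MAC-CHECK and read the MAC= field of the resulting kernel lines, which carries dst(6):src(6):ethertype(2). The log lines and the 00:50:56:11:22:33 address are constructed; the whitelist is the one from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output (not from the original thread).
# The MAC= field is dst(6):src(6):ethertype(2), so the frame's source MAC
# is octets 7..12.  Three different IPs arriving with one source MAC
# suggests a router or gateway sits between those hosts and the firewall.
SAMPLE_LOG = """\
kernel: MAC1: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:12:95:6d:0a:3e:08:00 SRC=172.16.2.241 DST=172.16.2.1 PROTO=TCP
kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=172.16.2.242 DST=172.16.2.1 PROTO=TCP
kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=172.16.2.243 DST=172.16.2.1 PROTO=UDP
kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=172.16.2.244 DST=172.16.2.1 PROTO=TCP
"""

# The MACs whitelisted in the MAC-CHECK chain from the thread.
ALLOWED_MACS = {
    "00:12:95:6d:0a:3e", "00:12:95:15:61:14",
    "00:12:95:15:62:29", "00:12:95:15:63:ba",
}

MAC_RE = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:){13}[0-9a-fA-F]{2})")
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_log(text):
    """Yield (src_ip, src_mac) for every LOG line carrying a MAC= field."""
    for line in text.splitlines():
        mac, src = MAC_RE.search(line), SRC_RE.search(line)
        if not (mac and src):
            continue  # e.g. lines from a loopback or tunnel interface
        octets = mac.group(1).lower().split(":")
        yield src.group(1), ":".join(octets[6:12])


def diagnose(text, allowed=ALLOWED_MACS):
    """Group logged frames by source MAC and flag the two interesting cases:
    a MAC not in the whitelist (would hit the final DROP) and a MAC shared
    by several IPs (the hosts are probably behind a router, so --mac-source
    can never see their real addresses)."""
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_log(text):
        ips_by_mac[mac].add(ip)
    return {
        mac: {"ips": sorted(ips), "allowed": mac in allowed, "shared": len(ips) > 1}
        for mac, ips in ips_by_mac.items()
    }
```

Feed it the output of `grep 'MAC-CHECK' /var/log/kern.log` (or whatever prefix you chose); a non-whitelisted MAC that is shared by every IP in 172.16.2.240/29 is the gateway's address and confirms the hosts are not on the firewall's segment.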