Michael P. Brininstool wrote: > I think you are doing this the hard way. This is what I do and it works > just fine > (MAC's altered, I control eth[0134] via physical access security i.e. locked > room): > > =============================================== > -A FORWARD -i eth2 -j macchk > ... > =============================================== > -A macchk -m mac --mac-source 00:xx:xx:xx:8F:FD -j RETURN > ... > -A macchk -m mac --mac-source 00:xx:xx:xx:8C:B6 -j RETURN > -A macchk -j logmac > =============================================== > -A logmac -j LOG --log-prefix "PACKET_FROM_MAC_DROPPED " > -A logmac -j DROP > =============================================== > > Remove first line of FORWARD (shown above) to remove the restrictions. > > I have a program generate macchk whenever the database of allowed machines > changes. It does this by removing the reference to macchk in the forward > change, flushing the macchk chain, rebuilding it (with the logmac reference > on the end, and it re-inserts the reference to macchk at beginning of > FORWARD. I tried something almost exactly the same, except it was in the filter table. it simply did not work and the MAC source that was actually tested was that of the outgoing interface (verified when I added a rule testing the mac of the outgoing interface). I want it blocked at both incoming to the local machine and being routed depending on what is used. There is no locked room per se. In the filter table: I first test the incoming interface in both FORWARD and INPUT, if it's eth1, jump to the mac testing chain. In that chain, if the mac is an allowed one, jump to the ip testing chain, if that packet is allowed, accept. the next line of FORWARD and INPUT is a jump to DROP (testing for eth1 again). That is exactly what I want. Your example is more permissive than mine. Instead of using filter/INPUT and filter/FORWARD, either nat/PREROUTING or mangle/PREROUTING with the same rules should handle what I want w/o testing in both INPUT and FORWARD since at the PREROUTING stage, it has not determined where the packet will be going. I just do not know if nat/PREROUTING is traversed every time a packet comes in, or if it only is traversed on the initial packet of a connection (Probably doesn't matter though)
