Wakko Warner :
> Bo Yang wrote:
>> Wakko Warner :
>>> Bo Yang wrote:
>>>> MAC address is some concept in the link layer, so how do
>>>> you get the packet sender mac if the packet is routed to your
>>>> box through some other routers?
>>> I understand. However, the machine I was using for this was directly
>>> connected to both systems. There were no other routers.
>>>
>>> Take this for instance:
>>>
>>> Box A -> (eth1)firewall/router(eth0) -> Box B
>>>
>>> firewall/router does not trust eth1 and uses MAC addresses to allow access,
>>> so it does this:
>>> -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
>>> -I FORWARD -j DROP -i eth1
>>>
>>> firewall/router knows the mac of both box a and b (obviously, box a doesn't
>>> know box b's mac and vice versa). Consider the above the only rules in the
>>> firewall and box A and B have no rules at all.
>>>
>>> Box A pings Box B and fails. The reason is the mac test above is seeing the
>>> MAC of eth0, not of Box A.
>>>
>>> This is what I'm referring to and I had to add a MARK rule in PREROUTING to
>>> mark packets that I want to allow and then allow in the forward chain based
>>> upon the mark.
>>>
>> I think when the packet is in the FORWARD chain, the routing must
>> have affected the packet, so that
>> is the reason why you see the eth0 mac in the rule.
>
> Yes, and the reason I wanted to request that it not be allowed to match in
> the FORWARD chain (or have a note in the man page about this)
>
>> You can just add a rule in the PREROUTING chain in the mangle table,
>> and DROP the packet you don't
>> want there. Why must you mark it first, and then drop it in another
>> chain?
>
> Actually, I was tinkering and using MARK was the first thing that came to
> mind. After thinking about it, I think the best place would be in
> nat/PREROUTING (since nat is already loaded on the firewall machine). I do
> not need mangle at all if I'm not marking. At the time, I didn't think the
> filtering place should be in the mangle or nat tables, after all, that is
> what the filter table is for =)
>
> In the nat/PREROUTING chain, are all incoming packets passed through this or
> just the initial packets?

Yes, I think so.

> In my current setup, I have br0 (eth0 and some
> vpns) that are routed through ppp0 to get to the internet. eth1 is
> connected to a wireless ap and I do not want ANY access from anything on
> that network except ICMP, VPN, and the web/snmp port to the WAP (I need a GUI
> browser to configure the thing and the firewall has no GUI installed which
> is why I am using forwarding). On eth1, I only allow specific MACs to
> be able to connect at all.
>
> I do appreciate the idea to block in the prerouting chain instead of marking
> then blocking.

It is up to you!
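Added example (not from this thread): a POSIX shell script that puts the two approaches discussed above side by side, the direct DROP in mangle/PREROUTING and the MARK-then-FORWARD variant. The interface name and the MAC allow list are constructed placeholders, and it dry-runs by default (IPT is `echo iptables` unless overridden); it uses the mangle table rather than nat because the nat table is traversed only by the first packet of each connection and is not intended for filtering.

```shell
#!/bin/sh
# Added example, not code from the thread. Set IPT=iptables and run as root
# to apply; the default just prints the commands so the logic can be reviewed.
IPT="${IPT:-echo iptables}"
UNTRUSTED="${UNTRUSTED:-eth1}"                      # assumed: the wireless-AP side
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"  # constructed sample allow list

# Approach 1: decide in mangle/PREROUTING, before routing, where -m mac still
# sees the source MAC of the frame that arrived on the untrusted interface.
# Listed MACs leave the chain (RETURN -> chain policy ACCEPT); all else is dropped.
mac_filter_prerouting() {
    for mac in $ALLOWED_MACS; do
        $IPT -t mangle -A PREROUTING -i "$UNTRUSTED" -m mac --mac-source "$mac" -j RETURN
    done
    $IPT -t mangle -A PREROUTING -i "$UNTRUSTED" -j DROP
}

# Approach 2: the MARK variant from the thread. Allowed frames are tagged in
# mangle/PREROUTING and the filter table's FORWARD chain acts on the mark,
# so FORWARD never has to inspect a MAC itself.
mac_filter_mark() {
    for mac in $ALLOWED_MACS; do
        $IPT -t mangle -A PREROUTING -i "$UNTRUSTED" -m mac --mac-source "$mac" -j MARK --set-mark 1
    done
    $IPT -A FORWARD -i "$UNTRUSTED" -m mark --mark 1 -j ACCEPT
    $IPT -A FORWARD -i "$UNTRUSTED" -j DROP
}

# Number of rules an approach emits; handy for checking the dry run.
rule_count() { "$1" | wc -l | tr -d ' '; }
```

In dry-run mode `mac_filter_prerouting` emits three rules (two RETURNs and the final DROP) and `mac_filter_mark` emits four; review them before switching IPT to the real binary.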