Re: Database Backed IPTables

Nick Khamis wrote:
The MAC address is only used on local links. The MAC address of a packet
arriving at your firewall or perimeter router is that of the router at the
other (ISP) end of your link.

Our client application adds a P-Assertion to the SIP message indicating the MAC of the requesting client. Now, I am not sure how we can tie that into "--src" of IPTables.
If you need to capture embedded MAC addresses in that header you would need to analyse the SIP packet - not a trivial thing to do by any means. Even then, what's stopping, say, an adversary from crafting a packet with a "legitimate" MAC address embedded in that header?

Even if you match IP and MAC addresses together, that won't be 100% secure as these could be easily forged.

Since your clients are using an application you provide, why don't you secure the signalling using PKI - that way you could distribute a certificate with the client. The server on your side of the connection won't accept it unless a secure handshake has been established - job done.

OK, that won't prevent somebody from DDoS-ing you, but you could easily protect yourself from this using standard iptables tools.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
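The reply above makes three points: a MAC address only identifies a host on the directly attached link, client identity is better tied to a TLS handshake with a distributed certificate, and iptables alone can handle the remaining flood risk. The following script is an added example written for this archive page, not code from either poster; it assumes SIP over TLS on 5061/tcp, a LAN interface named eth1, and a constructed placeholder MAC for a locally attached client. It prints the rules by default so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the list thread). Assumed values: the TLS
# signalling port, the LAN interface name and a made-up client MAC.
LAN_IF="${LAN_IF:-eth1}"
SIP_TLS_PORT="${SIP_TLS_PORT:-5061}"
LAN_CLIENT_MAC="${LAN_CLIENT_MAC:-02:00:00:aa:bb:cc}"   # constructed placeholder

# Print the rules instead of running them, so the set can be reviewed
# (or piped to sh as root) without touching the live firewall.
emit_rules() {
    # Replies to already established sessions pass first.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # MAC matching is meaningful only for hosts on the attached segment:
    # frames arriving over the uplink all carry the ISP router's MAC, so
    # this rule is pinned to the LAN interface and cannot be used for
    # remote clients, whatever a SIP header claims.
    echo "iptables -A INPUT -i $LAN_IF -m mac --mac-source $LAN_CLIENT_MAC -p tcp --dport $SIP_TLS_PORT -j ACCEPT"

    # Flood protection for the TLS signalling port: cap concurrent
    # connections per source address, then rate-limit new SYNs per source.
    echo "iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $SIP_TLS_PORT --syn -m hashlimit --hashlimit-name sip_tls --hashlimit-mode srcip --hashlimit-above 5/sec --hashlimit-burst 20 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $SIP_TLS_PORT --syn -j ACCEPT"

    # Clear-text SIP is not offered at all: the client certificate is
    # checked in the TLS handshake, so nothing on 5060 needs to be trusted.
    echo "iptables -A INPUT -p udp --dport 5060 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 5060 -j DROP"
}

# Sanity check: number of emitted rules that reference the TLS port.
count_tls_rules() {
    emit_rules | grep -c -- "--dport $SIP_TLS_PORT"
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_rules | sh          # apply for real; requires root
else
    emit_rules               # default: review mode
fi
```

Run it plainly to inspect the rule set, or with `APPLY=1` as root to load it. The connlimit and hashlimit thresholds are starting points to tune against real call volume; the MAC rule is kept only to show where such a match can legitimately apply.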