James wrote:
> Hello,
>
> Continuing my quest for iptables enlightenment....I have a question
> about 'mac address' syntax. All options for mac and arp have been compiled
> into a gentoo-hardened kernel.
>
> I'm using variations of this syntax in my script.
>
> # Rule to only allow ssh by MAC address
> iptables -A INPUT -i eth0 -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx \
> --source-port 1024:65535 -d <ip.address> --dport 22 -j ACCEPT
>
> Where the mac address xx...xx is the system allowed in, via ssh,
> and the ip.address is that of the destination (/24 based) host.
> The rule works well when packets have to traverse
> a firewall/router as mac addresses do not get propagated (I think).
>
> However, when I use similar syntax to prevent a system on the same
> local (ethernet) segment from being able to ssh into a local system,
> it does prevent ssh access, as expected. Granted MAC addresses
> can be foiled, especially on the same segment, but how do I make this
> rule work?: On a local segment how would I modify the syntax so
> that only a select machine (maybe IP + MAC) could access a host,
> running iptables, via ssh?
>
> Thoughts and ideas are most welcome.
>
> James

The rule you give in the example seems correct to me. I can imagine 2
reasons why it is not working for you.
First, this rule ends with "ACCEPT" - it allows, it does not forbid, access.
The second reason is that there could be some other rules which take
precedence before a packet meets the rule in question, and it obeys those
preceding rules.

--
Best regards,
Daniel

--
gentoo-user@g.o mailing list