Hello,

Continuing my quest for iptables enlightenment... I have a question
about 'mac address' syntax. All options for mac and arp have been compiled
into a gentoo-hardened kernel.

I'm using variations of this syntax in my script.

# Rule to only allow ssh by MAC address
iptables -A INPUT -i eth0 -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx \
    --source-port 1024:65535 -d <ip.address> --dport 22 -j ACCEPT

Where the mac address xx...xx is the system allowed in, via ssh,
and the ip.address is that of the destination (/24 based) host.
The rule works well when packets have to traverse
a firewall/router as mac addresses do not get propagated (I think).

However, when I use similar syntax to prevent a system on the same
local (ethernet) segment from being able to ssh into a local system,
it does prevent ssh access, as expected. Granted MAC addresses
can be foiled, especially on the same segment, but how do I make this
rule work? On a local segment, how would I modify the syntax so
that only a select machine (maybe IP + MAC) could access a host,
running iptables, via ssh?

Thoughts and ideas are most welcome.

James

--
gentoo-user@g.o mailing list
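As an added example (not from James's post or from the gentoo-user thread), the following Python script covers the two things a defender wants here: it builds the combined IP + MAC accept rule the question asks about, with both matches in the same rule so a packet must satisfy both, and it audits an iptables-save dump for SSH accept rules that rely on a MAC match alone or are not followed by a terminal drop for port 22. The interface name, addresses, MACs and rule lines are constructed placeholders. One point the example relies on: `-m mac` inspects the Ethernet source address of the frame as it arrives at the host, so it is only meaningful in the PREROUTING, INPUT and FORWARD chains, and for a sender behind a router the address seen is the router's, not the original sender's.

```python
import re
import shlex

# Constructed sample in iptables-save format; addresses and MACs are
# placeholders, not taken from the original mailing-list post.
SAMPLE_RULES = [
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    # MAC-only accept: the pattern the post uses, weak on a shared segment
    "-A INPUT -i eth0 -p tcp -m mac --mac-source 00:11:22:33:44:55 "
    "-m tcp --sport 1024:65535 -d 192.0.2.10/32 --dport 22 -j ACCEPT",
    # IP + MAC accept: both matches must hold for the packet to be accepted
    "-A INPUT -i eth0 -p tcp -s 192.0.2.20/32 -m mac --mac-source 00:11:22:33:44:66 "
    "-d 192.0.2.10/32 -m tcp --dport 22 -j ACCEPT",
    # Terminal drop so any SSH packet not matched above is refused
    "-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP",
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Options that take one argument but that the audit does not need to record
SKIP_WITH_ARG = {"-i", "-o", "-d", "-m", "--sport", "--source-port", "--ctstate"}


def build_ssh_rule(iface, mac, src_ip, dst_ip):
    """Return an iptables command accepting SSH only from a given IP *and* MAC.

    Both matches sit in one rule, so a packet must satisfy both; a MAC match
    on its own can be defeated by any host on the same segment.
    """
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return (
        "iptables -A INPUT -i {iface} -p tcp -s {src} -m mac --mac-source {mac} "
        "-d {dst} --dport 22 -j ACCEPT"
    ).format(iface=iface, src=src_ip, mac=mac, dst=dst_ip)


def parse_rule(line):
    """Extract the fields the audit cares about from one iptables-save line."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "proto": None,
            "src": None, "mac": None, "dport": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-j":
            rule["target"] = arg
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "-s":
            rule["src"] = arg
        elif tok == "--mac-source":
            rule["mac"] = arg
        elif tok in ("--dport", "--destination-port"):
            rule["dport"] = arg
        elif tok not in SKIP_WITH_ARG:
            i += 1          # token without an argument, e.g. "!" negation
            continue
        i += 2
    return rule


def audit_ssh_rules(lines, chain="INPUT", port="22"):
    """Check SSH accept rules in a chain for IP + MAC matches and a final drop.

    Returns (findings, has_terminal_drop); findings is a list of
    (rule_line, [problems]) for every ACCEPT rule on tcp/port.
    """
    findings = []
    has_terminal_drop = False
    for line in lines:
        r = parse_rule(line)
        if r["chain"] != chain or r["proto"] != "tcp" or r["dport"] != port:
            continue
        if r["target"] == "ACCEPT":
            problems = []
            if r["mac"] is None:
                problems.append("no --mac-source match")
            elif not MAC_RE.match(r["mac"]):
                problems.append("malformed --mac-source value")
            if r["src"] is None:
                problems.append("no -s source IP match")
            findings.append((line, problems))
        elif r["target"] in ("DROP", "REJECT") and r["src"] is None and r["mac"] is None:
            # An unqualified drop/reject for the port closes the chain
            has_terminal_drop = True
    return findings, has_terminal_drop


if __name__ == "__main__":
    print(build_ssh_rule("eth0", "00:11:22:33:44:66", "192.0.2.20", "192.0.2.10"))
    findings, terminal = audit_ssh_rules(SAMPLE_RULES)
    for line, problems in findings:
        print("OK  " if not problems else "WEAK", line, "; ".join(problems))
    print("terminal drop for port 22 present:", terminal)
```

To audit a live ruleset, feed the script the output of `iptables-save` (or `iptables -S INPUT`) instead of the constructed list; the first sample rule, which mirrors the MAC-only pattern from the post, is reported as weak because nothing ties the frame to a source IP.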