Gentoo Archives: gentoo-user

From: Hans-Werner Hilse <hilse@×××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] OT: iptables mac filtering
Date: Wed, 09 Aug 2006 20:22:58
In Reply to: [gentoo-user] OT: iptables mac filtering by James
1 Hi,
3 On Wed, 9 Aug 2006 18:54:45 +0000 (UTC)
4 James <wireless@×××××××××××.com> wrote:
6 > Where the mac address xx...xx is the system allowed in, via ssh
7 > and the ip.address is that of the destination (/24 based) host
8 > The rule works well when packets have to traverse
9 > a firewall/router as mac addresses do not get propagated (I think).
11 No, of course not. The incoming packet will have the MAC of the router
12 instead. Only ethernet frames carry a MAC, so there's no MAC in IP
13 tunnels, too.
15 > However, when I use similar syntax to prevent a system on the same
16 > local (ethernet) segment from being able to ssh into a local system,
17 > it does prevent ssh access, as expected. Granted MAC addresses
18 > can be foiled, especially on the same segment, but how do I make this
19 > rule work?: On a local segemnt how would I modify the syntax so
20 > that only a select machine (maybe IP + MAC) could access a host,
21 > running iptables, via ssh?
23 Hm, by adding "-s <source IP>"? And of course, you need to change
24 INPUT's policy to REJECT or DROP, using iptables -P INPUT DROP. Note
25 that you probably want some rules allowing traffic local on that
26 machine, so also allow packets coming from "lo".
28 But you already mentioned it: There's not much point in blocking access
29 this way since MAC addresses can as well be spoofed as IP addresses.
30 Are you suffering from DOS attacks on your SSH server?
32 -hwh
33 --
34 gentoo-user@g.o mailing list