Gentoo Forums :: Networking & Security
Topic: iptables don't block MAC address
loux.thefuture (Tux's lil' helper; joined 15 Nov 2005; posts: 135)
Posted: Sun Jul 23, 2006 9:45 am    Post subject: iptables don't block MAC address

Hello,
I'm trying to block a host (games: IP x.12, MAC 00:0E:A6:4C:87:DB) on my LAN from obtaining an IP address from my firewall (x.1) by DHCP, so above shorewall (which allows the LAN's computers to acquire an IP from my firewall) I add:

Code:
iptables -I INPUT -m mac --mac-source 00:0E:A6:4C:87:DB -j DROP

So I think this will add this rule before all the others and directly drop all packets from this MAC address,
but my computer (games) continues to obtain a response from my firewall.
How can I do it?
Is it normal that my computer (games) gets an answer from my firewall?
Help me please,
loux
_________________
"So long and thanks for all the fishs !"
jvale (n00b; joined 23 Jan 2006; posts: 74; location: Porto, Portugal)
Posted: Sun Jul 23, 2006 9:56 am

Does your kernel have support for MAC address matching?

(In my 2.6.16-gentoo-r13 it's in Networking -> Networking Options -> Network packet filtering -> Core Netfilter Configuration -> "mac" address match support )
loux.thefuture (Tux's lil' helper; joined 15 Nov 2005; posts: 135)
Posted: Sun Jul 23, 2006 10:01 am

Hello,
thanks for the reply.
Yes, I think my kernel has support for MAC address matching, because the computer games can no longer surf the web via the firewall or connect to it by SSH,
so iptables DROPs all the packets except those for DHCP!
My modules (hardened kernel):

Code:
Module Size Used by
xt_mac 534 -
xt_pkttype 396 -
iptable_raw 384 -
xt_CLASSIFY 668 -
xt_physdev 776 -
ipt_TTL 757 -
ipt_ttl 445 -
ipt_TOS 716 -
ipt_tos 332 -
ipt_TCPMSS 1876 -
ipt_SAME 696 -
ipt_REJECT 2225 -
ipt_REDIRECT 564 -
ipt_recent 5855 -
ipt_policy 1454 -
ipt_owner 619 -
ipt_NETMAP 536 -
ipt_multiport 936 -
ipt_MASQUERADE 766 -
ipt_LOG 3794 -
ipt_iprange 436 -
ipt_hashlimit 3908 -
ipt_esp 456 -
ipt_ECN 1286 -
ipt_ecn 630 -
ipt_DSCP 698 -
ipt_dscp 344 -
ipt_ah 460 -
ipt_addrtype 455 -
ip_nat_irc 592 -
ip_nat_tftp 305 -
ip_conntrack_irc 2451 -
ip_conntrack_tftp 1295 -
iptable_nat 3633 -
iptable_filter 584 -
via686a 7539 -
eeprom 2326 -
i2c_isa 1160 -
i2c_viapro 3937 -
i2c_core 8180 -
ip_nat_ftp 1004 -
ip_nat 7821 -
ip_conntrack_ftp 3158 -
iptable_mangle 707 -
ip_tables 5944 -
xt_connmark 412 -
xt_conntrack 808 -
xt_state 436 -
ip_conntrack 24080 -
xt_tcpudp 1408 -
x_tables 4512 -
tun 4618 -
3c59x 25648 -

and cat .config | grep 'mac':

Code:
CONFIG_NETFILTER_XT_MATCH_MAC=m
# CONFIG_HAMACHI is not set
CONFIG_CRYPTO_HMAC=y

loux
ronaldmoes (n00b; joined 03 Oct 2003; posts: 48)
Posted: Sun Jul 23, 2006 11:16 am

This is probably because your dhcp server uses a packet filter to receive dhcp traffic instead of the normal ip socket calls and thus bypasses the firewall. You can add a host specific configuration to your dhcp.conf file like this:

Code:

host joe {
    hardware ethernet 00:0E:A6:4C:87:DB;
    fixed-address 1.1.1.1;
    option host-name "games";
}

and set the address to something invalid like 1.1.1.1. That should do the trick.

Or you could add an output filter to your firewall to prevent the dhcp server from sending replies.
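The reply above explains why the INPUT rule never fires: a DHCP server that reads from a raw packet socket gets the frame before netfilter's INPUT chain evaluates it, so the only reliable place to refuse a client by MAC is the server's own lease policy (the host block in dhcpd.conf). The following Python is an added illustration, not code from this thread or from ISC dhcpd: it parses a constructed DHCP DISCOVER from its raw BOOTP payload, reads the client hardware address (chaddr), and applies a deny list, which is the decision the host block expresses declaratively. The denied MAC is the one from the thread; the second MAC, the transaction IDs, and the helper names (parse_dhcp, should_serve, build_discover) are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# Fixed BOOTP header (RFC 951 / RFC 2131): 236 bytes before the options area.
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
BOOTREQUEST = 1


@dataclass
class DhcpMessage:
    op: int
    xid: int
    chaddr: str                 # client MAC, lower-case colon form
    options: dict = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Canonical form so '00-0E-A6-...' and '00:0e:a6:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message (Ethernet clients only)."""
    if len(payload) < BOOTP_LEN + len(MAGIC_COOKIE):
        raise ValueError("payload shorter than a BOOTP header plus cookie")
    (op, htype, hlen, _hops, xid, _secs, _flags, _ci, _yi, _si, _gi,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet (htype=1, hlen=6) is handled here")
    if payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    return DhcpMessage(op, xid, mac, options)


def should_serve(msg: DhcpMessage, denied_macs) -> bool:
    """Lease policy: answer only BOOTREQUESTs from MACs not on the deny list."""
    denied = {normalize_mac(m) for m in denied_macs}
    return msg.op == BOOTREQUEST and normalize_mac(msg.chaddr) not in denied


def build_discover(mac: str, xid: int) -> bytes:
    """Construct a minimal DHCPDISCOVER payload (sample input for the demo)."""
    chaddr = bytes.fromhex(mac.replace(":", "").replace("-", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4, chaddr, b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


# The MAC the thread wants refused; the second one is a constructed, allowed client.
DENY_LIST = ["00:0E:A6:4C:87:DB"]


def demo():
    blocked = parse_dhcp(build_discover("00:0E:A6:4C:87:DB", 0x1234))   # assumed xid
    allowed = parse_dhcp(build_discover("00:11:22:33:44:55", 0x5678))   # constructed
    return should_serve(blocked, DENY_LIST), should_serve(allowed, DENY_LIST)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The parser stops at the END option and rejects truncated option headers or values, so a malformed DISCOVER raises instead of being silently matched against the deny list. Because the policy keys on chaddr, it behaves like the dhcpd.conf host block rather than like the iptables mac match, which keys on the Ethernet source and never gets to run for a server reading from a packet socket.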
loux.thefuture (Tux's lil' helper; joined 15 Nov 2005; posts: 135)
Posted: Sun Jul 23, 2006 12:24 pm

Hello,
OK, this answer sheds light on my trouble,
so net-misc/dhcp uses a packet filter instead of a normal IP socket,
so I can't block it with shorewall? So the shorewall blacklist doesn't work for BOOTP or DHCP requests!
And I have to block the iptables OUTPUT chain or change my DHCP server configuration.
Hey: I looked at iptables and there is no option to block a MAC address on the OUTPUT chain! There is just a mac-source option!
So how do I use iptables to block output packets based on MAC destination?
OK,
thanks,
loux
Janne Pikkarainen (Veteran; joined 29 Jul 2003; posts: 1143; location: Helsinki, Finland)
Posted: Mon Jul 24, 2006 7:39 am

Hmm. I wonder what the default parameter for the iptables -p switch is (i.e. should the match take care of TCP, UDP or both): is it tcp or all? If it's tcp and DHCP goes over UDP, then that's the reason and the fix would be

Code:
iptables -I INPUT -p all -m mac --mac-source 00:0E:A6:4C:87:DB -j DROP

Maybe.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
loux.thefuture (Tux's lil' helper; joined 15 Nov 2005; posts: 135)
Posted: Mon Jul 24, 2006 8:03 am

Hello,
what we observe is that the DHCP server doesn't use a normal IP socket (to catch broadcast packets, I think), so shorewall won't block packets for DHCP whatever I do. I'm trying ebtables (which works on layer 2 of the OSI model) but I don't think it will work either.
loux