cold_flame (Tux's lil' helper)
Joined: 23 Jun 2003 Posts: 88 Location: Australia
Posted: Tue Jun 22, 2004 2:38 am Post subject: blocking mac addresses
hi folks,
just a question about securing my box.
recently i keep being port scanned by a certain client, but they are spoofing the address so that i can't block them specifically. however i have noticed that the mac address stays the same for each one.
my question is: does that mac address correspond to a certain computer/connection at the other end, and if so, how do i block it?
the man pages for iptables say that i can, but only with a 6 part MAC address, whereas this one has 14 fields (although the first 6 correspond to my internet device (tap0)).
thanks.
00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00
spudicus (Apprentice)
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Tue Jun 22, 2004 3:03 am Post subject: Re: blocking mac addresses
> cold_flame wrote: recently i keep being port scanned by a certain client, but they are spoofing the address so that i can't block them specifically. however i have noticed that the mac address stays the same for each one.

The mac address can also be spoofed.

> cold_flame wrote: my question is does that mac address correspond to a certain computer/connection at the other end, and if so, how do i block it.

Unless it's being spoofed, yes, there's supposed to be one mac address unique to each interface.

> cold_flame wrote: the man pages for iptables say that i can, but only with a 6 part MAC address, whereas this one has 14 fields (although the first 6 correspond to my internet device (tap0))

My man iptables says:

Code:
```
mac
--mac-source [!] address
    Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
```

Therefore, doing something like this:

Code:
```
iptables -A INPUT -i tap0 -m mac --mac-source "00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00" -j DROP
```

should block input on one interface from him.
On the other hand, if all your inputs are blocked anyway, the loser can scan all he wants to no avail.
smart (Guru)
Joined: 19 Nov 2002 Posts: 455
Posted: Tue Jun 22, 2004 5:15 am Post subject:
> Quote: --mac-source "00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00"

The guy from Mc D... would say, it's not just a Big MAC, it's a cheeseburger. :D
adelante (Tux's lil' helper)
Joined: 19 Apr 2003 Posts: 133 Location: South Africa - Johannesburg
Posted: Sat Jul 10, 2004 8:39 am Post subject:
Is it possible to do a MASQUERADE rule with a Mac Address?
If so, how would I go about getting this right?
spudicus (Apprentice)
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Sat Jul 10, 2004 4:03 pm Post subject:
> adelante wrote: Is it possible to do a MASQUERADE rule with Mac Address?

Code:
```
man iptables
mac
--mac-source [!] address
    Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
```

MASQUERADING is on the POSTROUTING chain, therefore this match isn't recommended for use.
cold_flame (Tux's lil' helper)
Joined: 23 Jun 2003 Posts: 88 Location: Australia
Posted: Sat Jul 10, 2004 5:47 pm Post subject: Re: blocking mac addresses
[snip]

> spudicus wrote:
>> cold_flame wrote: the man pages for iptables say that i can, but only with a 6 part MAC address, whereas this one has 14 fields (although the first 6 correspond to my internet device (tap0))

[snip]

> spudicus wrote:
> Code:
> mac
> --mac-source [!] address
>     Match source MAC address. It **must be of the form XX:XX:XX:XX:XX:XX.** Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
>
> Therefore, doing something like this:
> Code: iptables -A INPUT -i tap0 -m mac --mac-source "00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00" -j DROP
> should block input on one interface from him.

ummm.. this is a 14 part mac address.

> spudicus wrote: On the other hand, if all your inputs are blocked anyway, the loser can scan all he wants to no avail.

thanx for the info spudicus, but it sort of doesn't help me, because that command contains a 14 part mac address, not the 6 part one that iptables wants. iptables returns

Code:
```
mathmos root > iptables -A INPUT -i tap0 -m mac --mac-source "00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00" -j DROP
iptables v1.2.11: Bad mac address `00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00'
Try `iptables -h' or 'iptables --help' for more information.
```

thx in advance
affinity (n00b)
Joined: 01 Jul 2004 Posts: 66
Posted: Sat Jul 10, 2004 9:58 pm Post subject:
00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00 = <dst mac>:<src mac>:<ethertype>
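The 14-octet string in the thread is the `MAC=` field that the iptables LOG target writes: the raw Ethernet header, which is destination MAC (fields 1-6, here the poster's own tap0), source MAC (fields 7-12) and EtherType (fields 13-14; 08:00 is IPv4). The `-m mac --mac-source` match wants only the 6-octet source part, which is why iptables rejected the full string. The shell functions below are an added example and not code from the thread: they pull the `MAC=` field out of a LOG line, split it the way affinity describes, validate the 6-octet form, and print (without executing) the rule iptables would accept. The log line, IP addresses and the `mathmos` hostname in the sample are constructed for illustration; the MAC string is the one from the thread. One caveat that follows from how the header is formed: the source MAC is the last layer-2 hop that handed the frame to the interface (on a tap tunnel, the tunnel peer), not necessarily the host that originated the IP packet, so a rule on it drops everything arriving via that hop, and, as spudicus notes, a MAC can be spoofed as easily as an IP address.

```shell
#!/bin/sh
# Added example, not code from the thread. Splits the 14-octet MAC= field that
# the iptables LOG target writes (dst MAC : src MAC : EtherType) and builds the
# 6-octet --mac-source rule that iptables accepts. Sample data is constructed.

# Extract the MAC= field from a kernel/iptables LOG line (empty if absent).
mac_field_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*MAC=\([0-9A-Fa-f:]*\).*/\1/p'
}

# Fields 1-6: destination MAC, i.e. the receiving interface (tap0 in the thread).
log_mac_dst() { printf '%s\n' "$1" | cut -d: -f1-6; }

# Fields 7-12: source MAC of the frame. This is the last layer-2 hop that
# delivered the frame, not necessarily the host that originated the packet.
log_mac_src() { printf '%s\n' "$1" | cut -d: -f7-12; }

# Fields 13-14: EtherType as one 16-bit hex value (0800 = IPv4, 86dd = IPv6).
log_mac_type() { printf '%s\n' "$1" | cut -d: -f13-14 | tr -d ':'; }

# True only for the XX:XX:XX:XX:XX:XX form that -m mac --mac-source accepts.
is_mac6() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print (do not run) a DROP rule on interface $1 for the source MAC carried in
# the 14-octet string $2. Fails if the extracted source MAC is not 6 octets.
block_rule_for() {
    iface="$1"
    src=$(log_mac_src "$2")
    is_mac6 "$src" || return 1
    printf 'iptables -A INPUT -i %s -m mac --mac-source %s -j DROP\n' "$iface" "$src"
}

# Constructed LOG line (hostname, addresses and ports are made up; the MAC
# string is the one posted in the thread).
SAMPLE_LOG='Jul 10 17:47:01 mathmos kernel: IN=tap0 OUT= MAC=00:ff:d1:fe:aa:eb:00:90:1a:40:38:73:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=44 PROTO=TCP SPT=54321 DPT=22 SYN'

# Usage: decode the sample line and show the rule that would be generated.
mac=$(mac_field_from_log "$SAMPLE_LOG")
echo "dst=$(log_mac_dst "$mac") src=$(log_mac_src "$mac") ethertype=$(log_mac_type "$mac")"
block_rule_for tap0 "$mac"
```

Run on the sample line this prints `src=00:90:1a:40:38:73` and the rule `iptables -A INPUT -i tap0 -m mac --mac-source 00:90:1a:40:38:73 -j DROP`; the functions only print, so the rule can be reviewed before anything is loaded into a chain. Where every port is already closed by a default-DROP INPUT policy, as spudicus suggests, the extra MAC rule adds nothing the policy does not already provide.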