Gentoo Forums
[SOLVED] iptables: block long spoofed MAC
Gentoo Forums Forum Index :: Networking & Security
huuan
Apprentice

Joined: 19 Feb 2007
Posts: 265
Location: California

PostPosted: Tue Feb 19, 2008 11:23 am    Post subject: [SOLVED] iptables: block long spoofed MAC

I'm trying to drop the scans from our local net ops security so they don't fill up the server log.

I enabled MAC address filtering but net ops seems to use a fake MAC which is longer than normal and as a result iptables doesn't match it.
The only thing common with the net ops scans is the MAC as they use a variety of random source IP addresses and ports.

Here's a typical firewall log entry when they scan:

Code:
Feb 19 03:06:15 MyHost Dropped by default (INPUT):IN=eth0 OUT= MAC=00:15:c5:f6:f9:f0:00:90:92:ab:ec:00:08:00 SRC=x.x.x.x DST=y.y.y.y LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=20876 DF PROTO=TCP SPT=60206 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0


I tried this but it doesn't match:

Code:
$IPTABLES -A INPUT -m mac --mac-source 00:15:c5:f6:f9:f0 -j DROP

and this produces an error 'bad mac address':

Code:
$IPTABLES -A INPUT -m mac --mac-source 00:15:c5:f6:f9:f0:00:90:92:ab:ec:00:08:00 -j DROP

So how to filter based on that MAC, anyone? Or some other way?


Last edited by huuan on Fri Jul 31, 2009 12:38 am; edited 1 time in total
Hu
Administrator

Joined: 06 Mar 2007
Posts: 23093

PostPosted: Wed Feb 20, 2008 12:25 am

After a bit of analysis, it appears that the kernel prints the entire Ethernet header and calls it MAC. Therefore, you get the MAC address of the recipient, the MAC address of the sender, and the 16 bit protocol (08:00 = IPv4) in the field labeled MAC. Try writing your rule to match 00:90:92:ab:ec:00, since that is the sending MAC address according to the sample you posted.
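The split Hu describes, worked through in Python as an added example (this is not code from the thread): it pulls the MAC= field out of a LOG line of the form huuan posted, separates it into destination MAC, source MAC and EtherType, and emits the -m mac rule that matches the sender. The first rule huuan tried used the first six octets, which are the destination address (the host's own NIC), so it could never match incoming traffic. The sample log line is the one quoted above with the addresses as posted. Assumptions: the 14-octet Ethernet II layout (other link types such as PPP or tunnels log a header of a different length, and the code rejects those rather than guessing), and that the host is on the same segment as the scanner, since -m mac only ever sees the address of the last hop.

```python
import re

# Constructed sample: the log line quoted in the thread, with the IP
# addresses masked as x.x.x.x / y.y.y.y exactly as in the post.
SAMPLE_LOG = (
    "Feb 19 03:06:15 MyHost Dropped by default (INPUT):IN=eth0 OUT= "
    "MAC=00:15:c5:f6:f9:f0:00:90:92:ab:ec:00:08:00 SRC=x.x.x.x DST=y.y.y.y "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=20876 DF PROTO=TCP SPT=60206 DPT=25 "
    "WINDOW=65535 RES=0x00 SYN URGP=0"
)

# The LOG target prints the whole link-layer header as colon-separated octets
# under the label MAC=. Capture every colon-separated pair after "MAC=".
MAC_FIELD_RE = re.compile(r"\bMAC=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)")

# EtherType values we care about; anything else is reported as "unknown".
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def split_ethernet_header(mac_field):
    """Split a 14-octet MAC= value into (dst_mac, src_mac, ethertype).

    Assumption: plain Ethernet II, i.e. 6 destination octets, 6 source
    octets, 2 EtherType octets. Any other length is refused so that a PPP,
    tunnel or otherwise framed header is not silently mis-split.
    """
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets, got {len(octets)}: {mac_field}")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = int(octets[12] + octets[13], 16)
    return dst, src, ethertype


def parse_log_line(line):
    """Return the link-layer fields of one iptables LOG line, or None if the
    line carries no MAC header (e.g. locally generated packets in OUTPUT)."""
    m = MAC_FIELD_RE.search(line)
    if m is None:
        return None
    dst, src, ethertype = split_ethernet_header(m.group(1))
    return {
        "dst_mac": dst,
        "src_mac": src,
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def mac_drop_rule(src_mac, chain="INPUT"):
    """Build the rule that drops frames from the *sending* MAC.

    The mac match is only valid in PREROUTING, INPUT and FORWARD; it has no
    meaning for locally generated packets.
    """
    if chain not in ("PREROUTING", "INPUT", "FORWARD"):
        raise ValueError("-m mac only works in PREROUTING, INPUT and FORWARD")
    return f"iptables -A {chain} -m mac --mac-source {src_mac} -j DROP"


if __name__ == "__main__":
    fields = parse_log_line(SAMPLE_LOG)
    print(fields)
    print(mac_drop_rule(fields["src_mac"]))
```

Feeding the sample line through parse_log_line gives dst 00:15:c5:f6:f9:f0 (the receiving NIC), src 00:90:92:ab:ec:00 (the scanner's last hop) and EtherType 0x0800, and mac_drop_rule turns the source into the rule Hu suggested. If the scans traverse a router, the source MAC in the log will be the router's, and dropping on it would silence every host behind it, so check that the address is actually the scanner's before adding the rule.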
huuan
Apprentice

Joined: 19 Feb 2007
Posts: 265
Location: California

PostPosted: Wed Feb 20, 2008 3:00 am

A message like yours is why I love Gentoo. The support here is awesome!

Thanks for the insight. I've updated my iptables script and restarted the firewall, it should be really obvious by tomorrow if it worked (which I expect it will). I'll report the success here tomorrow. You rule.

Thanks

[edit] Feb 20, 2008: Works a treat, thanks!
All times are GMT