JujuBickoille n00b
Joined: 20 Apr 2010 Posts: 15
Posted: Sat Jun 22, 2013 2:34 am Post subject: IPSet + IPtables MAC Address filter
Hello everybody,
I wish to make a filter on my network by MAC address.
I have 2 ways:
iptables -t filter -A INPUT -i ${WIFI_IFACE} -m mac ! --mac 00:17:00:AA:00:AA -j DROP
It's nice and it works, but I wish to use ipset with macipmap, because I think it's better when you have multiple MACs to filter, so I've made this:
# Flush time
iptables -t filter -F
ipset -X grantedmac
# Add my allowed mac
ipset -N grantedmac bitmap:ip,mac --network 192.168.1.0/24
ipset add lan_clients 192.168.1.12,00:17:00:AA:00:AA
# Filter other
iptables -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src -j LOG --log-prefix "Not Granted MAC "
It seems to be easy, but it doesn't work:
When I try to connect with my granted computer, I get the message. If I connect ungranted, I get the same message:
[ 997.157185] Not Granted MAC IN=wlan0 OUT= MAC=00:17:00:aa:00:aa:00:41:f4:8b:0e:53:08:00 SRC=192.168.1.12 DST=192.168.1.4 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=65149 DF PROTO=TCP SPT=22 DPT=36719 WINDOW=384 RES=0x00 ACK PSH URGP=0
I don't know where I'm wrong, maybe someone has ideas.
Thank you so much in advance
Best regards
JujuBickoille
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Sun Jun 23, 2013 3:27 am Post subject:
You are adding your data to some ipset named "lan_clients", but the ipset you are matching against is named "grantedmac".
JujuBickoille n00b
Joined: 20 Apr 2010 Posts: 15
Posted: Sat Aug 31, 2013 3:40 pm Post subject:
Okay, I've found why it doesn't work:
${IPTABLES} -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src,src -j LOG --log-prefix "FORBIDDEN MAC "
You need to set "src,src" in place of "src" only.
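The thread ends up with two separate mistakes: the set was populated under one name ("lan_clients") and matched under another ("grantedmac"), and a two-dimensional set (bitmap:ip,mac) was matched with a single "src" flag instead of one flag per dimension ("src,src"). The script below is an added example, not code from the thread or from the ipset/iptables projects; it keeps the set name in one variable and derives the --match-set flags from the set type so the two cannot drift apart. It assumes ipset 6 syntax (ipset create ... range ..., rather than the older -N ... --network form used in the first post), a constructed allowlist of two ip,mac pairs, and IPSET/IPTABLES variables that default to "echo" so the commands are printed rather than applied; point them at the real binaries and run as root to apply them. Two caveats for anyone using this: a bitmap:ip,mac set matches the ip+mac pair, so an allowed MAC that shows up with a different IP is treated as not granted, and a LOG rule on its own only logs, so a DROP rule with the same match follows it.

```shell
#!/bin/sh
# Added example (not from the thread): MAC allowlist with ipset + iptables.
# IPSET/IPTABLES default to "echo" so the script prints what it would run.
IPSET="${IPSET:-echo ipset}"
IPTABLES="${IPTABLES:-echo iptables}"
WIFI_IFACE="${WIFI_IFACE:-wlan0}"
SET_NAME="grantedmac"          # the single source of truth for the set name
SET_TYPE="bitmap:ip,mac"       # two dimensions: ip and mac
LAN_NET="192.168.1.0/24"

# Constructed sample allowlist: one "ip,mac" pair per line.
ALLOWED="192.168.1.12,00:17:00:AA:00:AA
192.168.1.13,00:17:00:BB:00:BB"

# Number of dimensions in an ipset type, e.g. bitmap:ip,mac -> 2, hash:ip -> 1.
set_dims() {
    printf '%s\n' "${1#*:}" | awk -F, '{ print NF }'
}

# --match-set needs exactly one src/dst flag per dimension; for a source
# match on bitmap:ip,mac that is "src,src", the fix found in the last post.
match_flags() {
    n=$(set_dims "$1")
    flags=""
    i=0
    while [ "$i" -lt "$n" ]; do
        flags="${flags:+$flags,}src"
        i=$((i + 1))
    done
    printf '%s\n' "$flags"
}

apply_rules() {
    flags=$(match_flags "$SET_TYPE")
    $IPTABLES -t filter -F INPUT
    $IPSET destroy "$SET_NAME" 2>/dev/null
    $IPSET create "$SET_NAME" "$SET_TYPE" range "$LAN_NET"
    # Every add uses $SET_NAME, so the first post's lan_clients/grantedmac
    # mismatch cannot recur.
    printf '%s\n' "$ALLOWED" | while IFS= read -r entry; do
        if [ -n "$entry" ]; then
            $IPSET add "$SET_NAME" "$entry"
        fi
    done
    # Log, then actually drop, anything on the WiFi interface that is not
    # an allowed ip,mac pair.
    $IPTABLES -t filter -A INPUT -i "$WIFI_IFACE" -m set ! --match-set "$SET_NAME" "$flags" \
        -j LOG --log-prefix "FORBIDDEN MAC "
    $IPTABLES -t filter -A INPUT -i "$WIFI_IFACE" -m set ! --match-set "$SET_NAME" "$flags" -j DROP
}

apply_rules
```

Run it once with the defaults to review the generated commands, then with IPSET=ipset IPTABLES=iptables to apply them. Deriving the flag count from the set type is what catches the "src" versus "src,src" problem: had the first post's rule been generated this way, match_flags would have produced "src,src" for bitmap:ip,mac automatically.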