James wrote:
> Hello,
>
> Continuing my quest for iptables enlightenment.... I have a question
> about 'mac address' syntax. All options for mac and arp have been compiled
> into a gentoo-hardened kernel.
>
> I'm using variations of this syntax in my script.
>
> # Rule to only allow ssh by MAC address
> iptables -A INPUT -i eth0 -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx \
>   --source-port 1024:65535 -d <ip.address> --dport 22 -j ACCEPT
>
> Where the mac address xx...xx is the system allowed in, via ssh,
> and the ip.address is that of the destination (/24 based) host.
> The rule works well when packets have to traverse
> a firewall/router as mac addresses do not get propagated (I think).
>
> However, when I use similar syntax to prevent a system on the same
> local (ethernet) segment from being able to ssh into a local system,
> it does prevent ssh access, as expected. Granted MAC addresses
> can be foiled, especially on the same segment, but how do I make this
> rule work? On a local segment how would I modify the syntax so
> that only a select machine (maybe IP + MAC) could access a host,
> running iptables, via ssh?
>
> Thoughts and ideas are most welcome.
>
> James
The rule you give in the example seems correct to me. I can imagine 2 reasons because of which it's not working for you. First, this rule ends with "ACCEPT" - it allows, does not forbid access. The second reason is that there could be some other rules which take precedence before a packet meets the rule in question and it obeys those preceding rules.

--
Best regards,
Daniel

--
[email protected] mailing list
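The two points in the reply, as an added example that is not part of the thread: an ACCEPT rule admits one host but forbids nobody, so a DROP for the rest of port 22 has to follow it, and because -A appends, both rules must sit after any earlier rule that would already ACCEPT port 22. The addresses, MAC and interface are constructed placeholders; the script only echoes the commands unless IPT is set to the real iptables binary. Note that a MAC match sees only the last hop's address, so for hosts behind a router it would match the router's MAC, not the client's.

```shell
#!/bin/sh
# Restrict ssh on eth0 to one workstation identified by BOTH its IP and MAC,
# then drop every other ssh attempt. All values below are constructed examples.
ALLOWED_IP="192.0.2.10"          # placeholder: the admin workstation
ALLOWED_MAC="00:11:22:33:44:55"  # placeholder: its MAC (same Ethernet segment)
HOST_IP="192.0.2.1"              # placeholder: the iptables host itself
IFACE="eth0"
# Dry run by default: prints the commands. Run as  IPT=iptables ./script  to apply.
IPT="${IPT:-echo iptables}"

ssh_rules() {
  # 1. Permit the single allowed host: MAC and source IP must both match.
  #    (Combining them raises the bar over MAC alone, which can be spoofed.)
  $IPT -A INPUT -i "$IFACE" -p tcp -m mac --mac-source "$ALLOWED_MAC" \
       -s "$ALLOWED_IP" --sport 1024:65535 -d "$HOST_IP" --dport 22 -j ACCEPT
  # 2. Everyone else's ssh is dropped. Without this rule the ACCEPT above
  #    changes nothing for other hosts if the INPUT policy is ACCEPT.
  $IPT -A INPUT -i "$IFACE" -p tcp -d "$HOST_IP" --dport 22 -j DROP
}

ssh_rules

# To confirm nothing earlier in the chain already accepts port 22, inspect the
# order with:  iptables -L INPUT -n -v --line-numbers
```

If an earlier rule (for example a blanket "-p tcp --dport 22 -j ACCEPT") appears above these two in the listing, it wins, and the MAC rule is never reached.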

