On Friday 19 April 2002 2:18 pm, Lepage Sylvain wrote:

> --1-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 -m state --state NEW -j LOG --log-prefix "WithoutMAC"
>
> --2-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 -j LOG --log-prefix "WithMAC"
>
> --3-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 -j ACCEPT
>
> "WithoutMAC" IN=eth2 OUT= MAC=SE:RV:ER:00:00:00:CL:IE:NT:00:00:00:08:00 SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The LOG WithMAC doesn't appear and the telnet connection fails.
>
> Does someone know why my rules with the mac address are not matched by the telnet incoming packet?
Is it because you can only have one "-m xxxxx" in a rule, and you have both "-m state" and "-m mac" in the second and third rules? I don't *know* that this is not allowed, but I just wonder...

Try taking the "-m state --state NEW" out of the second & third rules and see what happens?

Antony.
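When debugging a `--mac-source` rule like the ones above, the first thing to check is what the kernel actually saw in the Ethernet header. The `MAC=` field of a netfilter LOG line is the raw header: destination MAC, then source MAC, then EtherType. The script below is an added example, not code from the thread, that splits a LOG line into its fields, decodes `MAC=` and checks whether the *source* address is the one the rule expects; the log line and MAC addresses are constructed for the example, since the thread's `CL:IE:NT:00:00:00` style placeholders are not valid hex.

```python
import re

# Constructed sample kernel LOG line, in the same shape as the one quoted in the
# thread. The MAC addresses are made up for this example.
SAMPLE_LOG = (
    '"WithoutMAC" IN=eth2 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 '
    "SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF "
    "PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT="). Flag tokens such as
# "DF" and "SYN" carry no "=" and are simply not captured.
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """Split a netfilter LOG line into its KEY=VALUE fields.

    MAC= is the raw Ethernet header: destination MAC (6 octets), source MAC
    (6 octets) and EtherType (2 octets), colon separated. It is split into
    dst_mac, src_mac and ethertype so the caller can compare the *source*
    address, which is what --mac-source tests.
    """
    fields = dict(_KV_RE.findall(line))
    raw = fields.get("MAC", "")
    octets = raw.split(":") if raw else []
    if len(octets) == 14:
        fields["dst_mac"] = ":".join(octets[0:6]).lower()
        fields["src_mac"] = ":".join(octets[6:12]).lower()
        fields["ethertype"] = "0x" + "".join(octets[12:14])
    return fields


def mac_source_matches(line: str, expected_src: str) -> bool:
    """True if the logged frame's source MAC equals expected_src.

    iptables parses the rule's address into bytes, so hex case is irrelevant;
    the comparison here is therefore case-insensitive as well.
    """
    fields = parse_log_line(line)
    return fields.get("src_mac") == expected_src.lower()


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LOG)
    print("src", parsed["src_mac"], "dst", parsed["dst_mac"], parsed["ethertype"])
    print(mac_source_matches(SAMPLE_LOG, "AA:BB:CC:DD:EE:FF"))
```

Feeding the real "WithoutMAC" lines from the server's log through `mac_source_matches` shows immediately whether the source MAC the kernel saw is the one written in rules 2 and 3, or whether a router or bridge in between has rewritten the frame.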
