Is it not because of the NEW state in the second and third rule?
Once the first rule matches then the conntrack entry gets created
for that connection which makes it an ESTABLISHED for the second
and third rule. Try this:

--1-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
      --syn -j LOG --log-prefix "WithoutMAC"

--2-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
      --syn -m mac --mac-source CL:IE:NT:00:00:00 -j LOG --log-prefix  \
      "WithMAC"

--3-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
      --syn -m mac --mac-source CL:IE:NT:00:00:00 -j ACCEPT

and see what happens. And of course, let us know.

Ramin


On Fri, Apr 19, 2002 at 03:18:35PM +0200, Lepage Sylvain wrote:

> Hi,
> 
> I try to use the mac match to filter packets but there must be something I
> am misunderstanding. I just want to make a LAN telnet connection to my
> firewall box and I have the following setup:
> 
> telnet client :       IP      10.0.0.12
>               MAC     CL:IE:NT:00:00:00
> 
> telnet server:        IP      10.0.0.14
>               MAC     SE:RV:ER:00:00:00
> 
> iptables 1.2.5 running on the telnet server, kernel 2.4.8
> with a service-request user chain defined as follows
> 
> --1-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       -m state --state NEW -j LOG --log-prefix "WithoutMAC"
> 
> --2-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 -j LOG \
>       --log-prefix "WithMAC"
> 
> --3-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 -j ACCEPT
> 
> 
> When I try to telnet I obtain only the log below:
> 
> "WithoutMAC" IN=eth2 OUT= MAC=SE:RV:ER:00:00:00:CL:IE:NT:00:00:00:08:00
> SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF
> PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
> 
> The LOG WithMAC doesn't appear and the telnet connection fails.
> 
> Does someone know why my rules with the mac address are not matched by the
> incoming telnet packet?
> 
> Thanks in advance
> 
>     ___________________________________
> 
>       Sylvain LEPAGE
>       LEA
>       52 / 54 rue du capitaine Guynemer
>       92415 - Courbevoie, FRANCE
>       T: +33 1 49 97 05 38
>       F: +33 1 49 97 05 31
>       e-mail : [EMAIL PROTECTED]
>     ___________________________________
> 
> 
> 
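The MAC= field in the log line quoted above is the raw Ethernet header: destination MAC, then source MAC, then EtherType, all joined with colons. The script below (an added example, not code from either poster) decodes that field from the quoted line so the logged source MAC can be compared with the address given to `-m mac --mac-source`; the function names and the comparison logic are assumptions of this example.

```shell
#!/bin/sh
# Decode the MAC= field of an iptables LOG line. The kernel prints the
# link-layer header as one colon-joined string:
#   destination MAC (6 octets) : source MAC (6 octets) : EtherType (2 octets)

# Constructed sample: the "WithoutMAC" line quoted in the thread.
SAMPLE_LOG='"WithoutMAC" IN=eth2 OUT= MAC=SE:RV:ER:00:00:00:CL:IE:NT:00:00:00:08:00 SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0'

# Print the raw MAC= value of a LOG line; prints nothing when the field is
# absent (packets logged in OUTPUT have no link-layer header yet).
log_mac_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]MAC=\([^[:space:]]*\).*/\1/p'
}

# Destination MAC: octets 1 to 6 (the firewall's own interface here).
log_dst_mac() {
    log_mac_field "$1" | cut -d: -f1-6
}

# Source MAC: octets 7 to 12. This is the value '-m mac --mac-source'
# compares against, so it is the one to check when a MAC rule never fires.
log_src_mac() {
    log_mac_field "$1" | cut -d: -f7-12
}

# EtherType: octets 13 and 14 (08:00 is IPv4).
log_ethertype() {
    log_mac_field "$1" | cut -d: -f13-14
}

# Return 0 when the logged source MAC equals the expected one. The comparison
# is case-insensitive, since MAC addresses may be written in either case.
src_mac_is() {
    logged=$(log_src_mac "$1" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$logged" ] && [ "$logged" = "$expected" ]
}

if src_mac_is "$SAMPLE_LOG" "CL:IE:NT:00:00:00"; then
    echo "logged source MAC matches the expected client"
else
    echo "logged source MAC differs from the expected client"
fi
```

Running it against the quoted line reports a match, which shows the SYN that hit rule 1 did carry the client's source MAC; any further MAC-rule debugging therefore has to look at the rules rather than at the frame.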