Hi,

First, thank you for your response. I tried without the NEW state match in the LOG rules, but the only log message I get is still the "WithoutMAC" one.

Sylvain

> -----Original Message-----
> From: Ramin Alidousti [mailto:[EMAIL PROTECTED]]
> Sent: Friday 19 April 2002 15:39
> To: Lepage Sylvain
> Cc: [EMAIL PROTECTED]
> Subject: Re: mac match question
>
>
> Is it not because of the NEW state in the second and third rule?
> Once the first rule matches then the conntrack entry gets created
> for that connection which makes it an ESTABLISHED for the second
> and third rule. Try this:
>
> --1-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       --syn -j LOG --log-prefix "WithoutMAC"
>
> --2-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       --syn -m mac --mac-source CL:IE:NT:00:00:00 -j LOG --log-prefix \
>       "WithMAC"
>
> --3-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
>       --syn -m mac --mac-source CL:IE:NT:00:00:00 -j ACCEPT
>
> and see what happens. And of course, let us know.
>
> Ramin
>
>
> On Fri, Apr 19, 2002 at 03:18:35PM +0200, Lepage Sylvain wrote:
>
> > Hi,
> >
> > I am trying to use the mac match to filter packets but there must be
> > something I am misunderstanding. I just want to make a LAN telnet
> > connection to my firewall box and I have the following setup:
> >
> > telnet client : IP  10.0.0.12
> >                 MAC CL:IE:NT:00:00:00
> >
> > telnet server : IP  10.0.0.14
> >                 MAC SE:RV:ER:00:00:00
> >
> > iptables 1.2.5 running on the telnet server, kernel 2.4.8,
> > with a service-request user chain defined as follows:
> >
> > --1-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
> >       -m state --state NEW -j LOG --log-prefix "WithoutMAC"
> >
> > --2-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
> >       -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 \
> >       -j LOG --log-prefix "WithMAC"
> >
> > --3-- iptables -A service-request -p tcp --sport 1024:65535 --dport 23 \
> >       -m state --state NEW -m mac --mac-source CL:IE:NT:00:00:00 -j ACCEPT
> >
> >
> > When I try to telnet I obtain only the log below:
> >
> > "WithoutMAC" IN=eth2 OUT= MAC=SE:RV:ER:00:00:00:CL:IE:NT:00:00:00:08:00
> > SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF
> > PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
> >
> > The LOG WithMAC doesn't appear and the telnet connection fails.
> >
> > Does someone know why my rules with the mac address are not matched by
> > the telnet incoming packet?
> >
> > Thanks in advance
> >
> > ___________________________________
> >
> > Sylvain LEPAGE
> > LEA
> > 52 / 54 rue du capitaine Guynemer
> > 92415 - Courbevoie, FRANCE
> > T: +33 1 49 97 05 38
> > F: +33 1 49 97 05 31
> > e-mail : [EMAIL PROTECTED]
> > ___________________________________
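One check worth making when reading a LOG line like the one quoted in the thread is to take the MAC= field apart: the LOG target prints the 14-byte Ethernet header as destination MAC, then source MAC, then EtherType, and only the middle six octets are what `-m mac --mac-source` is compared against. The shell script below is an added example, not code from either poster; the function names and the `SAMPLE_LOG` string (a constructed copy of the log line quoted above) are my own.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): split the
# MAC= field of an iptables LOG line so the source MAC that
# "-m mac --mac-source" inspects can be checked against the rule.
# The LOG target prints the Ethernet header as
#   MAC=<dst, 6 octets>:<src, 6 octets>:<EtherType, 2 octets>
# so octets 7..12 are the source MAC.

# Constructed sample, copied from the log line quoted in the thread.
SAMPLE_LOG='"WithoutMAC" IN=eth2 OUT= MAC=SE:RV:ER:00:00:00:CL:IE:NT:00:00:00:08:00 SRC=10.0.0.12 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=27649 DF PROTO=TCP SPT=3224 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0'

# mac_field LOGLINE: print the raw value after MAC= (empty if absent).
mac_field() {
    printf '%s\n' "$1" | sed -n 's/.*MAC=\([^ ]*\).*/\1/p'
}

# log_dst_mac LOGLINE: destination MAC, octets 1..6 of the MAC= field.
log_dst_mac() {
    mac_field "$1" | cut -d: -f1-6
}

# log_src_mac LOGLINE: source MAC, octets 7..12 of the MAC= field. This is
# the value "-m mac --mac-source" is compared with.
log_src_mac() {
    mac_field "$1" | cut -d: -f7-12
}

# log_ethertype LOGLINE: EtherType, octets 13..14, printed as 4 hex digits
# (0800 is IPv4).
log_ethertype() {
    mac_field "$1" | cut -d: -f13-14 | tr -d :
}

# mac_matches LOGLINE EXPECTED_MAC: succeed (exit 0) when the source MAC in
# the log equals EXPECTED_MAC. The comparison ignores case, since iptables
# parses the address into bytes and letter case carries no meaning.
mac_matches() {
    got=$(log_src_mac "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage: compare the quoted log line against the MAC used in rules 2 and 3.
if mac_matches "$SAMPLE_LOG" "CL:IE:NT:00:00:00"; then
    echo "source MAC $(log_src_mac "$SAMPLE_LOG") matches the rule"
else
    echo "source MAC $(log_src_mac "$SAMPLE_LOG") does NOT match the rule"
fi
```

Run it with `sh`; it works from the log text alone, so it can be pointed at saved kernel log lines without access to the firewall. On the quoted line it reports the source MAC as `CL:IE:NT:00:00:00`, the destination as `SE:RV:ER:00:00:00` and the EtherType as `0800`; it only shows what the kernel logged, not why a later rule did or did not match.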
