Hi Graham, I gave the AIF mac-address-filter plugin a go, and it works perfectly for me.
First, use:

MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"

as I suggested in the plugin. (Just good advice, not your problem.)

Also, with the default:

MAC_ADDRESS_LOG=1

any packets blocked will be logged to syslog, so this will greatly help your debugging.

All I can imagine is you don't have the correct MAC addresses defined in the file.

Lonnie

PS: Another diagnostic: after you try to make connections, post (or send me privately) the output of the following...

$ iptables -nvL MAC_FILTER

(Obscure the lower half of the MAC addresses when posting for your privacy, i.e. 00:11:22:xx:xx:xx.)

On Nov 25, 2010, at 5:07 AM, Graham S. Jarvis wrote:

> Thanks Lonnie,
>
> The conf file is the same as the GUI loads and points to a file that exists and is readable.
>
> As an "aside", it looks like the allowed MAC address file can have comments, i.e.
>
> 00:11:22:33:44:55 #PC 1
> 00:11:22:33:44:56 #PC 2
> 00:11:22:33:44:57 #PC 3
>
> which is very useful.
>
> I still get
> . . . .
> Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
> MAC Address Filter plugin v1.0c
> Loaded kernel module ipt_mac.
> Using interface(s): eth2
> (Re)loading allowed internal MAC addresses from /mnt/kd/arno-iptables-firewall/plugins/mac-address-allow: 5 loaded
> Adaptive Ban plugin v1.00 BETA (EXPERIMENTAL!)
> Adaptive Ban - Whitelisting INTERNAL net(s): 192.168.7.0/24 192.168.207.0/24
> File=/var/log/messages Time=120 Count=6 Types=sshd asterisk
> Loaded 2 plugin(s)...
> . . .
> in the '/etc/init.d/iptables restart' output, with or without the comments at the end of the line after the MAC.
> (I moved the mac-address-allow file.)
> And the result is the same - no access to the web i/f on 192.168.7.0 from a PC on 192.168.207.0.
>
> Thanks,
>
> -Graham-
>
>
> Lonnie Abelbeck wrote on 23/11/2010 22:05:
>> Graham,
>>
>> I never use the mac-address-filter plugin, so I will have to play with it myself... I'll have to get back to you later.
>>
>> Double check your "/mnt/kd/arno-iptables-firewall/plugins/mac-address-filter.conf" file to make sure it is correct, particularly the variable:
>> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
>>
>> Lonnie
>>
>>
>> On Nov 23, 2010, at 1:16 PM, Graham S. Jarvis wrote:
>>
>>> Hello Lonnie,
>>>
>>> Can you explain this:
>>>
>>> When the mac-address-filter plugin is disabled I can connect from a PC on lan2 (eth2) to the web interface of snom phones on lan1 (eth1).
>>> When the plugin is enabled I can't any more, even though I put the MAC addr of the PC, eth2 and eth1 (both - just to be sure) into the allow-mac-addresses file.
>>> Also SSH access from eth2 to eth1 is blocked. Luckily I can still get http and SSH access to the eth2 address to turn the plugin off again.
>>>
>>> It's as if running the plugin negates the switch to allow traffic between the two interfaces (where is that switch - I forgot).
>>> Could there be a rule order "issue" or am I missing something more obvious?
>>>
>>> Thanks,
>>>
>>> -Graham-
>>>
>>>
>>> Lonnie Abelbeck wrote on 11/11/2010 16:45:
>>>
>>>> Graham,
>>>>
>>>> There has been a long-standing typo in Arno's Firewall comment for the mac-address-filter plugin. The next AIF version fixes it, and it now reads:
>>>> --
>>>> # Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
>>>> #
>>>> ------------------------------------------------------------------------------
>>>> MAC_ADDRESS_IF="$INT_IF"
>>>> --
>>>> i.e. it applies to ALL traffic, so if you defined...
>>>>
>>>> MAC_ADDRESS_IF="eth2"
>>>>
>>>> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
>>>>
>>>> and created "/mnt/kd/allow-mac-addresses" as a list of allowed MAC addresses for eth2, i.e.:
>>>> --
>>>> 00:11:22:33:44:55
>>>> 00:11:22:33:44:56
>>>> 00:11:22:33:44:57
>>>> --
>>>>
>>>> Give it a try (I have not played with that plugin). Keep in mind that there will be periodic maintenance to such a filter.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>>
>>>> On Nov 11, 2010, at 3:03 AM, Graham S. Jarvis wrote:
>>>>
>>>>> Hello All,
>>>>>
>>>>> As if you haven't been hearing enough from me recently - here is another "nearly newbie" question:
>>>>>
>>>>> I want to stop people on one of my interfaces (you guessed it - eth2/lan2) from connecting to the Ethernet outside of office hours.
>>>>> I don't know if it would be better to block by IP or MAC. Most users are using DHCP, so I could block the whole DHCP range. But at least one user knows what they are doing and could reset their PC with a fixed IP. I would notice if this happens, but in order to block them again I would be chasing them through the network, and at some point they are going to pick an IP that conflicts with something important. With the MAC I know which PC/user it is and "basta", they are blocked.
>>>>>
>>>>> I thought one way to do this is to set up the mac-address-filter firewall plugin and then have a cron job to switch the mac-address file and restart the firewall.
>>>>>
>>>>> So my questions are:
>>>>>
>>>>> 1. What does this mean:
>>>>> # Specify here the port(s) you want to SSH checks to apply to
>>>>> #
>>>>> ------------------------------------------------------------------------------
>>>>> MAC_ADDRESS_IF="$INT_IF"
>>>>>
>>>>> "... you want to SSH checks to apply to" ???
>>>>> Why SSH?
>>>>> Does this plugin _only_ stop SSH?
>>>>>
>>>>> If so, why should anyone only want to stop SSH by MAC address?
>>>>> And, if it is only dropping port 22 traffic, it should be possible to "hack" the script so that this plugin checks/blocks all ports.
>>>>> Could someone [Lonnie again? :-)] tell me where this plugin script file is located please.
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> -Graham-

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
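An added example to go with the thread above (my own script, not code from Arno's Iptables Firewall, its mac-address-filter plugin, or AstLinux): it reads an allow-list in the format Graham shows (one MAC per line, optional trailing "# comment", blank lines allowed), rejects malformed entries, which is the cause Lonnie suspects, and prints the iptables commands that would build an allow-list chain for one interface, hooked into both INPUT and FORWARD so that traffic forwarded from eth2 to eth1 passes the filter as well. The chain name MAC_FILTER and the ipt_mac match are taken from the thread; the exact rule layout, the log prefix and the script name mac-filter-check.sh are assumptions, not the plugin's.

```shell
#!/bin/sh
# mac-filter-check.sh (hypothetical name): added example, not part of AIF or AstLinux.
# Parses a MAC allow-list and prints the iptables commands for a whitelist chain.
# Rule layout and log prefix are assumptions; only the MAC_FILTER chain name and
# the "-m mac" (ipt_mac) match come from the thread.

# parse_mac_file FILE
# Prints each valid address, lower-cased, one per line. Malformed entries are
# reported on stderr and make the function return 1; the whole file is still
# read so every bad line is reported at once.
parse_mac_file() {
    file=$1
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}                   # drop a trailing "# comment"
        # strip all whitespace (also a CR from a file edited on Windows) and
        # normalize hex case so "AA:BB:..." and "aa:bb:..." compare equal
        entry=$(printf '%s' "$entry" | tr -d '[:space:]' | tr 'A-F' 'a-f')
        if [ -z "$entry" ]; then
            continue                        # blank or comment-only line
        fi
        if printf '%s\n' "$entry" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            printf '%s\n' "$entry"
        else
            printf '%s:%d: malformed MAC address: %s\n' "$file" "$lineno" "$line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# mac_filter_rules IFACE FILE
# Prints (does not run) the commands for a whitelist chain: frames from an
# allowed source RETURN to the calling chain, everything else arriving on
# IFACE is logged and dropped. The chain is hooked into INPUT (traffic to the
# firewall itself) and FORWARD (traffic routed on to another LAN), because the
# MAC source match only exists on the ingress side. Refuses to print anything
# if the allow-list has a malformed entry.
mac_filter_rules() {
    iface=$1
    file=$2
    macs=$(parse_mac_file "$file") || return 1
    printf 'iptables -N MAC_FILTER\n'       # fails harmlessly if it already exists
    printf 'iptables -F MAC_FILTER\n'
    for mac in $macs; do
        printf 'iptables -A MAC_FILTER -m mac --mac-source %s -j RETURN\n' "$mac"
    done
    printf 'iptables -A MAC_FILTER -j LOG --log-prefix "MAC_FILTER: "\n'
    printf 'iptables -A MAC_FILTER -j DROP\n'
    printf 'iptables -I INPUT -i %s -j MAC_FILTER\n' "$iface"
    printf 'iptables -I FORWARD -i %s -j MAC_FILTER\n' "$iface"
}

# Usage: sh mac-filter-check.sh IFACE FILE   (e.g. eth2 /mnt/kd/allow-mac-addresses)
if [ $# -eq 2 ]; then
    mac_filter_rules "$1" "$2"
fi
```

Run it as `sh mac-filter-check.sh eth2 /mnt/kd/allow-mac-addresses` to review the rules before applying them (pipe the output to `sh` as root to apply). For the cron-driven file swap Graham describes, running `parse_mac_file` on the replacement file before restarting the firewall stops a typo from either locking everyone out or, if the plugin silently skips bad lines, letting a machine through. Two caveats: `--mac-source` is only meaningful in PREROUTING, INPUT and FORWARD, so a filter that is hooked into INPUT alone will not affect forwarded eth2-to-eth1 traffic; and a MAC allow-list is a convenience control, not a security boundary, since a user who can set a static IP can usually change a MAC address just as easily.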