Re: iptables mac filtering: iptables fails to start after trying to use "mac" iptables module

2018-03-02 Thread Karel Lang AFD

Wow! :-)

Thank you, thank you, thank you! Confusing thing was, it worked at the 
SL6 iptables, but not at SL 7. Totally overlooked this and spent 5hrs 
since morning on it, oh mdg ..-)


All right, all right, at least, it's Friday ... :-)


--
*Karel Lang*
*Unix/Linux Administration*
l...@afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 03/02/2018 12:59 PM, Stephan Wiesand wrote:
>> On 2. Mar 2018, at 12:04, Karel Lang AFD  wrote:
>> 
>> Hello guys,
>> 
>> stumbled on weird thing today - wanted to setup some iptables rules based on 
>> 'mac address' and iptables failed to start.
>> 
>> cat /etc/redhat-release
>> Scientific Linux release 7.4 (Nitrogen)
>> 
>> iptables --version
>> iptables v1.4.21
>> 
>> yum list all | grep iptables
>> iptables.x86_64          1.4.21-18.2.el7_4 @sl-fastbugs
>> iptables-services.x86_64 1.4.21-18.2.el7_4 @sl-fastbugs
>> iptables-utils.x86_64    1.4.21-18.2.el7_4 @sl-fastbugs
>> 
>> what happens:
>> after adding simple rule to '/etc/sysconfig/iptables':
>> *filter
>> -A INPUT -m mac --mac-source 52-54-00-6f-04-51 -j ACCEPT
>> 
>> it refuses to start after 'systemctl restart iptables' and the 'journalctl -xe' 
>> says:
>> 
>> Error occurred at line: XX and that's it
>> 
>> If I add the same simple rule to the SL 6.9 iptables rules, it works without 
>> problem..
>> 
>> Anyone stumbled upon this, only thing I can think of is, that it is not compiled 
>> in standard kernel ..
> 
> It is.
> 
>> Thanks for any input - I tried to lookup things at search engines, but so far 
>> no light ..ehh.
> 
> Try reading the manual page ;-)
> 
> "Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX"




Re: iptables mac filtering: iptables fails to start after trying to use "mac" iptables module

2018-03-02 Thread Stephan Wiesand
> On 2. Mar 2018, at 12:04, Karel Lang AFD  wrote:
> 
> Hello guys,
> 
> stumbled on weird thing today - wanted to setup some iptables rules based on 
> 'mac address' and iptables failed to start.
> 
> cat /etc/redhat-release
> Scientific Linux release 7.4 (Nitrogen)
> 
> iptables --version
> iptables v1.4.21
> 
> yum list all | grep iptables
> iptables.x86_64          1.4.21-18.2.el7_4 @sl-fastbugs
> iptables-services.x86_64 1.4.21-18.2.el7_4 @sl-fastbugs
> iptables-utils.x86_64    1.4.21-18.2.el7_4 @sl-fastbugs
> 
> 
> what happens:
> after adding simple rule to '/etc/sysconfig/iptables':
> *filter
> -A INPUT -m mac --mac-source 52-54-00-6f-04-51 -j ACCEPT
> 
> 
> it refuses to start after 'systemctl restart iptables' and the 'journalctl 
> -xe' says:
> 
> Error occurred at line: XX and that's it
> 
> 
> 
> If I add the same simple rule to the SL 6.9 iptables rules, it works without 
> problem..
> 
> Anyone stumbled upon this, only thing I can think of is, that it is not 
> compiled in standard kernel ..

It is.

> Thanks for any input - I tried to lookup things at search engines, but so far 
> no light ..ehh.

Try reading the manual page ;-)

"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX"
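Stephan's man-page quote is the whole fix: the mac match only parses colon-separated addresses, and iptables-restore reports a rejected rule as nothing more than its line number. The lint below is an added example, not code from the thread: it normalises a MAC address into the XX:XX:XX:XX:XX:XX form and scans an iptables-save style file (such as /etc/sysconfig/iptables) for --mac-source values written any other way, using a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the --mac-source
# values in an iptables-save style file (e.g. /etc/sysconfig/iptables), so a
# dash-separated MAC is caught before iptables-restore fails with
# "Error occurred at line: XX".

# normalize_mac ADDR: accept 52-54-00-6f-04-51, 52:54:00:6f:04:51 or
# 5254.006f.0451 and print the XX:XX:XX:XX:XX:XX form the mac match
# requires (lower-cased); return 1 if ADDR is not a 48-bit MAC at all.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed -e 's/../&:/g' -e 's/:$//'
}

# lint_mac_rules FILE: report every rule whose --mac-source value the mac
# match would reject and return 1; return 0 when all of them are fine.
lint_mac_rules() {
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in *--mac-source*) ;; *) continue ;; esac
        # take the token after --mac-source (also works with "! --mac-source")
        mac=$(printf '%s\n' "$line" |
              awk '{ for (i = 1; i < NF; i++) if ($i == "--mac-source") print $(i + 1) }')
        if ! fixed=$(normalize_mac "$mac"); then
            echo "line $lineno: --mac-source '$mac' is not a MAC address"
            bad=1
        elif [ "$fixed" != "$(printf '%s' "$mac" | tr 'A-F' 'a-f')" ]; then
            echo "line $lineno: --mac-source '$mac' must be written as $fixed"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample rules file: line 2 uses the dash form from the thread,
# line 3 the colon form the man page asks for.
demo=$(mktemp)
cat > "$demo" <<'EOF'
*filter
-A INPUT -m mac --mac-source 52-54-00-6f-04-51 -j ACCEPT
-A INPUT -m mac --mac-source 52:54:00:6f:04:51 -j ACCEPT
COMMIT
EOF
lint_mac_rules "$demo" || echo "fix these before 'systemctl restart iptables'"
rm -f "$demo"
```

On the box itself, `iptables-restore --test < /etc/sysconfig/iptables` runs the real parser over the file without committing it, which is the more authoritative check. Either way, a mac match only tells you what source address the frame carried on the local segment; the sender chooses that address, so treat such a rule as a convenience filter, not as authentication.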


Re: iptables mac filtering: iptables fails to start after trying to use "mac" iptables module

2018-03-02 Thread Andrew C Aitchison

On Fri, 2 Mar 2018, Karel Lang AFD wrote:

> Hello guys,
> 
> stumbled on weird thing today - wanted to setup some iptables rules based on 
> 'mac address' and iptables failed to start.
> 
> cat /etc/redhat-release
> Scientific Linux release 7.4 (Nitrogen)
> 
> iptables --version
> iptables v1.4.21
> 
> yum list all | grep iptables
> iptables.x86_64          1.4.21-18.2.el7_4 @sl-fastbugs
> iptables-services.x86_64 1.4.21-18.2.el7_4 @sl-fastbugs
> iptables-utils.x86_64    1.4.21-18.2.el7_4 @sl-fastbugs
> 
> what happens:
> after adding simple rule to '/etc/sysconfig/iptables':
> *filter
> -A INPUT -m mac --mac-source 52-54-00-6f-04-51 -j ACCEPT

I spell mac addresses 52:54:00:6f:04:51 - ie with colons not dashes;
case doesn't seem to matter.

> it refuses to start after 'systemctl restart iptables' and the 'journalctl 
> -xe' says:
> 
> Error occurred at line: XX and that's it

On SL6 I sometimes have to load a module to enable a rule;
what is in your /etc/sysconfig/iptables-config
- or whatever equivalent SL7 uses ?

> If I add the same simple rule to the SL 6.9 iptables rules, it works without 
> problem..
> 
> Anyone stumbled upon this, only thing I can think of is, that it is not 
> compiled in standard kernel ..
> 
> Thanks for any input - I tried to lookup things at search engines, but so far 
> no light ..ehh.
> 
> --
> *Karel Lang*
> *Unix/Linux Administration*
> l...@afd.cz | +420 731 13 40 40
> AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz