Gentoo Forums
Networking & Security
IPSet + IPtables MAC Address filter
JujuBickoille
n00b
Joined: 20 Apr 2010
Posts: 13
PostPosted: Sat Jun 22, 2013 2:34 am    Post subject: IPSet + IPtables MAC Address filter

Hello everybody,

I wish to make a filter on my network with MAC addresses.

I have 2 ways:

iptables -t filter -A INPUT -i ${WIFI_IFACE} -m mac ! --mac 00:17:00:AA:00:AA -j DROP

It's nice and it works, but I wish to use ipset with macipmap, because I think it's better when you have multiple MACs to filter, so I've made it:

# Flush time
iptables -t filter -F
ipset -X grantedmac
# Add my allowed mac
ipset -N grantedmac bitmap:ip,mac --network 192.168.1.0/24
ipset add lan_clients 192.168.1.12,00:17:00:AA:00:AA
# Filter other
iptables -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src -j LOG --log-prefix "Not Granted MAC "


It seems to be easy, but it doesn't work:

When I try to connect with my granted computer, I get the message. If I connect ungranted, I get the same message.


[ 997.157185] Not Granted MAC IN=wlan0 OUT= MAC=00:17:00:aa:00:aa:00:41:f4:8b:0e:53:08:00 SRC=192.168.1.12 DST=192.168.1.4 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=65149 DF PROTO=TCP SPT=22 DPT=36719 WINDOW=384 RES=0x00 ACK PSH URGP=0


I don't know where I'm wrong; maybe someone has ideas.


Thank you so much in advance

Best regards

JujuBickoille
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.
PostPosted: Sun Jun 23, 2013 3:27 am

You are adding your data to some ipset named "lan_clients", but the ipset you are matching against is named "grantedmac".
JujuBickoille
n00b
Joined: 20 Apr 2010
Posts: 13
PostPosted: Sat Aug 31, 2013 3:40 pm

Okay, I've found why it doesn't work:

${IPTABLES} -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src,src -j LOG --log-prefix "FORBIDDEN MAC "

You need to use "src,src" instead of just "src".
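Editor's note, as an added example that is not code from either poster: the thread hits two separate mistakes, the set being filled under one name (lan_clients) while the rule matches another (grantedmac), and a one-flag "src" against a two-dimension bitmap:ip,mac set, which needs "src,src" (source IP, then source MAC). The script below generates the ipset and iptables configuration from a single set name so the first mistake cannot happen, derives the flag list from the set type so the second cannot either, and lints the generated rules for both before loading anything. It assumes ipset 6 "restore" syntax (create/range rather than the thread's -N/--network form); the set name, interface, network and allow-listed hosts are made up for the demo. It also appends a DROP after the LOG, since the first post asks for a filter and both posted rules only log. Two practitioner caveats: in the kernel's LOG output the MAC= field is destination MAC, then source MAC, then EtherType, so the source MAC of the logged packet is the second six bytes, not the first; and an (IP, MAC) allow-list is not authentication, since both values are trivially forged on a wireless client, so use WPA2/802.1X for actual access control and treat this as hygiene.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the ipset + iptables
# configuration for an (IP, MAC) allow-list and lints it for the two mistakes
# discussed above: a --match-set name that no set creates, and a flag list
# whose length differs from the set's dimensions (bitmap:ip,mac needs src,src).
# Assumes ipset 6 "restore" syntax; names, interface and hosts are made up.

SET_NAME="grantedmac"
SET_TYPE="bitmap:ip,mac"
NETWORK="192.168.1.0/24"
WIFI_IFACE="wlan0"
# Constructed sample allow-list of "ip,mac" pairs (not real hosts).
ALLOWED="192.168.1.12,00:17:00:AA:00:AA
192.168.1.20,00:11:22:33:44:55"

# Number of dimensions of an ipset type: the comma list after the colon
# (bitmap:ip,mac -> 2, hash:ip -> 1, hash:ip,port,net -> 3).
set_dims() {
    echo "${1#*:}" | tr ',' '\n' | grep -c .
}

# Count comma-separated --match-set flags ("src,src" -> 2).
flag_count() {
    echo "$1" | tr ',' '\n' | grep -c .
}

# Accept only a colon-separated MAC of six hex octets.
mac_ok() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit "ipset restore" input. -exist makes the create idempotent and the
# flush lets the same script be re-run after editing ALLOWED.
gen_ipset() {
    printf 'create %s %s range %s -exist\nflush %s\n' \
        "$SET_NAME" "$SET_TYPE" "$NETWORK" "$SET_NAME"
    echo "$ALLOWED" | while IFS=, read -r ip mac; do
        [ -n "$ip" ] || continue
        mac_ok "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        printf 'add %s %s,%s\n' "$SET_NAME" "$ip" "$mac"
    done
}

# One "src" per dimension: -m set reads one packet field per dimension, so a
# bitmap:ip,mac set must be matched with "src,src" (source IP, source MAC).
match_flags() {
    n=$(set_dims "$SET_TYPE")
    f="src"
    while [ "$n" -gt 1 ]; do f="$f,src"; n=$((n - 1)); done
    echo "$f"
}

# Log, then drop, every packet on the WiFi interface whose (source IP,
# source MAC) pair is not in the set. The thread's rules only logged.
gen_iptables() {
    flags=$(match_flags)
    printf 'iptables -t filter -A INPUT -i %s -m set ! --match-set %s %s -j LOG --log-prefix "FORBIDDEN MAC "\n' \
        "$WIFI_IFACE" "$SET_NAME" "$flags"
    printf 'iptables -t filter -A INPUT -i %s -m set ! --match-set %s %s -j DROP\n' \
        "$WIFI_IFACE" "$SET_NAME" "$flags"
}

# Lint the generated rules: every --match-set must name a set that gen_ipset
# creates, with exactly as many flags as that set has dimensions.
lint() {
    ipset_out=$(gen_ipset) || return 1
    gen_iptables | sed -n 's/.*--match-set \([^ ]*\) \([^ ]*\).*/\1 \2/p' |
    while read -r name flags; do
        stype=$(echo "$ipset_out" | awk -v n="$name" '$1 == "create" && $2 == n { print $3 }')
        [ -n "$stype" ] || { echo "rule references undefined set '$name'" >&2; return 1; }
        want=$(set_dims "$stype"); have=$(flag_count "$flags")
        [ "$have" -eq "$want" ] ||
            { echo "set '$name' has $want dimensions, rule passes $have flag(s): $flags" >&2; return 1; }
    done
}

# Print the configuration; load it for real only as root with APPLY=1.
apply() {
    lint || return 1
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        gen_ipset | ipset restore && gen_iptables | sh
    else
        gen_ipset && gen_iptables
    fi
}

apply
```

Run it once without APPLY to review the generated lines, then as root with APPLY=1 to load them; the lint runs in both cases and refuses to load a rule whose set name or flag count does not match what was created.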