iptables- block mac address

 
 
off by one
      11-09-2007, 05:09 PM
I am getting a lot of spam traffic. I see a million different ips
coming through my logs but one mac address so i want to block that mac
address. In my logs i see this:

Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
..
..
..
The mac address is the same. So I tried this:

iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 -j DROP

And I got this error:

iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00'
Try `iptables -h' or 'iptables --help' for more information.

What am I doing wrong?
thanks

 
Andy Ruddock
      11-09-2007, 05:40 PM
off by one wrote:
> I am getting a lot of spam traffic. I see a million different ips
> coming through my logs but one mac address so i want to block that mac
> address. In my logs i see this:
>
> Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
> MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
> DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
> SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
> Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
> MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
> DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
> PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
> .
> .
> .
> The mac address is the same. So I tried this:
>
> iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> 88:08:00 -j DROP
>
> And I got this error:
>
> iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> 88:08:00'
> Try `iptables -h' or 'iptables --help' for more information.
>
> What am I doing wrong?
> thanks
>


That's not the MAC address of your router/gateway is it?

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)
 
Pascal Hambourg
      11-09-2007, 05:58 PM
Hello,

off by one wrote:
> I am getting a lot of spam traffic. I see a million different ips
> coming through my logs but one mac address so i want to block that mac
> address. In my logs i see this:
>
> Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
> MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
> DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
> SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
> Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
> MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
> DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
> PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
> .
> The mac address is the same.


Yes, and it is the MAC address of your internet gateway, so you don't
want to block it unless you want to block all traffic from internet. A
router uses its own MAC address when forwarding an IP packet.

> So I tried this:
>
> iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> 88:08:00 -j DROP
>
> And I got this error:
>
> iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> 88:08:00'
> Try `iptables -h' or 'iptables --help' for more information.
>
> What am I doing wrong?


You are misinterpreting what is shown as "MAC". It is not only the
source MAC address but the whole ethernet MAC header, including:
- the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
(Dell)
- the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
address (Netopia)
- the protocol type (2 bytes), 0x0800 for IPv4
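The 14-byte split Pascal describes, as an added example that is not code from the thread: a small Python parser that decodes the MAC= field of netfilter LOG lines into destination MAC, source MAC and EtherType, reproduces the 6-octet check behind the "Bad mac address" error that `-m mac --mac-source` produced, and summarises which link-layer source the logged packets share. The two log lines are constructed from the ones quoted in the post (DST masked as in the post); the function names are the example's own.

```python
"""Decode the MAC= field of iptables/netfilter LOG output (added example)."""
import re
from collections import Counter

# Constructed sample input, modelled on the two lines quoted in the post.
SAMPLE_LOG = [
    "Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT= "
    "MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141 "
    "DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP "
    "SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT= "
    "MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90 "
    "DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF "
    "PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0",
]

# KEY=VALUE pairs as printed by the LOG target; bare flags (DF, ACK, PSH) are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# What 'iptables -m mac --mac-source' accepts: exactly six hex octets.
MAC_OCTETS_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict (OUT= yields '')."""
    return dict(FIELD_RE.findall(line))


def split_mac_header(mac_field):
    """Split the MAC= value into (dst_mac, src_mac, ethertype).

    The LOG target prints the raw link-layer header, so on plain Ethernet
    the field is dst MAC (6 bytes) + src MAC (6 bytes) + EtherType (2 bytes).
    Anything else (for example a VLAN-tagged frame) is rejected rather than
    guessed at.
    """
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = "0x" + "".join(octets[12:14])  # "08:00" -> "0x0800" (IPv4)
    return dst, src, ethertype


def is_valid_mac_source(value):
    """Mimic the syntax check that rejected the 14-byte value in the post."""
    return MAC_OCTETS_RE.match(value) is not None


def summarize(lines):
    """Count link-layer source MACs and collect IP-layer SRC addresses."""
    src_macs = Counter()
    src_ips = set()
    for line in lines:
        fields = parse_log_line(line)
        if "MAC" not in fields or "SRC" not in fields:
            continue
        _dst, src_mac, _ethertype = split_mac_header(fields["MAC"])
        src_macs[src_mac] += 1
        src_ips.add(fields["SRC"])
    return src_macs, src_ips


def explain(lines):
    """One source MAC behind many SRC IPs identifies the next-hop router, not the senders."""
    src_macs, src_ips = summarize(lines)
    if len(src_macs) == 1 and len(src_ips) > 1:
        (mac,) = src_macs
        return (f"{len(src_ips)} source IPs all arrive via link-layer source {mac}: "
                "that is the gateway's MAC, so a --mac-source rule on it would drop "
                "everything the gateway forwards")
    return f"{len(src_macs)} distinct link-layer sources seen"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_log_line(line)
        dst, src, et = split_mac_header(f["MAC"])
        print(f"SRC={f['SRC']:<15} dst_mac={dst} src_mac={src} ethertype={et}")
    print(explain(SAMPLE_LOG))
    print("14-byte value accepted by --mac-source?",
          is_valid_mac_source(parse_log_line(SAMPLE_LOG[0])["MAC"]))
```

Running it on the two sample lines prints the same dst/src split Pascal gives (dst 00:b0:d0:20:d2:90, src 00:0f:cc:89:0b:88, EtherType 0x0800) and reports one link-layer source behind two SRC IPs, which is the signature of traffic arriving through a router.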
 
off by one
      11-09-2007, 06:02 PM
On Nov 9, 10:58 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Hello,
>
> off by one wrote:
>
> > I am getting a lot of spam traffic. I see a million different ips
> > coming through my logs but one mac address so i want to block that mac
> > address. In my logs i see this:

>
> > Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
> > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
> > DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
> > SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
> > Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
> > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
> > DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
> > PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
> > .
> > The mac address is the same.

>
> Yes, and it is the MAC address of your internet gateway, so you don't
> want to block it unless you want to block all traffic from internet. A
> router uses its own MAC address when forwarding an IP packet.
>
> > So I tried this:

>
> > iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> > 88:08:00 -j DROP

>
> > And I got this error:

>
> > iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
> > 88:08:00'
> > Try `iptables -h' or 'iptables --help' for more information.

>
> > What am I doing wrong?

>
> You are misinterpreting what is shown as "MAC". It is not only the
> source MAC address but the whole ethernet MAC header, including :
> - the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
> (Dell)
> - the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
> address (Netopia)
> - the protocol type (2 bytes), 0x0800 for IPv4



That sounds correct. Is there a way I can get the mac address of the
computer spamming me?

 
Tauno Voipio
      11-09-2007, 06:15 PM
off by one wrote:
> On Nov 9, 10:58 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
> wrote:
>
>>Hello,
>>
>>off by one wrote:
>>
>>
>>>I am getting a lot of spam traffic. I see a million different ips
>>>coming through my logs but one mac address so i want to block that mac
>>>address. In my logs i see this:

>>
>>>Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
>>>MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
>>>DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
>>>SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
>>>Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
>>>MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
>>>DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
>>>PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
>>>.
>>>The mac address is the same.

>>
>>Yes, and it is the MAC address of your internet gateway, so you don't
>>want to block it unless you want to block all traffic from internet. A
>>router uses its own MAC address when forwarding an IP packet.
>>
>>
>>> So I tried this:

>>
>>>iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
>>>88:08:00 -j DROP

>>
>>>And I got this error:

>>
>>>iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
>>>88:08:00'
>>>Try `iptables -h' or 'iptables --help' for more information.

>>
>>>What am I doing wrong?

>>
>>You are misinterpreting what is shown as "MAC". It is not only the
>>source MAC address but the whole ethernet MAC header, including :
>>- the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
>>(Dell)
>>- the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
>>address (Netopia)
>>- the protocol type (2 bytes), 0x0800 for IPv4

>
>
>
> That sounds correct. Is there a way I can get the mac address of the
> computer spamming me?



No - and even if you could have it,
you cannot block it.

The MAC addresses are transferred in the local network
only. As soon as the IP packet traverses the first
router, the MAC addresses become irrelevant.

The spammers also use several different computers
with different IP addresses to send the spam to the
final destination. Most of the sending computers
are cracked boxes sending without their owners knowing
it.

You can follow the chain of IP addresses in the headers,
but the last one you can trust is the IP feeding your
mail server (usually the ISP's mail server for a usual
home computer user).

--

Tauno Voipio
tauno voipio (at) iki fi
 