iptables: mac-source and FORWARD

Hi!
i'm using iptables v.1.2.2. i have a problem with forward chain
it looks like this:
iptables -N check_mac
iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
192.168.0.1 -j RETURN
iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
192.168.0.2 -j RETURN
iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
192.168.0.3 -j RETURN
....
iptables -A check_mac -j DROP

iptables -A FORWARD -i eth1 -j check_mac
....

So i only want specific ip with specific mac address pairs to be forwarded,
but it doesn't work! If i place RETURN target instead of DROP in the last
line of check_mac chain it works. But of course that's not the way i want it
to work.
Anybody any idea?

zacWonder <(E-Mail Removed)> wrote:

> i'm using iptables v.1.2.2. i have a problem with forward chain
> it looks like this:
> iptables -N check_mac
> iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
> 192.168.0.1 -j RETURN
> iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
> 192.168.0.2 -j RETURN
> iptables -A check_mac -m mac --mac-source xx : xx : xx : xx : xx : xx -s
> 192.168.0.3 -j RETURN

Have you checked that the source mac addresses really match the
respective IP addresses? Did you specify the MAC addresses in
the propper syntax (xx:xx:xx:xx:xx:xx)?

Use a log rule before the next DROP-rule to make clear what is
dropped.

> ...
> iptables -A check_mac -j DROP
>
> iptables -A FORWARD -i eth1 -j check_mac
> ...

Also use ethereal or tcpdump to check what is coming in
on eth1.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn