Networking Forums

IPTABLES netfilter mac drops

PenguinsAnonymous@NotaChance.com, 07-12-2004, 12:21 AM
Hi,
I have a Gentoo system with 2.4.26 kernel and 1.2.9 iptables.
I have the kernel compiled with MAC netfilter.

iptables -L MAC_FILTER

Chain MAC_FILTER (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere MAC 00:60:1D:F0:E9:FD
RETURN all -- anywhere anywhere MAC 00:60:1D:1C:65:B9
RETURN all -- anywhere anywhere MAC 00:60:1D:F0:EA:03
RETURN all -- anywhere anywhere MAC 00:60:1D:F1:77:3C
RETURN all -- anywhere anywhere MAC 00:60:1D:F7:74:BC
RETURN all -- anywhere anywhere MAC 00:60:1D:F1:77:1D
RETURN all -- anywhere anywhere MAC 00:02:2D:1C:91:A7
RETURN all -- anywhere anywhere MAC 00:60:1D:F1:77:33
RETURN all -- anywhere anywhere MAC 00:60:1D:F2:20:33
RETURN all -- anywhere anywhere MAC 00:60:97:72:52:35
RETURN all -- anywhere anywhere MAC 00:60:970:0A:CD
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `MAC address dropped: '
DROP all -- anywhere anywhere

I am having difficulty achieving the desired result with this chain.
Am I wrong thinking if a machine behind my firewall (on my inward network) that has
a mac address other than above tries to access the network via this router the
packets will be dropped.

Here is a little more insight. I have a wireless hub uplinked. The above mac
addresses are those of my wireless cards. If someone with another card were to
access the network I want dropped packets.

so the following command is also used...
iptables -t nat -A PREROUTING -j MAC_FILTER

Any help in identifying what I am doing wrong is appreciated.
Thanks.
-Walt

PenguinsAnonymous@NotaChance.com, 07-12-2004, 12:25 AM
actually analyzing this error will most likely fix my problem.

iptables -t nat -A PREROUTING -j MAC_FILTER
iptables v1.2.9: Couldn't load target
`MAC_FILTER':/lib/iptables/libipt_MAC_FILTER.so: cannot open shared object file: No
such file or directory

my /lib/iptables contains only libipt_mac.so

I'm baffled why it wants the other .so

Thanks.
-Walt

Christoph Scheurer, 07-12-2004, 08:35 AM
On Mon, 12 Jul 2004 00:25:43 GMT
(E-Mail Removed) wrote:

> actually analyzing this error will most likely fix my problem.
>
> iptables -t nat -A PREROUTING -j MAC_FILTER
> iptables v1.2.9: Couldn't load target
> `MAC_FILTER':/lib/iptables/libipt_MAC_FILTER.so: cannot open shared object file: No
> such file or directory
>
> my /lib/iptables contains only libipt_mac.so


Did you insmod libipt_mac.so first?

Greets
Chris

PenguinsAnonymous@NotaChance.com, 07-12-2004, 12:08 PM
Yes it is the first entry from lsmod.
-Walt

Christoph Scheurer <(E-Mail Removed)> wrote:
> Did you insmod libipt_mac.so first?


--
Reply to innkeepATncDOTrrDOTcom to email questions.

Yas, 07-12-2004, 12:26 PM
You're probably better off using:

http://ebtables.sourceforge.net/

Yas

PenguinsAnonymous@NotaChance.com, 07-12-2004, 12:41 PM
I don't understand... I am using Gentoo; these are recent versions, which is why I
listed them in my post.
I don't understand why iptables wants to load a lib named after the chain I created,
i.e. libipt_MAC_FILTER.so?
Why?
-Walt

Yas <(E-Mail Removed)> wrote:
> You're probably better off using:
> http://ebtables.sourceforge.net/
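An added note and example for this thread (not part of any of the posts above). The "Couldn't load target" error is iptables telling you that no chain called MAC_FILTER exists in the table you are working in. User-defined chains belong to one table each: `iptables -L MAC_FILTER` with no `-t` lists the filter table, so that is where the chain was created, while the jump is being added to the nat table with `-t nat`. When iptables cannot find a chain by that name in the current table it assumes the name is a target extension and tries to load libipt_MAC_FILTER.so, which is exactly the message seen. The "(0 references)" in the listing says the same thing: nothing jumps into the chain, so it never runs. libipt_mac.so is the userspace side of the `-m mac` match; the kernel side is the ipt_mac module, and neither has anything to do with the chain name. Two more points worth getting right before the chain does anything useful: the mac match is only valid in the PREROUTING, INPUT and FORWARD chains, where the source frame is still known, and a filtering policy belongs in the filter table (the nat table is consulted only for the first packet of a connection, so it is the wrong place for a drop policy). The script below builds the same whitelist-then-log-then-drop chain in the filter table and hooks it from INPUT and FORWARD on the wireless-facing interface. The interface name eth1, the chain name MAC_FILTER, the DRY_RUN switch and the sample addresses are assumptions for illustration; the script is not from the original poster.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts. Builds the
# MAC whitelist chain in the *filter* table and hooks it from INPUT and FORWARD
# on the interface facing the wireless hub. The interface name (eth1), the chain
# name and the sample addresses are assumptions for illustration.
# With DRY_RUN=1 the script only prints the iptables commands, so the ruleset
# can be reviewed (or tested) without root and without a netfilter kernel.

WLAN_IF="${WLAN_IF:-eth1}"      # assumed: interface the wireless hub is uplinked to
CHAIN="${CHAIN:-MAC_FILTER}"

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# A MAC address is six colon-separated hex octets. The posted chain contains
# 00:60:970:0A:CD, which iptables would refuse; validate before loading rules.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read one MAC per line on stdin (blank lines and # comments ignored) and load
# the whitelist. Returns 1 if any address was malformed; valid ones still load.
build_mac_filter() {
    rc=0
    # User-defined chains are per table: create (or flush) it in filter, the
    # table the jumps below are issued from.
    ipt -t filter -N "$CHAIN" 2>/dev/null || ipt -t filter -F "$CHAIN"
    while read -r mac; do
        case "$mac" in ''|\#*) continue ;; esac
        if valid_mac "$mac"; then
            ipt -t filter -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
        else
            echo "build_mac_filter: rejecting malformed MAC '$mac'" >&2
            rc=1
        fi
    done
    # Anything not whitelisted: rate-limited log, then drop (same policy as the post).
    ipt -t filter -A "$CHAIN" -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-level info --log-prefix 'MAC address dropped: '
    ipt -t filter -A "$CHAIN" -j DROP
    # The mac match is only valid in PREROUTING, INPUT and FORWARD. Jump from
    # INPUT (traffic to the router itself) and FORWARD (traffic through it),
    # restricted to the wireless-facing interface. Run once; -I does not dedupe.
    ipt -t filter -I INPUT 1 -i "$WLAN_IF" -j "$CHAIN"
    ipt -t filter -I FORWARD 1 -i "$WLAN_IF" -j "$CHAIN"
    return $rc
}

# Stand-alone use: print the rules for two constructed sample addresses.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' 00:60:1D:F0:E9:FD 00:02:2D:1C:91:A7 | DRY_RUN=1 build_mac_filter
fi
```

Run `sh mac_filter.sh --demo` to see the generated commands, or feed a whitelist file to `build_mac_filter` as root with DRY_RUN unset to load it. Keep the expectations modest: a source MAC is trivially set by the sender, so a whitelist like this keeps out casual clients, not anyone who has watched the wireless segment for a few seconds and copied an allowed address.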