Bart De Schuymer
bdschuym at pandora.be
Wed Jan 5 19:16:37 CET 2005
On Wed, 05-01-2005 at 17:12 +0100, Erwin Van de Velde wrote:
> I don't want to bridge, I only said I have to when using ebtables. I need MAC
> filtering without bridging... I'm fully aware of the fact that iptables works
> on layer 3 and that MAC is layer 2, however if it can filter on source MAC
> addresses, why can't it filter on destination MAC addresses?
You can use ebtables without using a bridge as follows:
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0
ifconfig br0 $IP_OF_ETH0_SIDE
brctl addbr br1
brctl addif br1 eth1
ifconfig eth1 0.0.0.0
ifconfig br1 $IP_OF_ETH1_SIDE
Change your routing table as needed. Your router thus uses brx instead
of ethx to transmit and receive packets. ebtables will see the packets,
so you can do
ebtables -A OUTPUT -d $A_MAC_ADDRESS -j <target>
If you only need to check the destination address in one direction, e.g.
traffic leaving on eth0, you only need one bridge (in this case only
br0), with the proper routing table.
The downside is that your performance will downgrade substantially,
because all traffic will be queued twice.
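The setup from this reply as a script (an added example, not code from the original mail): each interface is wrapped in its own one-port bridge so the router's traffic passes through ebtables, and a rule then drops frames to a chosen destination MAC. Interface names, addresses and the MAC are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original mail): wrap each interface in a
# one-port bridge so the router's own traffic passes through ebtables,
# then drop frames to a given destination MAC. Interface names, addresses
# and MACs below are constructed placeholders. Runs as a dry run by default
# (DRY_RUN=1 prints the commands); DRY_RUN=0 executes them and needs root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a colon-separated 48-bit MAC so a typo never reaches ebtables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# wrap_iface <bridge> <iface> <ip> <netmask>: the steps from the mail, with
# the IP address moved from the physical interface to its bridge.
wrap_iface() {
    run brctl addbr "$1"
    run brctl addif "$1" "$2"
    run ifconfig "$2" 0.0.0.0
    run ifconfig "$1" "$3" netmask "$4"
}

# block_dst_mac <mac> [out-iface]: drop locally generated frames to <mac>;
# the optional physical port limits the rule to one direction, as in the mail.
block_dst_mac() {
    valid_mac "$1" || { echo "block_dst_mac: bad MAC '$1'" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        run ebtables -A OUTPUT -o "$2" -d "$1" -j DROP
    else
        run ebtables -A OUTPUT -d "$1" -j DROP
    fi
}

# Two-sided router: both interfaces get a bridge; only eth0-bound traffic is filtered.
wrap_iface br0 eth0 192.0.2.1 255.255.255.0
wrap_iface br1 eth1 198.51.100.1 255.255.255.0
block_dst_mac 00:11:22:33:44:55 eth0
```

The routing table still has to point at br0/br1 rather than eth0/eth1, as the reply notes, and the double queueing cost applies to every packet that crosses the bridges.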