mac-filtering is not working (nfcan: addressed to exclusive sender for this address)
Jim Laurino
nfcan.x.jimlaur at dfgh.net
Fri Mar 18 00:19:24 CET 2005
On 2005.03.17 17:55, Manuel Schmitz - Port17 at gmx.net wrote:
> Hello,
>
> I am desperately trying to establish mac-filtering on my debian-router.
>
> - All default chains are empty, policy set to "ACCEPT".
> - I execute
>
> iptables -A FORWARD -m mac --mac-source $MY_MAC -j ACCEPT
>
> and then set the FORWARD-Policy to "DROP". Now I expect the chain to
> drop all packages except these coming from $MY_MAC. Am I right?
> - It does not work. It drops ALL traffic. So why?
How do you know that *all* packets are dropped?
Why would changing the default policy affect a working rule?
Have you done iptables -L -nvx and examined the counts?
The rule is for one direction only - from $MY_MAC to the world,
there is no provision for traffic to $MY_MAC.
A rule like this would handle most reply traffic:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
For a really good reference on iptables in general, check out
http://iptables-tutorial.frozentux.net/
--
Jim Laurino
nfcan.x.jimlaur at dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
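A complete FORWARD ruleset along the lines Jim describes, as an added example that is not part of the original thread: the state rule admits the reply direction, and the MAC rule only admits new connections from the listed addresses arriving on the LAN interface (the only place the frame's source MAC is that host's). The interface name LAN_IF, the MAC value, and the dry-run default IPT="echo iptables" are assumptions of this example; run it as root with IPT=iptables to apply.

```shell
#!/bin/sh
# Added example (not from the original thread). By default the commands
# are printed instead of executed; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"          # assumed name of the LAN-side interface

# Return 0 if $1 looks like a colon-separated MAC address, else 1.
valid_mac() {
    H='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $H:$H:$H:$H:$H:$H) return 0 ;;
        *) return 1 ;;
    esac
}

# Install the FORWARD policy for the given allowed source MACs.
# Rule order matters: reply packets carry the remote peer's MAC, so the
# state rule must come before the fall-through to the DROP policy.
mac_filter_forward() {
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    # 1. Known starting state: DROP policy, empty chain.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # 2. Replies to conversations an allowed host started.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. New connections only from the listed MACs on the LAN interface.
    for mac in "$@"; do
        $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" \
            -m state --state NEW -j ACCEPT
    done
    # 4. Log what falls through, so "iptables -L FORWARD -nvx" counters
    #    can be read together with the log to see what was dropped.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Constructed placeholder MAC; replace with the real allowed address.
mac_filter_forward 00:11:22:33:44:55
```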