mac match and FORWARD chain
wakko at animx.eu.org
Mon Oct 23 12:50:43 CEST 2006
Bo Yang wrote:
> > I'd like to request that the mac match not be allowed in the FORWARD chain
> > as it does not function the way that some may think.
> > The tests I've performed indicate that the match will match the MAC address
> > of the transmitting interface (not what one would expect if attempting to
> > allow based on the mac address of the sender and blocking all other
> > I'd like to hear comments about this. If it is not fesable to do this, I'd
> > recommend adding text to the man page so that others do not fall into the
> > same problem I did.
> > I have already worked around this problem in my setup.
> MAC address is some concept in the link layer , so how do
> you get the packet sender mac if the packet is routed to your
> box through some other routers ?
I understand. However, the machine I was using for this was directly
connected to both system. There were no other routers.
Take this for instance:
Box A -> (eth1)firewall/router(eth0) -> Box B
firewall/router does not trust eth1 and uses MAC addresses to allow access,
so it does this:
-I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
-I FORWARD -j DROP -i eth1
firewall/router knows the mac of both box a and b (obviously, box a doesn't
know box b's mac and vice versa). Consider the above the only rules in the
firewall and box A and B have no rules at all.
Box A pings Box B and fails. The reason is the mac test above is seeing the
MAC of eth0, not of Box A.
This is what I'm referring to and I had to add a MARK rule in PREROUTING to
mark packets that I want to allow and then allow in the forward chain based
upon the mark.
Lab tests show that use of micro$oft causes cancer in lab animals
More information about the netfilter