iptables mac destination filtering

George Alexandru Dragoi waruiinu at gmail.com
Sat Apr 30 09:18:08 CEST 2005


Use arptables for that, like

arptables -A INPUT --src-mac <mac> --opcode 1 -j DROP
arptables -A OUTPUT --dst-mac <mac> --opcode 1 -j DROP

This way that MAC won't know your MAC address and won't be able to
communicate with you. But for a "very" good enough firewall it is not
necessary to filter the destination MAC; the source MAC is enough. arptables is
good to stop somebody DDoSing you (if he is in the same L2 as you).

On 4/28/05, Tobias DiPasquale <codeslinger at gmail.com> wrote:
> On 4/28/05, Michael Tautschnig <michael.tautschnig at zt-consulting.com> wrote:
> > Could you please explain, why one would do that? IMHO the only possible use is
> > an interface in promiscuous mode.
> 
> Not really. I know of a project that wanted this functionality in
> order to be able to determine if the next hop was terminal, and if so,
> do some IDS scanning on it. This was in the context of AODV-assembled
> wireless LANs.
> 
> --
> [ Tobias DiPasquale ]
> 0x636f6465736c696e67657240676d61696c2e636f6d
> 
> 


-- 
Bla bla
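To see exactly what the two arptables rules above match, here is an added example in Python (my own illustration, not code from the original mail or from the arptables project). It models the kernel's arp_tables semantics: --src-mac and --dst-mac compare against the sender and target hardware address fields inside the ARP packet, --opcode against the operation field, and the first matching rule in a chain decides, otherwise the chain policy (ACCEPT here) applies. The frames are constructed test input, and the MAC addresses and IPs are assumed values. One check worth knowing for the OUTPUT rule: a broadcast ARP request normally carries an all-zero target hardware address (the Linux kernel sends it zeroed), so --dst-mac only matches a request whose sender filled that field in. For the original question, iptables' own mac match offers only --mac-source, which is why the answer points at arptables at all.

```python
"""Model of the arptables rules from the post, applied to constructed ARP frames.
Added example, not code from the original mail. Assumes arp_tables match semantics
(--src-mac/--dst-mac compare the sender/target hardware address fields inside the
ARP packet, --opcode the ar_op field); all frames and MACs below are made up."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(src_mac, dst_mac, opcode, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Ethernet II header + 28-byte ARP packet (IPv4 over Ethernet). Constructed input."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += mac_to_bytes(src_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_to_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame into the fields arptables can match on, or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def rule_matches(rule, arp):
    """Every given matcher must hold; --src-mac/--dst-mac look at the ARP payload."""
    if rule.get("src_mac") is not None and arp["sender_mac"] != rule["src_mac"].lower():
        return False
    if rule.get("dst_mac") is not None and arp["target_mac"] != rule["dst_mac"].lower():
        return False
    if rule.get("opcode") is not None and arp["opcode"] != rule["opcode"]:
        return False
    return True


def arptables_verdict(chain, frame, rules, policy="ACCEPT"):
    """First matching rule in the chain decides; otherwise the chain policy applies."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return policy  # non-ARP frames never traverse arptables
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, arp):
            return rule["target"]
    return policy


BLOCKED = "00:11:22:33:44:55"  # assumed MAC of the host to cut off
ME = "66:77:88:99:aa:bb"       # assumed MAC of this firewall

# The two rules from the post:
#   arptables -A INPUT  --src-mac <mac> --opcode 1 -j DROP
#   arptables -A OUTPUT --dst-mac <mac> --opcode 1 -j DROP
RULES = [
    {"chain": "INPUT", "src_mac": BLOCKED, "opcode": ARP_REQUEST, "target": "DROP"},
    {"chain": "OUTPUT", "dst_mac": BLOCKED, "opcode": ARP_REQUEST, "target": "DROP"},
]


def demo():
    """Verdicts for constructed frames, returned as a dict so they can be checked."""
    # Broadcast "who-has 10.0.0.1?" from the blocked host: the INPUT rule drops it.
    req_from_blocked = build_arp_frame(BLOCKED, BROADCAST_MAC, ARP_REQUEST, "10.0.0.2", "10.0.0.1")
    # An ARP reply from the blocked host is opcode 2, so neither rule matches it.
    reply_from_blocked = build_arp_frame(BLOCKED, ME, ARP_REPLY, "10.0.0.2", "10.0.0.1", target_mac=ME)
    # Our own broadcast request for the blocked host's IP carries a zeroed target
    # hardware address, so --dst-mac does not match and the request goes out.
    bcast_req_to_blocked = build_arp_frame(ME, BROADCAST_MAC, ARP_REQUEST, "10.0.0.1", "10.0.0.2")
    # Only a request whose target hardware address field holds the MAC is dropped.
    unicast_req_to_blocked = build_arp_frame(ME, BLOCKED, ARP_REQUEST, "10.0.0.1", "10.0.0.2", target_mac=BLOCKED)
    # A request from any other host is untouched.
    req_from_other = build_arp_frame("de:ad:be:ef:00:01", BROADCAST_MAC, ARP_REQUEST, "10.0.0.3", "10.0.0.1")
    return {
        "request_from_blocked": arptables_verdict("INPUT", req_from_blocked, RULES),
        "reply_from_blocked": arptables_verdict("INPUT", reply_from_blocked, RULES),
        "broadcast_request_to_blocked": arptables_verdict("OUTPUT", bcast_req_to_blocked, RULES),
        "unicast_request_to_blocked": arptables_verdict("OUTPUT", unicast_req_to_blocked, RULES),
        "request_from_other": arptables_verdict("INPUT", req_from_other, RULES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The point of the third case is the one to keep in mind when deploying the rules as posted: the INPUT rule alone already keeps the other host from learning your MAC via its own requests, while the OUTPUT rule as written only catches requests that name the MAC in the ARP target field.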