
I'm doing some testing on my Linux VM with one NIC. I want to use it as some kind of firewall that can block the traffic of some clients based on their MAC address.

The client uses the VM (.254) as its default gateway, and the VM itself has .1 (the actual router) as its default gateway.

This is the iptables script that I'm using at the moment. I have internet on my client, but .14 is still getting internet, and when using the MAC address, nothing is being blocked.

Am I missing something?

    # Generated by iptables-save v1.4.14 on Sun Feb 23 12:16:26 2014
    *filter
    :INPUT ACCEPT [869:78983]
    :FORWARD ACCEPT [1183:197765]
    :OUTPUT ACCEPT [644:128360]
    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # log iptables denied calls (access via 'dmesg' command)
    -P FORWARD DROP
    -F FORWARD
    -A FORWARD -i eth0 -m mac --mac-source 64:20:0c:ac:f4:49 -j DROP
    -A FORWARD -i eth0 -s 192.168.1.14 -j DROP
    -A FORWARD -i eth0 -j ACCEPT
    # Reject all other inbound - default deny unless explicitly allowed policy:
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT
    # Completed on Sun Feb 23 12:16:26 2014
Wouter

2 Answers


MAC address filtering needs to happen in the PREROUTING chain; by the time the packet reaches the FORWARD chain, the MAC address has already been rewritten to that of the (internal) iptables bridge.

See Paragraph 9 of http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section8 for a more detailed explanation.

You also flush the FORWARD chain after setting the default policy (the -F FORWARD line); I doubt you want to do that (it restores the default policy of ACCEPT).

I don't see why "-A FORWARD -i eth0 -s 192.168.1.14 -j DROP" isn't blocking that source IP, but at any rate you shouldn't need the "-i eth0" in there. Are you sure that 1.14 is using 254 as the default gw?

It would also help to post the output of `iptables -L -v` to see what is actually loaded.

quadruplebucky
  • This is the output of the iptables command [link](http://pastie.org/private/oscub1fytu0ng3bwarfwmq). I'll look into ebtables. – Wouter Feb 25 '14 at 18:28
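
An added example, not code from the question or from either answer, of how the ruleset above can be rebuilt so that it does what the poster wanted: the FORWARD policy sits on the `:FORWARD DROP` chain line instead of a `-P`/`-F` pair in the body, the client's source MAC is matched in the mangle table's PREROUTING chain (the nat table refuses a DROP target, as the comments below found out; `-m mac` is only valid in PREROUTING, INPUT and FORWARD), the client's address is rejected in FORWARD, and the whole document is loaded in one step with iptables-restore. The interface, addresses and MAC are the ones from the question; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script or either answer's code.  Builds the
# gateway's rules as one iptables-save document and loads it in a single step.
# Interface, addresses and MAC are the ones from the question; the function
# names and the DRY_RUN switch are assumptions of this example.

LAN_IF="eth0"                       # the VM's only NIC
BLOCKED_IP="192.168.1.14"           # client to block by address
BLOCKED_MAC="64:20:0c:ac:f4:49"     # client to block by MAC

# The FORWARD policy rides on the ":FORWARD DROP" chain line.  No "-P" or "-F"
# appears in the body, so nothing can reset the policy or empty the chain
# after the fact, which is what the "-F FORWARD" in the question did.
build_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -m mac only matches in PREROUTING, INPUT and FORWARD.  The nat table
# refuses a DROP target (the error quoted in the comments); mangle accepts
# it, so the MAC filter goes here, before the routing decision.
-A PREROUTING -i ${LAN_IF} -m mac --mac-source ${BLOCKED_MAC} -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Replies to the gateway's own outbound connections (DNS, updates) must get
# in before the final REJECT below; this line is an addition of this example.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# REJECT rather than DROP: the client's open sessions fail at once instead
# of hanging until they time out.
-A FORWARD -i ${LAN_IF} -s ${BLOCKED_IP} -j REJECT
# With one NIC both directions of a forwarded flow arrive on eth0, so this
# single rule carries every other client's traffic.
-A FORWARD -i ${LAN_IF} -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}

# Refuse to load a ruleset that carries "-P" or "-F" lines in its body (the
# policy belongs on the ":CHAIN POLICY" line; iptables-restore flushes the
# table by itself) or whose FORWARD policy is not DROP.
check_ruleset() {
    ruleset="$1"
    if printf '%s\n' "$ruleset" | grep -Eq '^-(P|F)( |$)'; then
        echo "check_ruleset: -P/-F in body; put the policy on the :CHAIN line" >&2
        return 1
    fi
    if ! printf '%s\n' "$ruleset" | grep -q '^:FORWARD DROP'; then
        echo "check_ruleset: FORWARD policy is not DROP" >&2
        return 1
    fi
    return 0
}

# iptables-restore swaps each table in one operation, so there is no window
# in which the chain is half built, unlike a sequence of iptables -A calls.
apply_ruleset() {
    rules="$(build_ruleset)"
    check_ruleset "$rules" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
esac
```

`DRY_RUN=1 sh gateway-rules.sh apply` prints the generated document without touching the kernel; on iptables versions whose iptables-restore supports `--test`, piping that output through `iptables-restore --test` parses it without committing, which is the cheapest way to catch a typo before loading on a remote box.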

You need to put these rules on the gateway .254, which is used by .14.

If you need to block .14 at the .1 gateway level, you need to check whether the packets reach it with the MAC address of .14: if the packets are being forwarded by .254 via NAT, then they will be repacked with the MAC address of .254.

I recommend that you create a subnet so that client .14 is not able to connect directly to the .1 gateway.

fgbreel
  • Hi fgbreel, I've put these rules on .254, but I have the feeling that the IP rule is not really blocking traffic (the MAC rule can be ignored). – Wouter Feb 24 '14 at 22:45
  • Can you check which default gateway client .14 is using? – fgbreel Feb 24 '14 at 23:05
  • .14 has a default gateway of .254 – Wouter Feb 25 '14 at 18:27
  • Try setting the DROP rule with the mac module in the PREROUTING chain of the nat table, as described by @quadruplebucky: `iptables -t nat -A PREROUTING -p all -m mac --mac-source 64:20:0C:AC:F4:49 -j DROP` – fgbreel Feb 25 '14 at 18:31
  • I'm noticing that the DROP action is not permitted by iptables: `The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.` – Wouter Feb 25 '14 at 18:39
  • I'll go ahead and start filtering on an IP basis, because all the IPs will have reservations in our DHCP table. One last thing I noticed is that open connections to a site are not closed by the DROP rule. Is there an option to close these connections after a certain amount of time? – Wouter Feb 25 '14 at 21:01
  • You can use REJECT instead of DROP, so the browser stops immediately with `connection refused` instead of `connection timeout`. – fgbreel Feb 25 '14 at 21:27
  • Hi fgbreel, the REJECT parameter did fix my problem. Thanks! – Wouter Feb 25 '14 at 21:33
  • One last thing: I can see these connections being left open on the server. Is it possible to close them after a small amount of time? – Wouter Feb 25 '14 at 21:53
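
An added example, not part of this thread, that covers the last two points of the comments above: REJECT instead of DROP for the client's packets, and getting rid of the sessions the client already has open. A REJECT inserted at the head of FORWARD makes every further packet fail immediately, and deleting the client's entries from the connection-tracking table with `conntrack` (from conntrack-tools) removes the flows that would otherwise stay listed on the gateway until their timeout (days, for idle established TCP). The function names, the DRY_RUN switch and the address check are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: cut off a client that is
# already connected through the gateway (.254).  Requires iptables and the
# conntrack utility from conntrack-tools.  The function names, the DRY_RUN
# switch and the address check are assumptions of this example.

# DRY_RUN=1 prints each command instead of executing it, so the script can be
# exercised without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept a plain dotted quad only, so nothing else can be smuggled into an
# iptables or conntrack argument.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on dots in a subshell so the caller's IFS is left alone; the
    # subshell's exit status becomes the function's return value
    (
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Insert a rule at the head of a chain unless an identical one is already
# there (iptables -C tests without changing anything), so repeated calls do
# not pile up duplicates.
ensure_rule() {
    chain="$1"
    shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
        run iptables -I "$chain" 1 "$@"
    fi
}

kick_client() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "kick_client: '$ip' is not an IPv4 address" >&2
        return 1
    fi
    # At position 1 the rules win over anything below them, such as an
    # ESTABLISHED,RELATED accept.  REJECT for the client's own packets gives
    # an immediate error (connection refused); return traffic is just dropped.
    ensure_rule FORWARD -s "$ip" -j REJECT
    ensure_rule FORWARD -d "$ip" -j DROP
    # Tracked flows stay in the state table until they time out (days for idle
    # TCP), which is why they were still visible as open on the server.
    # Deleting them clears that list and guarantees nothing is treated as a
    # known connection should an ESTABLISHED accept rule sit above ours.
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
}

case "${1:-}" in
    "") ;;                 # no argument: just define the functions
    *) kick_client "$1" ;;
esac
```

`DRY_RUN=1 sh kick-client.sh 192.168.1.14` shows the four commands that would run; without DRY_RUN it needs root and the conntrack binary on the gateway.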