
I need to set up a firewall between a server, and the clients on the intranet that filters access by MAC on the FORWARD chain.

The server has one NIC (on subnet 10.0.0.0/29), the firewall two NICs (one on subnet 10.0.0.0/29, the other one on subnet 192.100.100.0/23), and the client has one NIC (on subnet 192.100.100.0/23).

My goal is to be able to forward traffic from only a few MACs and drop the rest.

Right now I have iptables set as below:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT

When I check iptables I can see that there's traffic on the rule, but the ping I send gets no reply.

Any ideas? Thanks in advance.

loopeando
  • I was finally able to solve the issue myself by adding the following rule to the FORWARD chain: iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT – loopeando Nov 04 '15 at 23:57

1 Answer


The problem is that while you are allowing packets going from the client to the server, the packets from the server going back to the client will be dropped. They are not handled automatically by netfilter and need to be allowed explicitly.

Usually, in a restrictive firewall where you only allow certain packets and drop the rest you would use connection tracking to accept return/related packets of known connections:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Note there is no --mac-destination option in the mac match in netfilter - most probably because the MAC address of the destination machine of outgoing packets is not known to netfilter as it is resolved in a lower network layer (layer 2; netfilter operates on layers 3 and higher).

piit79
  • Thanks for your input piit79! I was finally able to resolve it by adding the following rule on the FORWARD chain: iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT – loopeando Nov 04 '15 at 23:56
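The answer's approach as a runnable script, added here as an example rather than taken from the original post: the connection-tracking rule goes ahead of a per-MAC allow-list scoped to the client-side interface, so the server's replies get back to the client without the blanket `-i eth1 -o eth0 -j ACCEPT` from the comments, which forwards every client regardless of MAC. The interface names eth0 (server side) and eth1 (client side), the MAC values and the `IPT` dry-run variable are assumptions; `-m conntrack --ctstate` is the current spelling of the answer's `-m state --state`.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the FORWARD chain from a
# MAC allow-list with connection tracking for the return path.
# eth0 = server-side NIC, eth1 = client-side NIC (assumed names).
IPT="${IPT:-iptables}"           # set IPT=echo to dry-run without root

# Constructed allow-list of client MACs, one per line
ALLOWED_MACS="00:11:22:33:44:55
66:77:88:99:aa:bb"

# Returns 0 if $1 is a well-formed MAC address, 1 otherwise
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Installs (or, with IPT=echo, prints) the ruleset
build_forward_chain() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies and related packets of already-accepted connections come first,
    # so the server's answers reach the client without a per-MAC return rule
    # (there is no --mac-destination to write one with anyway).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New connections only from listed MACs, only client side -> server side.
    # --mac-source is only meaningful for hosts on the directly attached
    # segment; anything routed in from elsewhere carries the router's MAC.
    echo "$ALLOWED_MACS" | while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        $IPT -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW \
             -m mac --mac-source "$mac" -j ACCEPT
    done
    # Everything else is logged (rate-limited) and then dropped by the policy
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}
```

Run with `IPT=echo sh script.sh` first to review the generated rules before applying them as root.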