Iptables source mac match not always matching?

Question

I have added some rules to my PREROUTING chain in NAT. Usually at the beginning of a new machine joining the network, these matches don't always match correctly?

Im using iptables v1.4.21 on OpenWRT Barrier Breaker This is on a linux bridge where ebtables is sending packets through iptables

net.bridge.bridge-nf-call-iptables=1

In it's simplest form

    -A PREROUTING -m mac --mac-source <my mac> -j ACCEPT
    -A PREROUTING -m limit --limit 1/min -j LOG --log-prefix "id=Unknown-Device " --log-level 5

But I get log messages showing that it didn't match. The mac addresses are definitely correct

id=Unknown-Device IN=br-lan OUT= PHYSIN=wlan0 MAC=<dst>:<src>:08:00 SRC=192.168.0.105 DST=15.72.255.5 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=23058 DPT=80 WINDOW=8688 RES=0x00 SYN URGP=0

Have you checked the case of the MAC address? Simple but might help! — shearn89, May 19 '16 at 09:33

score 0 · Answer 1 · answered May 23 '16 at 12:08

0

If I correctly understand you, your setup is working, and sometimes, when a new machine is connecting, some logs shows up. You are tring to understand why. Is that true?

I have several ideas about your issues, although I can't provide an answer yet.

First, I want to be sure there are some "good" connections. To confirm this, you could disable the 1 packet per minute limitation in the log rule, and add another log rule before the accept one :

-A PREROUTING -m mac --mac-source <my mac> -j LOG --log-prefix "id=Well-known-Device " --log-level 5
-A PREROUTING -m mac --mac-source <my mac> -j ACCEPT
-A PREROUTING -j LOG --log-prefix "id=Unknown-Device " --log-level 5

In order to dismiss some hypothesis, can you confirm that:

you are not using DNAT in the nat table (it looks like you aren't)
packets are going through FORWARD chain (it looks like they are)
it occurs over ethernet (it looks like it does)

answered May 23 '16 at 12:08

setenforce 1

1,200
6
10

1. In the real rules I am using DNAT, instead of jumping to accept I jump to a chain that may DNAT certain requests to the bridges IP. But this is only if the MAC matches. – Adam Mills May 24 '16 at 01:11
2. Correct. Almost all packets correctly match the MAC filters and proceed as expected. – Adam Mills May 24 '16 at 01:12
3. Yes, it occurs over wireless and ethernet interfaces – Adam Mills May 24 '16 at 01:12
Damn, I'm not sure I still can help then. In your custom chain (the one into you jump from prerouting), have you some `-j RETURN`? Do you end the chain with a global `-j ACCEPT`? – setenforce 1 May 24 '16 at 14:47
The custom chain either ends on a -J ACCEPT or a DNAT (i dont need a return for either I didn't think) – Adam Mills May 25 '16 at 01:14
I agree. Wanted to be sure you had no return. Sorry I can't help finally. Good luck anyway. – setenforce 1 May 25 '16 at 05:37
What would a RETURN have meant? – Adam Mills May 25 '16 at 05:40
You would have returned in prerouting, just after the rule where you jumped in your custom chain. – setenforce 1 May 25 '16 at 05:41

Iptables source mac match not always matching?

1 Answers1