MAC filtering using iptables/ebtables

Question

I'm trying to drop a MAC address on a node in my network. Now, I tried two tools iptables and ebtables, but both attempts failed:

• iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP resulting in "iptables: No chain/target/match by that name."
• ebtables -A INPUT -s 00:11:22:33:44:55 -j DROP resulting in "FATAL: Module ebtables not found. The kernel doesn't support the ebtables 'filter' table."

I'm working with Kernel version 2.6.32: uname -r results in "2.6.32-042stab049.6.emulab.1"

How can I make (at least one) it work? I've searched about this failures, but not much information is to be found. How do I make the kernel support the ebtables 'filter' table? How come there is "no chain/target/match by that name"?

Answer 1

Verify that you can actually list an INPUT chain:

# iptables -L

Hopefully that should something akin to:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As for ebtables, it apparently isn't actually part of your kernel.

Answer 2

You need to enable the ebtables options in your Kernel configuration

CONFIG_BRIDGE_NF_EBTABLES=y
CONFIG_BRIDGE_EBT_BROUTE=y
CONFIG_BRIDGE_EBT_T_FILTER=y
CONFIG_BRIDGE_EBT_T_NAT=y
CONFIG_BRIDGE_EBT_802_3=y
CONFIG_BRIDGE_EBT_AMONG=y
CONFIG_BRIDGE_EBT_ARP=y
CONFIG_BRIDGE_EBT_IP=y
CONFIG_BRIDGE_EBT_IP6=y
CONFIG_BRIDGE_EBT_LIMIT=y
CONFIG_BRIDGE_EBT_MARK=y
CONFIG_BRIDGE_EBT_PKTTYPE=y
CONFIG_BRIDGE_EBT_STP=y
CONFIG_BRIDGE_EBT_VLAN=y
CONFIG_BRIDGE_EBT_ARPREPLY=y
CONFIG_BRIDGE_EBT_DNAT=y
CONFIG_BRIDGE_EBT_MARK_T=y
CONFIG_BRIDGE_EBT_REDIRECT=y
CONFIG_BRIDGE_EBT_SNAT=y
CONFIG_BRIDGE_EBT_LOG=y
CONFIG_BRIDGE_EBT_ULOG=y
CONFIG_BRIDGE_EBT_NFLOG=y

then build the kernel and retry. Its also possible that something iptables relates is missing also.