February 18, 2009 at 10:24 pm #41484
I’m trying to use MAC addresses to restrict computers from accessing the internet. I create a rule in the Forward chain that applies to both routed and bridged packets. I set up a pretty generic rule that looks like:
target prot opt in out source destination
DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:18:F3:01:7A:D5
I try to pass through the firewall with my test computer that has this MAC address and it passes fine, instead of getting dropped like it should. My only idea is that I have to be using DHCP services on the Zeroshell box for this to work, but that seems kind of silly. Any ideas? Thanks.
-Bell

February 19, 2009 at 8:22 am #47639
Try to use this and see if it works:
iptables -A FORWARD -m mac --mac-source 00:18:F3:01:7A:D5 -j DROP

February 19, 2009 at 2:05 pm #47640
I tried it now both directly with iptables and the Web interface (don’t forget to save) and it worked fine. Version 1.0 beta 11

February 19, 2009 at 7:38 pm #47641
I just tried it using both methods and neither of them worked. I am running Version 1.0 beta 11. If I look under “Connection Tracking” in the Firewall menu, I do not see any MAC addresses listed. Would there be some reason that Zeroshell is not checking the MAC address of the connections being made?

February 19, 2009 at 8:49 pm #47642
Connection tracking works at layer 4. You cannot find MAC addresses because they are layer 2 addresses.
Could you post a network diagram of your LAN? Is your client connected to Zeroshell on the same layer 2?
Fulvio

February 19, 2009 at 10:09 pm #47643
I’m not exactly sure what you are asking when you say “the same layer 2”. My lan is pretty simple. The machine that I’m testing the MAC address rules with is connected like this:
- Computer connected to a layer 2 switch.
- That layer 2 switch is connected to a layer 3 core switch.
- An Untangle Firewall box (it has two network interfaces set up in a bridged state): one interface is connected to the layer 3 switch, and the other is connected to the Zeroshell box.
- The Zeroshell box is doing routing between its two network interfaces, one of which is connected to the Untangle Firewall, the other to the internet router.

February 19, 2009 at 10:32 pm #47644
At this point I have to say that the only place where you could apply a MAC address filter is the layer 3 router connected to the switch. Zeroshell is not able to see the MAC address of the client because the first router breaks the layer 2 where it is connected.
Fulvio

February 20, 2009 at 12:03 am #47645
Thanks Fulvio, for some reason I didn’t even think of that. I was looking at it so hard I forgot the obvious. Thanks everyone.
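A check that answers Fulvio's question ("is the client on the same layer 2?") from the firewall box's own neighbour table, as an added example rather than anything posted in this thread: an `-m mac --mac-source` rule can only match a frame that still carries the client's source MAC, and every router in the path (here the layer 3 core switch) replaces it with its own, so the rule belongs on the first hop that sees the client directly. The `ip neigh show` output is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zeroshell.
# Before relying on 'iptables -A FORWARD -m mac --mac-source MAC -j DROP',
# confirm that this box actually sees the client's MAC as a layer-2
# neighbour. After a routed hop the source MAC is the router's, so a
# MAC rule on the far side of a router never matches.

# Constructed sample of 'ip neigh show' output (not real network data).
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr 00:18:f3:01:7a:d5 STALE
192.168.1.77 dev eth0  FAILED
10.0.0.1 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE'

# mac_is_neighbour MAC [NEIGH_TEXT]
# Returns 0 when MAC appears as a direct neighbour, 1 otherwise.
# NEIGH_TEXT defaults to the live table; the comparison is case-insensitive
# because iptables -L prints MACs upper-case while 'ip neigh' prints them
# lower-case. Entries without 'lladdr' (e.g. FAILED) are skipped.
mac_is_neighbour() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    neigh=${2:-$(ip neigh show 2>/dev/null)}
    printf '%s\n' "$neigh" | tr 'A-Z' 'a-z' | awk -v m="$mac" '
        { for (i = 1; i < NF; i++) if ($i == "lladdr" && $(i+1) == m) found = 1 }
        END { exit found ? 0 : 1 }'
}

# mac_rule_advice MAC [NEIGH_TEXT]
# Prints whether a FORWARD-chain MAC rule on this box can ever match MAC.
mac_rule_advice() {
    if mac_is_neighbour "$1" "$2"; then
        echo "same-l2: 'iptables -A FORWARD -m mac --mac-source $1 -j DROP' can match here"
    else
        echo "routed: $1 is not a layer-2 neighbour; filter on the first-hop router instead"
    fi
}

# Stand-alone run against the constructed table: the thread's test MAC is a
# neighbour in the sample, a made-up one is not.
mac_rule_advice 00:18:F3:01:7A:D5 "$SAMPLE_NEIGH"
mac_rule_advice 00:18:F3:01:7A:D6 "$SAMPLE_NEIGH"
```

Run it without the second argument on the Zeroshell box itself to query the live neighbour table; if the client's MAC is absent there, no FORWARD-chain MAC rule on that box will ever see it.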