Question

2

iptables mac address filtering not work

rated 0 times [ 2] [ 0] / answers: 1 / hits: 8467 / 1 Year ago, fri, january 13, 2023, 12:00:40

I block every port default by ufw

and add iptables rules like this:

sudo iptables -A INPUT -p tcp --dport 1723 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

then I list iptables INPUT rules:

sudo iptables -L INPUT --line-numbers



Chain INPUT (policy DROP)

num  target                    prot opt source               destination

1    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:domain

2    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:domain

3    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:bootps

4    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:bootps

5    ufw-before-logging-input  all  --  anywhere             anywhere

6    ufw-before-input          all  --  anywhere             anywhere

7    ufw-after-input           all  --  anywhere             anywhere

8    ufw-after-logging-input   all  --  anywhere             anywhere

9    ufw-reject-input          all  --  anywhere             anywhere

10   ufw-track-input           all  --  anywhere             anywhere

11   ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:1723 MAC 00:11:22:33:44:55

but I can't visit my server:1723

Is there sth wrong?

I use Ubuntu 11.10

Edit01:

I add followed things:

*filter

:ufw-before-input - [0:0]

:ufw-before-output - [0:0]

:ufw-before-forward - [0:0]

:ufw-not-local - [0:0]

# End required lines



-A ufw-before-input -p tcp --dport 1723 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

and then I list the rules

sudo iptables -L  ufw-before-input  --line-numbers

Chain ufw-before-input (1 references)

num  target           prot opt source               destination

1    ACCEPT           tcp  --  anywhere             anywhere            tcp dpt:1723 MAC 00:11:22:33:44:55

2    ACCEPT           all  --  anywhere             anywhere

3    ACCEPT           all  --  anywhere             anywhere            state RELATED,ESTABLISHED

4    ufw-logging-deny all  --  anywhere             anywhere            state INVALID

5    DROP             all  --  anywhere             anywhere            state INVALID

6    ACCEPT           icmp --  anywhere             anywhere            icmp destination-unreachable

7    ACCEPT           icmp --  anywhere             anywhere            icmp source-quench

8    ACCEPT           icmp --  anywhere             anywhere            icmp time-exceeded

9    ACCEPT           icmp --  anywhere             anywhere            icmp parameter-problem

10   ACCEPT           icmp --  anywhere             anywhere            icmp echo-request

11   ACCEPT           udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc

12   ufw-not-local    all  --  anywhere             anywhere

13   ACCEPT           udp  --  anywhere             224.0.0.251         udp dpt:mdns

14   ACCEPT           udp  --  anywhere             239.255.255.250     udp dpt:1900

15   ufw-user-input   all  --  anywhere             anywhere

and still not work... of course, after sudo service ufw restart I still connect the server on 1723

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

ousear

Add To Favorites

Follow

Total Points: 395

Total Questions: 114

Total Answers: 89

Location: Jordan

Member since Thu, Aug 5, 2021

3 Years ago

ousear questions

1 Linux script with logfile that changes names

Tue, Sep 27, 22, 03:29, 2 Years ago

1 How do I force microk8s kubectl to generate a token for my dashboard?

Sat, Apr 29, 23, 04:10, 1 Year ago

1 Why does installing Wine uninstall other packages?

Thu, Nov 25, 21, 00:51, 3 Years ago

1 vlc doesn't run again after quit

Tue, Feb 22, 22, 17:47, 2 Years ago

1 Ubuntu: Looking for simple way to run an application from the terminal

Sat, Oct 9, 21, 02:33, 3 Years ago

View All

answered 1 Year ago nosaurindb · Accepted Answer

Are both machines on the same ethernet subnet? mac addresses are only local to a subnet. If there's a router inbetween, the server will see the mac address of the last router the packet crosses.

Also, iptables -v -L is handy for debugging, as you can see which rules are being triggered.