Re: [Firestarter-user] Partial Firewall / Firestarter good for this?
From: Stephan W. <ste...@gm...> - 2005-09-20 08:35:25
Here is what I found to work

iptables -m mac -A FORWARD -o bridge0 --mac-source "xx:xx:xx:xx:xx" -d \! 192.168/8 -j DROP

The debian -- /etc/network/interfaces file has

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# auto eth0
# iface eth0 inet dhcp

# From http://affix.sourceforge.net/affix-newdoc/Affix-enduser/x199.html
auto bridge0
iface bridge0 inet static
    address 192.168.2.112
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255
    gateway 192.168.2.1
    pre-up ifconfig eth0 down
    pre-up ifconfig eth1 down
    pre-up brctl addbr bridge0
    pre-up brctl addif bridge0 eth0
    pre-up brctl addif bridge0 eth1
    pre-up ifconfig eth0 0.0.0.0 up
    pre-up ifconfig eth1 0.0.0.0 up
    # pre-up brctl ifconfig bridge0 up
    post-down ifconfig eth0 down
    post-down ifconfig eth1 down
    post-down brctl delbr bridge0

Stephan

On 9/18/05, Ryan <ry...@zo...> wrote:
> On Sun, 18 Sep 2005 06:52:12 -0700
> Stephan Wehner <ste...@gm...> wrote:
>
> > > Sounds to me like you need to block the MAC address of the windows
> > > machine from accessing the net.
> > >
> > > under /etc/firestarter/user-post , put
> > > $IPT -A OUTPUT -o $INIF --mac-source put-in-MAC-windows-machine -j
> > > DROP
> > >
> > > that should block the MAC address of the windows machine from
> > > accessing the WAN
> >
> > I get errors
> >
> > voltage:/home/stephan# iptables -A OUTPUT -o eth0 --mac-source
> > 00:01:03:e7:8a:f8 -j DROP
> > iptables v1.2.11: Unknown arg `--mac-source'
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> >
> > This also doesn't do it:
> >
> > voltage:/home/stephan# iptables -A OUTPUT -o eth1 -m mac --mac-source
> > 00:01:03:e7:8a:f8 -j DROP
> > iptables: Invalid argument
> >
> > voltage:/home/stephan# whoami
> > root
> >
> > What should it be??
> >
> > Stephan
> >
>
> You also need to load a specific module it appears firestarter does
> not load by default....
>
> I think you have 3 choices (anyone can add to this..):
>
> 1. Google for --mac-source, find the module name, then load it by
> using /etc/firestarter/user-pre
>
> 2. Use the MAC filtering capabilities of your switch (if it has them -
> many cisco, nortel, etc do)
>
> 3. Use another iptables config tool that has MAC filtering built in
> like shorewall, firewallbuilder, or kmyfirewall (all are more
> complicated and advanced than firestarter)
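Added example, not from this thread or from Firestarter: a small POSIX sh helper (mac_block_rule is a hypothetical name) that builds the MAC-filter rule the thread converges on and rejects the two mistakes seen in the quoted errors, namely omitting "-m mac" and using a chain where the mac match does not apply.

```shell
#!/bin/sh
# mac_block_rule CHAIN IFACE MAC [DEST_NET]
# Prints one iptables command on success; returns 1 on bad input.
#
# Why the earlier attempts failed:
#  - "--mac-source" belongs to the mac match module, so "-m mac" is
#    required (without it: "Unknown arg `--mac-source'").
#  - A source MAC is only known on packets arriving from an Ethernet
#    device, so the mac match is valid in PREROUTING, INPUT and FORWARD
#    only; on OUTPUT the kernel answers "Invalid argument".  Traffic a
#    bridge passes between eth0/eth1 goes through FORWARD.
mac_block_rule() {
    chain=$1; iface=$2; mac=$3; net=${4:-}
    h='[0-9a-fA-F]'

    # A MAC must be exactly six colon-separated hex octets
    # (the "xx:xx:xx:xx:xx" placeholder above has only five).
    case "$mac" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;;
        *) echo "bad MAC address: $mac" >&2; return 1 ;;
    esac

    # PREROUTING/INPUT have no out-interface, so match on -i there;
    # FORWARD keeps the -o bridge0 style used in the post.
    case "$chain" in
        FORWARD)          ifopt="-o $iface" ;;
        PREROUTING|INPUT) ifopt="-i $iface" ;;
        *) echo "mac match is not valid in chain $chain" >&2; return 1 ;;
    esac

    rule="iptables -A $chain $ifopt -m mac --mac-source $mac"
    # Optional "everything except the LAN" scope.  Current iptables
    # writes the negation as "! -d".  Note that a /8 mask, as in the
    # post's 192.168/8, covers all of 192.0.0.0/8; the 192.168 private
    # range is 192.168.0.0/16.
    if [ -n "$net" ]; then
        rule="$rule ! -d $net"
    fi
    echo "$rule -j DROP"
}
```

The constructed MAC 00:01:03:e7:8a:f8 is the one from the quoted session; run the helper through "sh -n" or eval its output only after reviewing it.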