Re: [SLUG] hosts.allow/deny by MAC instead of IP

From: Scotty Logan (scotty@scottylogan.com)
Date: Thu Nov 18 2004 - 01:39:26 EST


On Nov 17, 2004, at 12:00 PM, Mike Branda wrote:
> O.K. I've just found a site that explains that hosts.allow/deny doesn't
> get looked over till after the IP layer which is after the Ethernet
> layer. Does anybody have an idea as to how to get around this another
> way??

iptables has a mac address matching model, so something like the
following should work:

        iptables -A INPUT -m state --state NEW -m mac --mac-source \
            aa:bb:cc:dd:ee:ff -p tcp --dport 22 -j ACCEPT

(no, I've not tried it, so the syntax could be way off. 'man iptables'
for more details)

There are two problems with filtering by MAC address. MAC addresses
are trivially spoofed - the following works on many (most?) NICs under
Linux

        ifconfig ethN hw ether aa:bb:cc:dd:ee:ff

MAC addresses are only used within ethernet broadcast domains, so
they're not visible on the other side of gateways.

   Scotty

-- 
Never take life seriously - Nobody gets out alive anyway
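The rule and the two caveats above, worked into a small generator, as an added example that is not part of the original post or of iptables itself: it emits an iptables-restore fragment that admits new SSH connections only from peers matched on both source MAC and source IP, and it refuses to emit a MAC rule for any peer whose IP is not on the local segment, since frames from such a host arrive carrying the gateway's MAC and `--mac-source` would silently never match. The interface name, the on-link subnet, the chain name and the sample peer list are constructed here; `-m conntrack --ctstate NEW` is used in place of the post's `-m state --state NEW`.

```python
"""Generate an iptables ruleset that admits new SSH connections only from
on-link hosts identified by MAC address, and flag entries that a MAC match
can never see because the host sits behind a router.

Added example, not code from the original post. The interface, the on-link
subnet, the peer list and the chain name are constructed here.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def normalize_mac(mac):
    """Return a MAC in the aa:bb:cc:dd:ee:ff form iptables expects.

    Accepts colon, hyphen, Cisco dotted (aabb.ccdd.eeff) and bare 12-hex-digit
    spellings; anything else raises ValueError.
    """
    if re.search(r"[^0-9A-Fa-f:.\-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_ssh_rules(iface, on_link, peers, port=22, chain="SSH_IN"):
    """Build iptables-restore lines for an allow-list of (name, mac, ip) peers.

    Each accepted peer must present both the expected source MAC and source
    IP (an attacker has to spoof both, which is still easy on a shared
    segment). Peers whose IP is not inside `on_link` are reported in the
    second return value instead of getting a rule: their frames reach this
    host with the gateway's source MAC, so --mac-source would never match.
    Returns (rules, skipped).
    """
    net = ipaddress.ip_network(on_link, strict=False)
    rules = [
        "*filter",
        f":{chain} - [0:0]",
        # Only the first packet of a connection is checked here; established
        # flows are assumed to be accepted elsewhere in INPUT.
        f"-A INPUT -i {iface} -p tcp --dport {port} -m conntrack --ctstate NEW -j {chain}",
    ]
    skipped = []
    for name, mac, ip in peers:
        if not NAME_RE.match(name):
            raise ValueError(f"bad peer name: {name!r}")
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            skipped.append((name, f"{ip} is not on-link on {iface} ({net}); "
                                  "MAC filtering cannot identify it"))
            continue
        rules.append(
            f"-A {chain} -s {addr} -m mac --mac-source {normalize_mac(mac)}"
            f" -m comment --comment {name} -j ACCEPT"
        )
    rules += [f"-A {chain} -j DROP", "COMMIT"]
    return rules, skipped


# Constructed sample data: one host on the local /24 and one reached through
# the default gateway, for which a MAC rule would silently never fire.
SAMPLE_PEERS = [
    ("laptop", "AA-BB-CC-DD-EE-FF", "192.0.2.10"),
    ("remote-box", "0011.2233.4455", "198.51.100.7"),
]

if __name__ == "__main__":
    rules, skipped = build_ssh_rules("eth0", "192.0.2.0/24", SAMPLE_PEERS)
    print("\n".join(rules))  # feed to: iptables-restore --noflush
    for name, why in skipped:
        print(f"# skipped {name}: {why}")
```

The generated chain drops anything not on the list, so the laptop gets an ACCEPT line while the off-segment host is reported rather than given a rule that could never fire. The spoofing caveat still stands: on the same segment a host can set its own MAC (the post's `ifconfig ethN hw ether ...`, or `ip link set dev ethN address ...`) and its IP, and both matches in the rule are satisfied.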

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:34:52 EDT