Post subject: RE: IP vs MAC filtering on StarOS
Posted: 12.12.2005 - 14:06 #26354

Please tell me what I'm doing wrong...
deny all from any to any out via $net // blocks absolutely everything; I also tried deny all from 192.168.0.0/24 but the result is the same
iptables -A INPUT -m mac --mac-source 01-23-45-67-89-0A -s 192.168.0.1 -i ether1 -j ACCEPT // I also tried the MAC with : but same thing.
If I save and apply this, I get a complete block, but according to what you said above, this IP address should be allowed to access the internet.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 12.12.2005 - 14:23 #26355
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null

First you have to put the accept and only then, at the end, the deny (that is how it has to look in the resulting table, and since you add it via -A you always append to the end, so you have to keep that order in your listing as well...)
because, as you surely know, the first rule that matches is the one applied.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 12.12.2005 - 17:39 #26360
Master
Joined: May 12, 2004
Posts: 4579
Location: Bratislava

So like this?
#allow the MAC and bind it to the IP
iptables -A INPUT -m mac --mac-source 01:23:45:67:89:0A -s 192.168.0.1 -i ether1 -j ACCEPT
#deny everything else
deny all from any to any out via $net
Is that correct?

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 12.12.2005 - 23:39 #26376
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null

If the deny goes in via -A, then yes.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 12:23 #26546

Either I'm stupid or I just don't know how to do it; I did exactly this and the net is still blocked after all of it. That iptables somehow doesn't work.
The deny works perfectly...

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 12:27 #26548
Guru
Joined: Dec 27, 2002
Posts: 1505

Don't forget to restart the AP after the change.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 12:30 #26549

That goes without saying...

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 13:00 #26550
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava

I've only seen StarOS for 5 minutes, though...
In that iptables rule you are allowing -A INPUT, i.e. access to that machine itself (to the StarOS box),
and you need to allow FORWARD as well.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 13:54 #26555

iptables -A FORWARD -s 192.168.0.1 -j ACCEPT #this works for me; as soon as I add the MAC comparison it doesn't get through and the deny all applies.... I found here that the MAC has to be entered with ::, which I have.
If I understand correctly, the -m switch is actually match (what has to be equal) MAC --mac-source 00:00:00:00:00:00.
Right now it's set up so that only some IPs are allowed outbound, but independently of the MAC. So if someone sets such an IP, they have internet.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 14:08 #26558
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava

Above you mention
iptables -A INPUT -m mac --mac-source 01-23-45-67-89-0A -s 192.168.0.1 -i ether1 -j ACCEPT
and likewise this should be OK
iptables -A FORWARD -m mac --mac-source 01-23-45-67-89-0A -s 192.168.0.1 -i ether1 -j ACCEPT
(I'm just noticing that on Linux the MAC is written in the form 01:23:45:67:89:0A)

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 14:45 #26560

Thanks, it works. The final form:
iptables -A FORWARD -S ip_adresa -m mac --mac-source MM:AA:CC:MM:AA:CC -j ACCEPT
deny all from any to any via $net #net is the variable for the adapter to the internet.
Thanks again.

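The points this thread converges on (accept before deny, FORWARD rather than INPUT for routed traffic, and binding the IP to a MAC), as an added example that is not part of any post. It is a toy first-match model, not StarOS or netfilter code; the trailing deny is modelled as a FORWARD drop, which is an assumption, and the second client's MAC is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    to_router: bool  # True: addressed to the router itself; False: routed through it

@dataclass
class Rule:
    chain: str                     # "INPUT" or "FORWARD"
    action: str                    # "ACCEPT" or "DROP"
    src_ip: Optional[str] = None   # None matches any source IP
    src_mac: Optional[str] = None  # None matches any source MAC

    def matches(self, pkt: Packet) -> bool:
        ip_ok = self.src_ip is None or self.src_ip == pkt.src_ip
        mac_ok = self.src_mac is None or self.src_mac.lower() == pkt.src_mac.lower()
        return ip_ok and mac_ok

def verdict(rules, pkt, policy="ACCEPT"):
    # Traffic to the router is checked against INPUT, routed traffic against FORWARD.
    chain = "INPUT" if pkt.to_router else "FORWARD"
    for rule in rules:             # rules are checked in the order they were appended
        if rule.chain == chain and rule.matches(pkt):
            return rule.action     # the first matching rule decides
    return policy

IP, MAC = "192.168.0.1", "01:23:45:67:89:0A"  # values used in the thread
DENY = Rule("FORWARD", "DROP")                # assumption: stands in for the final deny line

RULESETS = {
    "deny_first": [DENY, Rule("FORWARD", "ACCEPT", IP, MAC)],
    "input_only": [Rule("INPUT", "ACCEPT", IP, MAC), DENY],
    "ip_only":    [Rule("FORWARD", "ACCEPT", IP), DENY],
    "ip_and_mac": [Rule("FORWARD", "ACCEPT", IP, MAC), DENY],
}

client = Packet(IP, MAC, to_router=False)
same_ip_other_mac = Packet(IP, "02:00:00:00:00:99", to_router=False)  # constructed

def summary():
    # For each ruleset: (verdict for the bound client, verdict for the same IP on another MAC)
    return {name: (verdict(r, client), verdict(r, same_ip_other_mac))
            for name, r in RULESETS.items()}

if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:11s} {result}")
```
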
Post subject: RE: IP vs MAC filtering on StarOS
Posted: 19.12.2005 - 19:18 #26576
Basic
Joined: Jul 24, 2004
Posts: 240

OK, so where was the mistake the whole time... I somehow don't get it...
Was it just that the MAC was in the wrong format?
And one more question... wouldn't it be good to also specify which interface it should go through... e.g. -i $net
PS: shouldn't it be ... FORWARD -s ...
because you have -S

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 02.01.2006 - 16:36 #27182
Master
Joined: May 12, 2004
Posts: 4579
Location: Bratislava

andreas4all wrote: ›Thanks, it works. The final form:
iptables -A FORWARD -S ip_adresa -m mac --mac-source MM:AA:CC:MM:AA:CC -j ACCEPT
deny all from any to any via $net #net is the variable for the adapter to the internet.
Thanks again.

You have a mistake there, it should be
deny all from any to any out via $net

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 02.01.2006 - 16:51 #27184

It's not a mistake. deny all from any to any via $net means both in and out.

Post subject: RE: IP vs MAC filtering on StarOS
Posted: 02.01.2006 - 17:00 #27185
Master
Joined: May 12, 2004
Posts: 4579
Location: Bratislava

andreas4all wrote: ›It's not a mistake. deny all from any to any via $net means both in and out.

Well, run a syntax check and you'll see; for me it throws an error without the out...