Good day

Situation: there is a LAN, and between the LAN and the Internet there is a gateway that provides DNS and NAT. The "white" (public) IP is static. Forwarding between interfaces is allowed.

Needed: a ban in iptables, by MAC address, on outgoing and incoming Internet traffic (conventionally, all traffic that goes via the "white" static IP) for the device with the corresponding MAC.

The general policy is allow all.

I ask for help; I'm not strong in iptables.

I tried iptables -I INPUT -m mac --mac-source 33:33:33:33:33:33 -d 192.192.192.11 -j DROP (it does not work).

upd: I suppose the general prohibition should be in the PREROUTING "chain", because the filter can work immediately after the NAT header is removed from the packet and it is compared with the recipient's hash in the LAN (essentially the NAT and gray (private) address accounting mechanism on the stack).

Rule list on the gateway:

Chain INPUT (policy ACCEPT 17M packets, 1966M bytes)
num pkts bytes target prot opt in out source destination
1 1293 71064 fail2ban-ssh-ddos tcp -- any any anywhere anywhere multiport dports ssh
2 1293 71064 fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
3 1293 71064 fail2ban-ssh-ddos tcp -- any any anywhere anywhere multiport dports ssh
4 1293 71064 fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
5 93M 11G ufw-before-logging-input all -- any any anywhere anywhere
6 93M 11G ufw-before-input all -- any any anywhere anywhere
7 93M 11G ufw-after-input all -- any any anywhere anywhere
8 93M 11G ufw-after-logging-input all -- any any anywhere anywhere
9 93M 11G ufw-reject-input all -- any any anywhere anywhere
10 93M 11G ufw-track-input all -- any any anywhere anywhere
11 20093 1315K ACCEPT all -- lo any anywhere anywhere
12 0 0 ACCEPT tcp -- eth2 any anywhere anywhere tcp dpt:http-alt
13 1976 100K ACCEPT tcp -- any any anywhere anywhere tcp dpts:6881:6999

Chain FORWARD (policy ACCEPT 484M packets, 418G bytes)
num pkts bytes target prot opt in out source destination
1 2835M 2399G ufw-before-logging-forward all -- any any anywhere anywhere
2 2835M 2399G ufw-before-forward all -- any any anywhere anywhere
3 2835M 2399G ufw-after-forward all -- any any anywhere anywhere
4 2835M 2399G ufw-after-logging-forward all -- any any anywhere anywhere
5 2835M 2399G ufw-reject-forward all -- any any anywhere anywhere
6 2835M 2399G ufw-track-forward all -- any any anywhere anywhere
7 56M 8253M ACCEPT all -- eth0 eth2 anywhere anywhere
8 104M 127G ACCEPT all -- eth2 any anywhere anywhere state RELATED,ESTABLISHED
9 0 0 REJECT all -- eth2 eth0 anywhere anywhere reject-with icmp-port-unreachable
10 1322 71311 ACCEPT tcp -- eth2 any anywhere video-server tcp dpt:http-alt
11 8832K 1479M ACCEPT all -- eth4 eth2 anywhere anywhere
12 0 0 REJECT all -- eth2 eth4 anywhere anywhere reject-with icmp-port-unreachable
13 0 0 ACCEPT tcp -- any any 192.168.0.1 anywhere tcp dpts:6881:6889

Chain OUTPUT (policy ACCEPT 17M packets, 23G bytes)
num pkts bytes target prot opt in out source destination
1 92M 111G ufw-before-logging-output all -- any any anywhere anywhere
2 92M 111G ufw-before-output all -- any any anywhere anywhere
3 92M 111G ufw-after-output all -- any any anywhere anywhere
4 92M 111G ufw-after-logging-output all -- any any anywhere anywhere
5 92M 111G ufw-reject-output all -- any any anywhere anywhere
6 92M 111G ufw-track-output all -- any any anywhere anywhere
7 1971 78840 ACCEPT tcp -- any any anywhere anywhere tcp spts:6881:6999

Chain fail2ban-ssh (2 references)
num pkts bytes target prot opt in out source destination
1 2586 142K RETURN all -- any any anywhere anywhere
2 0 0 RETURN all -- any any anywhere anywhere

Chain fail2ban-ssh-ddos (2 references)
num pkts bytes target prot opt in out source destination
1 2586 142K RETURN all -- any any anywhere anywhere
2 0 0 RETURN all -- any any anywhere anywhere

Chain ufw-after-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-logging-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-reject-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-track-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
num pkts bytes target prot opt in out source destination


    Suppose there are two interfaces on the gateway: eth0 ("white" static) and eth1 (facing the local network).

    On the local network there is a host that should be banned from going through the gateway. Its MAC address is 00:11:22:aa:bb:cc.

    The ban will look like this:

     iptables -A INPUT -i eth1 -m mac --mac-source 00:11:22:aa:bb:cc -j REJECT 

    Update.

    Properly, you should look at a different chain on the gateway, PREROUTING.

    But, as a trial-and-error option, you can put a rule in the FORWARD chain that forbids passing packets from the interface the video surveillance is connected to towards the interface with the "Internet", and insert it at position 7.

    Something like this:

     iptables -I FORWARD 7 -i ethX -o ethY -m mac --mac-source 00:11:22:aa:bb:cc -j REJECT 

    • A complete ban on passing packets through the gateway is not needed for the host. The host needs the local network, because it is a client for a location and a macrocrop (video surveillance); ONLY a ban on outgoing/incoming Internet traffic is needed for this machine. That is, the general rule: within the LAN you can go wherever you want, beyond it you cannot. - Spouk
    • @Spouk Is all traffic from this host routed through the gateway? And if, for example, the gateway is turned off, will the host no longer see the LAN? Show all your gateway's iptables rules. - de_frag
    • Yes, the host is tied through the switch to an interface on the gateway. And yes, if you cut off the gateway, the LAN "falls". - Spouk
    • @Spouk Such a configuration of course changes the solution. If nobody writes an answer, on Monday I will look at the details. - de_frag
    • @Spouk Added to the update. - de_frag
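The script below is an added example, not a command from the question or the answer; it implements what the question asks for and what the answer's update describes: a FORWARD rule keyed on the host's MAC between the LAN and WAN interfaces, so that the host keeps its LAN access and the gateway's own services while losing the Internet. It assumes the interface names and placeholder MAC from the answer (eth1 = LAN side, eth0 = WAN side, 00:11:22:aa:bb:cc) and an iptables with the mac match module.

```shell
#!/bin/sh
# Added example, not from the thread: cut one LAN host off from the Internet by MAC while
# leaving its LAN traffic and the gateway's own services (DNS) reachable.
# Assumed names: eth1 = LAN side, eth0 = WAN side; the MAC is the answer's placeholder.
set -eu
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
BAD_MAC="${BAD_MAC:-00:11:22:aa:bb:cc}"
CHAIN="BAN_MAC"                          # own chain, kept apart from the ufw/fail2ban ones

# Refuse a malformed MAC (e.g. with spaces, as in the question's attempt): iptables rejects
# it, and a mistyped but well-formed one would silently match nothing.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the iptables arguments, one rule per line. Forwarded traffic is filtered in FORWARD
# (INPUT only sees packets addressed to the gateway itself). The mac match works only on
# the receiving side, so the rule is anchored on frames arriving from LAN_IF; rejecting all
# of them towards WAN_IF also stops replies, since no connection can complete without them.
ban_rules() {
    valid_mac "$BAD_MAC" || { echo "bad MAC: $BAD_MAC" >&2; return 1; }
    echo "-N $CHAIN"
    echo "-A $CHAIN -m mac --mac-source $BAD_MAC -j REJECT --reject-with icmp-admin-prohibited"
    echo "-I FORWARD 1 -i $LAN_IF -o $WAN_IF -j $CHAIN"   # before the existing ACCEPT rules
}

unban_rules() {
    echo "-D FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN"
    echo "-F $CHAIN"
    echo "-X $CHAIN"
}

run_rules() {                            # $1 = function that prints rule lines
    "$1" | while read -r rule; do
        $IPT $rule                       # word splitting is intended here
    done
}

case "${1:-show}" in
    apply)  run_rules ban_rules ;;
    remove) run_rules unban_rules ;;
    *)      ban_rules ;;                 # show what would be applied
esac
```

Run it as `sh ban-host.sh` to see the rules, `sh ban-host.sh apply` (as root) to install them, and `sh ban-host.sh remove` to undo; check the effect afterwards with `iptables -L FORWARD -v -n --line-numbers`, where the jump to BAN_MAC should be rule 1.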