#MAC Filter
#insmod ipt_mac
#placeholder: replace with the one client MAC that is allowed on the LAN
ALLOWED_MAC="xx:xx:xx:xx:xx:xx"
#create the custom chain
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
#the allowed client returns to the calling chain, everything else is logged (rate limited) and dropped
iptables -A CMACFILTER -m mac --mac-source "$ALLOWED_MAC" -j RETURN
iptables -A CMACFILTER -m limit --limit 2/min -j LOG --log-prefix " MAC DROP: "
iptables -A CMACFILTER -j DROP
#hook the chain in front of everything arriving on the LAN interface
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER
It works, it's perfect, exactly what I needed. Thanks so much, Wildlion.
There is logging too? Nice! I already have syslog turned on, didn't see a drop there; I turned on logging in Security too, nope... Where are the MAC DROP logs going?
_________________
DD-WRT v3.0-r40270M kongac Netgear R7000
This was me trying to do some DNS lookups after I set a static IP address, since DHCP requests will be dropped as well. (I have syslog on.)
To be honest, I think that the logging capabilities in DD-WRT have been reduced. (Someone correct me if I am wrong.)
You might need to take off the "-m limit --limit 2/min" on the logging line.
It is also possible that since I am not using the proper DD-WRT method of jumping to the logdrop or logreject chain, something is not set up correctly (or it is not turned on).
So a thought would be to change the lines to be:
Code:
#MAC Filter
#placeholder: replace with the one client MAC that is allowed on the LAN
ALLOWED_MAC="xx:xx:xx:xx:xx:xx"
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source "$ALLOWED_MAC" -j RETURN
iptables -A CMACFILTER -j LOG --log-prefix " MAC DROP: "
#logdrop is DD-WRT's own log-then-drop chain, used when firewall logging is enabled
iptables -A CMACFILTER -j logdrop
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER
I have not tried this, but I think it should work. Then if you turn on logging for the firewall, I *think* it will show up.
Yes, stuff did show in dmesg: SRC, DEST and MAC. That did not show in the DD-WRT syslog, or on the external syslog server.
I already changed it to logdrop... then you get a drop message in the outbound security log. But there's no MAC logged, so there's really no point logging that there, for me anyway.
That's OK, it does what it needs to do; logging was just a bonus I didn't see coming. I'll work on it a bit more on the weekend if I can, and try without "-m limit --limit 2/min".
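The netfilter LOG target writes to the kernel ring buffer, which is why the entries surfaced in dmesg rather than in the web-UI log. As an added example (not from this thread or from DD-WRT), this POSIX shell function summarises those " MAC DROP: " lines by rejected client MAC; it assumes the standard kernel LOG line layout, in which the MAC= field is the raw Ethernet header (destination MAC, then source MAC, then EtherType), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise " MAC DROP: " entries from the kernel log (dmesg).
# In a netfilter LOG line the MAC= field is the raw Ethernet header:
# octets 1-6 destination MAC, 7-12 source MAC, 13-14 EtherType.
# The rejected client is therefore octets 7-12, not the first six.

# Constructed sample lines (not captured from a real router); the last
# one carries DD-WRT's own "DROP" prefix from logdrop and must be ignored.
SAMPLE_LOG='[ 120.1] MAC DROP: IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:01:08:00 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
[ 121.2] MAC DROP: IN=br0 OUT= MAC=c0:ff:ee:00:00:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=40000 DPT=53
[ 121.3] MAC DROP: IN=br0 OUT= MAC=c0:ff:ee:00:00:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40001 DPT=80
[ 122.0] DROP IN=br0 OUT=vlan2 MAC=c0:ff:ee:00:00:01:aa:bb:cc:dd:ee:03:08:00 SRC=192.168.1.7 DST=203.0.113.9 PROTO=TCP SPT=5 DPT=443'

# Reads log lines on stdin; prints "<client mac> <drops> <first SRC ip>"
# per rejected client, sorted by MAC.
summarize_mac_drops() {
    grep 'MAC DROP:' | awk '
    {
        mac = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/) mac = substr($i, 5)
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        n = split(mac, o, ":")
        if (n < 12) next            # malformed or missing MAC= field
        client = o[7] ":" o[8] ":" o[9] ":" o[10] ":" o[11] ":" o[12]
        count[client]++
        if (!(client in firstip)) firstip[client] = src
    }
    END { for (m in count) print m, count[m], firstip[m] }' | sort
}

# Stand-alone run against the constructed sample; on the router use: dmesg | summarize_mac_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_mac_drops
```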