Posted: Tue Oct 19, 2021 16:37 Post subject: "Problem with specified source mac" NetFilter error
I get an identical error on at least 3 Linux/Debian server devices when it comes to filtering a specific MAC address using EBTables (not the same as IPTables), which filters at Layer 2. I simply want to use EBTables to bind a specific local IP address to a specific MAC address. I use the same command for all clients with success, except for one.
Here's the command:
Code:
ebtables -A FORWARD -p 0x0800 --ip-src X.X.X.X -s ! X:X:X:X:X:X -j DROP
This is the error:
Code:
Problem with specified source mac 'X.X.X.X.X.X'
There are no typos and the MAC address is both registered, valid, not spoofed, and has no problems with IPTables. Only EBTables spits out that error. What can it be? Is there some debugging I can perform? Is there some EBTables error reference help page? Can it be some malicious host? I can't find any reference to that exact error...
Are there Netfilter tools newer than EBTables that work on Layer 2?
Last edited by MonarchX on Tue Oct 19, 2021 20:06; edited 1 time in total
I know w/ iptables, the following syntax is no longer permitted (although it was for the longest time).
Code:
-s ! x.x.x.x
All such negation must now precede the option itself, NOT the argument.
Code:
! -s x.x.x.x
I don't use ebtables much, so I'm just theorizing that maybe the same thing has happened w/ it as well.
Thanks! I found the problem... For some reason that command was in UTF-8 instead of ANSI. If converted to ANSI, extra characters came up for the MAC address. Funny how SSH didn't differentiate and didn't visibly show extra characters.
For IPTables, am I using the correct/modern syntax?
Code:
iptables -A FORWARD -s X.X.X.X -m mac ! --mac-source X:X:X:X:X:X -j DROP
This is a bit off-topic, but when reading examples of anti-spoofing rules, the examples mostly include source forwarding rules. Shouldn't anti-spoofing rules cover all directions? EBTables supports syntax to bind source and destination MAC addresses in the input, forward, and output chains. IPTables can bind MAC addresses only to the input source and forward source.
I assume to cover everything, such rules would be:
EBTables
Code:
ebtables -P INPUT DROP
ebtables -A INPUT -p ARP -s X:X:X:X:X:X -j ACCEPT
ebtables -A INPUT -p IPv4 -s X:X:X:X:X:X -j ACCEPT
ebtables -A INPUT -p IPv4 --ip-src X.X.X.X ! -s X:X:X:X:X:X -j DROP
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ARP -s X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p ARP -d X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 -s X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 -d X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 --ip-src X.X.X.X ! -s X:X:X:X:X:X -j DROP
ebtables -A FORWARD -p IPv4 --ip-dst X.X.X.X ! -d X:X:X:X:X:X -j DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p ARP -d X:X:X:X:X:X -j ACCEPT
ebtables -A OUTPUT -p IPv4 -d X:X:X:X:X:X -j ACCEPT
ebtables -A OUTPUT -p IPv4 --ip-dst X.X.X.X ! -d X:X:X:X:X:X -j DROP
IPTables
Code:
iptables -P INPUT DROP
iptables -A INPUT -s X.X.X.X -j ACCEPT
iptables -A INPUT -d X.X.X.X -j ACCEPT
iptables -A INPUT -s X.X.X.X -m mac ! --mac-source X:X:X:X:X:X -j DROP
iptables -P FORWARD DROP
iptables -A FORWARD -s X.X.X.X -j ACCEPT
iptables -A FORWARD -d X.X.X.X -j ACCEPT
iptables -A FORWARD -s X.X.X.X -m mac ! --mac-source X:X:X:X:X:X -j DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -s X.X.X.X -j ACCEPT
iptables -A OUTPUT -d X.X.X.X -j ACCEPT
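The root cause found above (a rules file saved as UTF-8, leaving bytes in the MAC argument that the terminal never showed) and the later question about MAC syntax both lend themselves to a pre-flight check. The script below is an added example, not from any poster in this thread; it assumes rules use plain MACs after -s/-d (no masks or Unicast/Broadcast keywords), and the rule lines, the 192.0.2.x addresses and the 02:00:... MACs are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an ebtables
# rules file, catching the two mistakes discussed above before the rules
# reach ebtables: bytes outside ASCII left behind by a UTF-8 editor, and MAC
# arguments that are not six colon-separated hex pairs. Assumes plain MACs
# after -s/-d (no masks or Unicast/Broadcast keywords); sample data is constructed.
set -f   # no globbing, so "set -- $rule" below only word-splits

# Print "LINE:TEXT" for every line holding a byte that is not printable ASCII
# or whitespace. Returns 0 when the file is clean, 1 when anything was flagged.
find_nonascii() {
    # LC_ALL=C makes grep byte-oriented, so every UTF-8 lead/continuation
    # byte (0x80-0xFF) falls outside both classes and is reported.
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" && return 1
    return 0
}

# Return 0 if $1 is exactly six colon-separated hex pairs, else 1.
valid_mac() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Check the MAC after each -s / -d in one rule line (old "-s ! MAC" placement
# accepted too). Returns 1 and prints the first bad argument in brackets.
check_rule_macs() {
    set -- $1
    while [ $# -gt 1 ]; do
        case "$1" in
            -s|-d)
                opt=$1
                [ "$2" = "!" ] && shift
                valid_mac "$2" || { printf 'bad MAC after %s: [%s]\n' "$opt" "$2"; return 1; }
                ;;
        esac
        shift
    done
    return 0
}

# Constructed sample: the second rule carries a UTF-8 non-breaking space
# (bytes C2 A0) right after the MAC; the terminal shows nothing unusual.
RULES="$(mktemp)"
printf 'ebtables -A FORWARD -p IPv4 --ip-src 192.0.2.10 ! -s 02:00:00:00:00:01 -j DROP\n' > "$RULES"
printf 'ebtables -A FORWARD -p IPv4 --ip-src 192.0.2.11 ! -s 02:00:00:00:00:02\302\240 -j DROP\n' >> "$RULES"
if find_nonascii "$RULES"; then echo "rules file is clean ASCII"; fi
while IFS= read -r rule; do check_rule_macs "$rule" || :; done < "$RULES"
rm -f "$RULES"
```

When a line is flagged, `od -c` on it shows the exact stray bytes; retyping the line in an ASCII-only editor clears the ebtables error.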