"Problem with specified source mac" NetFilter erro

Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue Oct 19, 2021 16:37    Post subject: "Problem with specified source mac" NetFilter erro
I get an identical error on at least 3 Linux/Debian server devices when it comes to filtering a specific MAC address using EBTables (not the same as IPTables), which filters at Layer 2. I simply want to use EBTables to bind a specific local IP address to a specific MAC address. I use the same command for all clients with success, except for one.

Here's the command:
Code:
ebtables -A FORWARD -p 0x0800 --ip-src X.X.X.X -s ! ‎X:X:X:X:X:X -j DROP


This is the error:
Code:
Problem with specified source mac '‎X.X.X.X.X.X'


There are no typos, and the MAC address is registered, valid, not spoofed, and has no problems with IPTables. Only EBTables spits out that error. What can it be? Is there some debugging I can perform? Is there some EBTables error reference help page? Can it be some malicious host? I can't find any reference to that exact error...

Are there Netfilter tools newer than EBTables that work on Layer 2?


Last edited by MonarchX on Tue Oct 19, 2021 20:06; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8997

PostPosted: Tue Oct 19, 2021 16:58    Post subject:
I know w/ iptables, the following syntax is no longer permitted (although it was for the longest time).

Code:
-s ! ‎x.x.x.x


All such negation must now precede the option itself, NOT the argument.

Code:
! -s x.x.x.x


I don't use ebtables much, so I'm just theorizing that maybe the same thing has happened w/ it as well.

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-kill-switch.sh * ddwrt-ovpn-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue Oct 19, 2021 19:55    Post subject:
eibgrad wrote:
I know w/ iptables, the following syntax is no longer permitted (although it was for the longest time).

Code:
-s ! ‎x.x.x.x


All such negation must now precede the option itself, NOT the argument.

Code:
! -s x.x.x.x


I don't use ebtables much, so I'm just theorizing that maybe the same thing has happened w/ it as well.


Thanks! I found the problem... For some reason that command was in UTF-8 instead of ANSI. If converted to ANSI, extra characters came up for the MAC address. Funny how SSH didn't differentiate and didn't visibly show extra characters.

For IPTables, am I using the correct/modern syntax?
Code:
iptables -A FORWARD -s X.X.X.X -m mac ! --mac-source X.X.X.X -j DROP
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8997

PostPosted: Tue Oct 19, 2021 20:30    Post subject:
MonarchX wrote:
For IPTables, am I using the correct/modern syntax?
Code:
iptables -A FORWARD -s X.X.X.X -m mac ! --mac-source X.X.X.X -j DROP


In so far as the negation, yes. But of course, the MAC address itself would be XX:XX:XX:XX:XX:XX.

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Wed Oct 27, 2021 10:37    Post subject:
This is a bit off-topic, but when reading examples of anti-spoofing rules, the examples mostly include source forwarding rules. Shouldn't anti-spoofing rules cover all directions? EBTables supports syntax to bind source and destination MAC addresses to input, forwarding, and output. IPTables can bind MAC addresses only to input source and forwarding source.

I assume to cover everything, such rules would be:

EBTables
Code:
ebtables -P INPUT DROP
ebtables -A INPUT -p ARP -s X:X:X:X:X:X -j ACCEPT
ebtables -A INPUT -p IPv4 -s X:X:X:X:X:X -j ACCEPT
ebtables -A INPUT -p IPv4 --ip-src X.X.X.X ! -s X:X:X:X:X:X -j DROP
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ARP -s X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p ARP -d X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 -s X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 -d X:X:X:X:X:X -j ACCEPT
ebtables -A FORWARD -p IPv4 --ip-src X.X.X.X ! -s X:X:X:X:X:X -j DROP
ebtables -A FORWARD -p IPv4 --ip-dst X.X.X.X ! -d X:X:X:X:X:X -j DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p ARP -d X:X:X:X:X:X -j ACCEPT
ebtables -A OUTPUT -p IPv4 -d X:X:X:X:X:X -j ACCEPT
ebtables -A OUTPUT -p IPv4 --ip-dst X.X.X.X ! -d X:X:X:X:X:X -j DROP


IPTables
Code:
iptables -P INPUT DROP
iptables -A INPUT -s X.X.X.X -j ACCEPT
iptables -A INPUT -d X.X.X.X -j ACCEPT
iptables -A INPUT -s X.X.X.X -m mac ! --mac-source X:X:X:X:X:X -j DROP
iptables -P FORWARD DROP
iptables -A FORWARD -s X.X.X.X -j ACCEPT
iptables -A FORWARD -d X.X.X.X -j ACCEPT
iptables -A FORWARD -s X.X.X.X -m mac ! --mac-source X:X:X:X:X:X -j DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -s X.X.X.X -j ACCEPT
iptables -A OUTPUT -d X.X.X.X -j ACCEPT