* Re[2]: MAC/IP PAIR MATCH
  2006-01-30 17:30     ` Boryan Yotov
@ 2004-01-21  5:46       ` Iwan Fauzie
  2006-01-30 19:43       ` Sorin Panca
  1 sibling, 0 replies; 6+ messages in thread
From: Iwan Fauzie @ 2004-01-21  5:46 UTC (permalink / raw)
  To: netfilter

Hello Boryan,

Tuesday, January 31, 2006, 12:30:35 AM, you wrote:

> Iwan Fauzie wrote:
>> Hello Boryan,
>> 
>> Thanks for your help, Boryan.
>> 
>> Please see http://www.netservers.co.uk/gpl/ for this patch: iptables MAC/IP
>> pair match.
>> 
>> This patch is to help ensure that:
>> 
>>  - users have not changed their IP address to conflict with or spoof
>>    other users
>>  - users have not changed their MAC address (e.g. new network cards,
>>    MAC spoofing or NAT)
>>
>> 
>> Friday, January 27, 2006, 9:17:48 PM, you wrote:
>> 
>> 
>>>Iwan Fauzie wrote:
>>>
>>>>Hello,
>>>>
>>>>I would like to patch mac/ip pair match, how to do that? Anybody help me
>>>>
>> 
>> 
>>>If you want to match IP against MAC address, then check the iptables
>>>_mac_ match:
>> 
>> 
>>># iptables -m mac -help
>> 
>> 
>>>Example: rule for forwarding packets matching certain IP/MAC pair is:
>> 
>> 
>>># iptables -A FORWARD -s <IP _address> -m -mac --mac-source <MAC address> -j ACCEPT
>> 
>> 
>>>... but if you want to "patch a match", then you need to specify in a
>>>bit more detail what you are trying to do.
>> 
>> 
>>>The _mac_ match exists in the default iptables source (./extensions),
>>>i.e. you don't need to patch anything. Just install iptables and enable
>>>the match inside your kernel's .config file (CONFIG_IP_NF_MATCH_MAC=y)
>>>and finally recompile (and install) the new kernel.
>> 
>> 

> Personally I never used the iptables patch you mentioned above.
> But looking at its tarball content it seems to be a 2.4.xx kernel
> patch, for a kernel patched with iptables (probably 1.2.x).

> Follow these steps (not the smartest ones) in order to install it:

> =================================================================
> STEP 1: Patching the kernel
> =================================================================

> The file with the sources (macmatch.patch) is a diff on a patched
> kernel, so you could apply it to an existing kernel tree easily.
> Just go to where your current kernel source is located (I suppose
> it is in):

>    # cd /usr/src/linux

> Make sure it is already patched with iptables (recent kernels are
> by default). To apply the "macmatch.patch" patch simply type:

>    # patch -p1 < /<Patch_Location>/macmatch.patch

> The result from the patch command must look like:

>    patching file include/linux/netfilter_ipv4/ipt_macmatch.h
>    patching file net/ipv4/netfilter/ipt_macmatch.c

> The configuration and make files are not a diff, so the fastest
> way to apply them, is to edit the corresponding files manually:

> -----------------------------------------------------------------
> "macmatch.patch.config.in"
> -----------------------------------------------------------------

> Its content goes to "/usr/src/linux/net/ipv4/netfilter/Config.in"

> Find the line from "Config.in" which says:

>    dep_tristate '  MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES

> ... and replace it (the line only) with the content of the 
> macmatch.patch.config.in:

>    dep_tristate '  MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
>    dep_tristate '  MAC/IP pair match support' CONFIG_IP_NF_MATCH_MACMATCH $CONFIG_IP_NF_IPTABLES


> -----------------------------------------------------------------
> "macmatch.patch.makefile"
> -----------------------------------------------------------------
> Its content goes to "/usr/src/linux/net/ipv4/netfilter/Makefile"

> Find the line from "Makefile" which says:

>    obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o

> ... and replace it (the line only) with the content of the 
> macmatch.patch.makefile:

>    obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
>    obj-$(CONFIG_IP_NF_MATCH_MACMATCH) += ipt_macmatch.o


> -----------------------------------------------------------------
> "macmatch.patch.configure.help"
> -----------------------------------------------------------------
> This is optional and only for convenience. You'll need it if you
> want a help entry for the macmatch kernel configuration option.
> Its content (starting from the second line) should go as an entry
> into "/usr/src/linux/Documentation/Configure.help".


> =================================================================
> STEP 2: Patching iptables
> =================================================================

> Once you have your kernel tree ready, it's time to let iptables know
> about macmatch's existence:

> Go to your iptables source tree location. I'll suppose it is into

>    # cd /usr/local/src/iptables-1.xx.yy

> Copy both "libipt_macmatch.c" and ".macmatch-test" files from the
> macmatch tree into:

>    # cp <file1> <file2> /usr/local/src/iptables-1.xx.yy/extensions

> And finally compile and install iptables.

>    make KERNEL_DIR=/usr/src/linux
>    make install KERNEL_DIR=/usr/src/linux


> =================================================================
> STEP 3: Enable the patch into the kernel config file
> =================================================================

> Add the following line into "/usr/src/linux/.config" :

>    CONFIG_IP_NF_MATCH_MACMATCH=y

> ... in order to build the patch statically into the kernel

> or

>    CONFIG_IP_NF_MATCH_MACMATCH=m

> ... if you need it as a loadable module.

> Finally recompile the kernel, load it and reboot.


> Hope this helps.


Thanks, Boryan. I hope this helps with my problem.

-- 
Best regards,
 Iwan                            mailto:iwan@gorontalo.net




* MAC/IP PAIR MATCH
@ 2006-01-27  7:52 Iwan Fauzie
  2006-01-27 14:17 ` Boryan Yotov
  0 siblings, 1 reply; 6+ messages in thread
From: Iwan Fauzie @ 2006-01-27  7:52 UTC (permalink / raw)
  To: netfilter

Hello,

I would like to patch mac/ip pair match, how to do that? Anybody help me

-- 
Best regards,
 Iwan                          mailto:iwan@gorontalo.net




* Re: MAC/IP PAIR MATCH
  2006-01-27  7:52 MAC/IP PAIR MATCH Iwan Fauzie
@ 2006-01-27 14:17 ` Boryan Yotov
  2006-01-28  9:12   ` Re[2]: " Iwan Fauzie
  0 siblings, 1 reply; 6+ messages in thread
From: Boryan Yotov @ 2006-01-27 14:17 UTC (permalink / raw)
  To: netfilter

Iwan Fauzie wrote:
> Hello,
> 
> I would like to patch mac/ip pair match, how to do that? Anybody help me
> 

If you want to match IP against MAC address, then check the iptables
_mac_ match:

# iptables -m mac -help

Example: rule for forwarding packets matching certain IP/MAC pair is:

# iptables -A FORWARD -s <IP _address> -m -mac --mac-source <MAC address> -j ACCEPT

... but if you want to "patch a match", then you need to specify in a
bit more detail what you are trying to do.

The _mac_ match exists in the default iptables source (./extensions),
i.e. you don't need to patch anything. Just install iptables and enable
the match inside your kernel's .config file (CONFIG_IP_NF_MATCH_MAC=y)
and finally recompile (and install) the new kernel.




* Re[2]: MAC/IP PAIR MATCH
  2006-01-27 14:17 ` Boryan Yotov
@ 2006-01-28  9:12   ` Iwan Fauzie
  2006-01-30 17:30     ` Boryan Yotov
  0 siblings, 1 reply; 6+ messages in thread
From: Iwan Fauzie @ 2006-01-28  9:12 UTC (permalink / raw)
  To: netfilter

Hello Boryan,

Thanks for your help, Boryan.

Please see http://www.netservers.co.uk/gpl/ for this patch: iptables MAC/IP
pair match.

This patch is to help ensure that:

 - users have not changed their IP address to conflict with or spoof
   other users
 - users have not changed their MAC address (e.g. new network cards,
   MAC spoofing or NAT)
 

Friday, January 27, 2006, 9:17:48 PM, you wrote:

> Iwan Fauzie wrote:
>> Hello,
>> 
>> I would like to patch mac/ip pair match, how to do that? Anybody help me
>> 

> If you want to match IP against MAC address, then check the iptables
> _mac_ match:

> # iptables -m mac -help

> Example: rule for forwarding packets matching certain IP/MAC pair is:

> # iptables -A FORWARD -s <IP _address> -m -mac --mac-source <MAC address> -j ACCEPT

> ... but if you want to "patch a match", then you need to specify in a
> bit more detail what you are trying to do.

> The _mac_ match exists in the default iptables source (./extensions),
> i.e. you don't need to patch anything. Just install iptables and enable
> the match inside your kernel's .config file (CONFIG_IP_NF_MATCH_MAC=y)
> and finally recompile (and install) the new kernel.





-- 
Best regards,
 Iwan                            mailto:iwan@gorontalo.net




* Re: MAC/IP PAIR MATCH
  2006-01-28  9:12   ` Re[2]: " Iwan Fauzie
@ 2006-01-30 17:30     ` Boryan Yotov
  2004-01-21  5:46       ` Re[2]: " Iwan Fauzie
  2006-01-30 19:43       ` Sorin Panca
  0 siblings, 2 replies; 6+ messages in thread
From: Boryan Yotov @ 2006-01-30 17:30 UTC (permalink / raw)
  To: netfilter

Iwan Fauzie wrote:
> Hello Boryan,
> 
> Thanks for your help, Boryan.
> 
> Please see http://www.netservers.co.uk/gpl/ for this patch: iptables MAC/IP
> pair match.
> 
> This patch is to help ensure that:
> 
>  - users have not changed their IP address to conflict with or spoof
>    other users
>  - users have not changed their MAC address (e.g. new network cards,
>    MAC spoofing or NAT)
>
> 
> Friday, January 27, 2006, 9:17:48 PM, you wrote:
> 
> 
>>Iwan Fauzie wrote:
>>
>>>Hello,
>>>
>>>I would like to patch mac/ip pair match, how to do that? Anybody help me
>>>
> 
> 
>>If you want to match IP against MAC address, then check the iptables
>>_mac_ match:
> 
> 
>># iptables -m mac -help
> 
> 
>>Example: rule for forwarding packets matching certain IP/MAC pair is:
> 
> 
>># iptables -A FORWARD -s <IP _address> -m -mac --mac-source <MAC address> -j ACCEPT
> 
> 
>>... but if you want to "patch a match", then you need to specify in a
>>bit more detail what you are trying to do.
> 
> 
>>The _mac_ match exists in the default iptables source (./extensions),
>>i.e. you don't need to patch anything. Just install iptables and enable
>>the match inside your kernel's .config file (CONFIG_IP_NF_MATCH_MAC=y)
>>and finally recompile (and install) the new kernel.
> 
> 

Personally I never used the iptables patch you mentioned above.
But looking at its tarball content it seems to be a 2.4.xx kernel
patch, for a kernel patched with iptables (probably 1.2.x).

Follow these steps (not the smartest ones) in order to install it:

=================================================================
STEP 1: Patching the kernel
=================================================================

The file with the sources (macmatch.patch) is a diff on a patched
kernel, so you could apply it to an existing kernel tree easily.
Just go to where your current kernel source is located (I suppose
it is in):

   # cd /usr/src/linux

Make sure it is already patched with iptables (recent kernels are
by default). To apply the "macmatch.patch" patch simply type:

   # patch -p1 < /<Patch_Location>/macmatch.patch

The result from the patch command must look like:

   patching file include/linux/netfilter_ipv4/ipt_macmatch.h
   patching file net/ipv4/netfilter/ipt_macmatch.c

The configuration and make files are not a diff, so the fastest
way to apply them, is to edit the corresponding files manually:

-----------------------------------------------------------------
"macmatch.patch.config.in"
-----------------------------------------------------------------

Its content goes to "/usr/src/linux/net/ipv4/netfilter/Config.in"

Find the line from "Config.in" which says:

   dep_tristate '  MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES

... and replace it (the line only) with the content of the 
macmatch.patch.config.in:

   dep_tristate '  MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
   dep_tristate '  MAC/IP pair match support' CONFIG_IP_NF_MATCH_MACMATCH $CONFIG_IP_NF_IPTABLES


-----------------------------------------------------------------
"macmatch.patch.makefile"
-----------------------------------------------------------------
Its content goes to "/usr/src/linux/net/ipv4/netfilter/Makefile"

Find the line from "Makefile" which says:

   obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o

... and replace it (the line only) with the content of the 
macmatch.patch.makefile:

   obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
   obj-$(CONFIG_IP_NF_MATCH_MACMATCH) += ipt_macmatch.o


-----------------------------------------------------------------
"macmatch.patch.configure.help"
-----------------------------------------------------------------
This is optional and only for convenience. You'll need it if you
want a help entry for the macmatch kernel configuration option.
Its content (starting from the second line) should go as an entry
into "/usr/src/linux/Documentation/Configure.help".


=================================================================
STEP 2: Patching iptables
=================================================================

Once you have your kernel tree ready, it's time to let iptables know
about macmatch's existence:

Go to your iptables source tree location. I'll suppose it is into

   # cd /usr/local/src/iptables-1.xx.yy

Copy both "libipt_macmatch.c" and ".macmatch-test" files from the
macmatch tree into:

   # cp <file1> <file2> /usr/local/src/iptables-1.xx.yy/extensions

And finally compile and install iptables.

   make KERNEL_DIR=/usr/src/linux
   make install KERNEL_DIR=/usr/src/linux


=================================================================
STEP 3: Enable the patch into the kernel config file
=================================================================

Add the following line into "/usr/src/linux/.config" :

   CONFIG_IP_NF_MATCH_MACMATCH=y

... in order to build the patch statically into the kernel

or

   CONFIG_IP_NF_MATCH_MACMATCH=m

... if you need it as a loadable module.

Finally recompile the kernel, load it and reboot.


Hope this helps.
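The STEP 1 and STEP 3 edits above as a script. This is an added example, not code from the thread or from the macmatch tarball. It assumes a 2.4-style tree with Config.in and Makefile under net/ipv4/netfilter, refuses to touch anything unless the two files that the "patching file ..." output above names are present, and is idempotent, so rerunning it (or switching between =y and =m) does not duplicate lines. The make_sample_tree function builds a constructed stand-in tree containing only the lines the edits look at, so the script can be dry-run without a real kernel source.

```sh
#!/bin/sh
# Added example (not the thread's or the macmatch tarball's code): scripts
# the manual Config.in / Makefile / .config edits for the macmatch patch.

# add_line_after FILE ANCHOR NEWLINE
# Insert NEWLINE after the first line containing ANCHOR, unless NEWLINE is
# already present. Fails if the anchor is missing (wrong tree or version).
add_line_after() {
    file=$1 anchor=$2 newline=$3
    grep -qF -- "$newline" "$file" && return 0
    grep -qF -- "$anchor" "$file" || {
        echo "anchor not found in $file: $anchor" >&2; return 1; }
    awk -v pat="$anchor" -v add="$newline" \
        '{ print } !done && index($0, pat) { print add; done = 1 }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_config_option FILE KEY VALUE
# Replace any "KEY=..." or "# KEY is not set" line with a single KEY=VALUE.
set_config_option() {
    file=$1 key=$2 value=$3
    grep -v -e "^$key=" -e "^# $key is not set\$" "$file" > "$file.tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# enable_macmatch_tree ROOT MODE   (MODE is y or m, as in STEP 3 above)
enable_macmatch_tree() {
    root=$1 mode=$2 nf="$1/net/ipv4/netfilter"
    # the two files "patch -p1" reports creating; without them there is
    # nothing for the Makefile line to build
    for f in "$root/include/linux/netfilter_ipv4/ipt_macmatch.h" \
             "$nf/ipt_macmatch.c"; do
        [ -f "$f" ] || { echo "missing $f: apply macmatch.patch first" >&2; return 1; }
    done
    case "$mode" in y|m) ;; *) echo "mode must be y or m" >&2; return 1 ;; esac
    add_line_after "$nf/Config.in" \
        'CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES' \
        "dep_tristate '  MAC/IP pair match support' CONFIG_IP_NF_MATCH_MACMATCH \$CONFIG_IP_NF_IPTABLES" \
        || return 1
    add_line_after "$nf/Makefile" \
        'obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o' \
        'obj-$(CONFIG_IP_NF_MATCH_MACMATCH) += ipt_macmatch.o' || return 1
    set_config_option "$root/.config" CONFIG_IP_NF_MATCH_MACMATCH "$mode"
}

# make_sample_tree DIR: constructed stand-in for a patched 2.4 tree, holding
# only the lines the edits above look at; lets the script be dry-run.
make_sample_tree() {
    root=$1 nf="$1/net/ipv4/netfilter"
    mkdir -p "$root/include/linux/netfilter_ipv4" "$nf"
    : > "$root/include/linux/netfilter_ipv4/ipt_macmatch.h"
    : > "$nf/ipt_macmatch.c"
    printf '%s\n' '# constructed stand-in for net/ipv4/netfilter/Config.in' \
        "dep_tristate '  MAC address match support' CONFIG_IP_NF_MATCH_MAC \$CONFIG_IP_NF_IPTABLES" \
        > "$nf/Config.in"
    printf '%s\n' '# constructed stand-in for net/ipv4/netfilter/Makefile' \
        'obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o' > "$nf/Makefile"
    printf '%s\n' 'CONFIG_IP_NF_MATCH_MAC=y' \
        '# CONFIG_IP_NF_MATCH_MACMATCH is not set' > "$root/.config"
}

# Dry run on the sample tree. Against a real tree, after "patch -p1" above:
#   enable_macmatch_tree /usr/src/linux m
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample_tree "$d" && enable_macmatch_tree "$d" m \
        && cat "$d/net/ipv4/netfilter/Config.in" \
               "$d/net/ipv4/netfilter/Makefile" "$d/.config"
    rm -rf "$d"
fi
```

The script stops before editing anything when the anchor line it expects is absent, which is the usual sign of a tree whose Config.in or Makefile layout differs from the one the patch was written against; in that case the lines are better placed by hand than guessed. The Configure.help entry from STEP 1 is left to the reader, as Boryan says it is optional.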



* Re: MAC/IP PAIR MATCH
  2006-01-30 17:30     ` Boryan Yotov
  2004-01-21  5:46       ` Re[2]: " Iwan Fauzie
@ 2006-01-30 19:43       ` Sorin Panca
  1 sibling, 0 replies; 6+ messages in thread
From: Sorin Panca @ 2006-01-30 19:43 UTC (permalink / raw)
  To: Boryan Yotov; +Cc: netfilter

Hi!
This rule is not correctly written:
# iptables -A FORWARD -s <IP _address> -m -mac --mac-source
<MACaddress>> -j ACCEPT

It should be:
iptables -A FORWARD -s $IP -m mac --mac-source $MAC -j ACCEPT

HTH
Sorin.
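Sorin's corrected rule, and Boryan's point earlier in the thread that the stock mac match already pairs an IP with a MAC without any patch, carried through as an added example (not code from the thread or from the netservers patch). The POSIX sh below turns an "IP MAC" allowlist into FORWARD rules in iptables-restore syntax: a frame whose source IP and source MAC are a registered pair passes, anything else is logged (rate-limited) and dropped, which is what turns a per-rule match into the enforcement Iwan's list describes. The chain name PAIR_CHECK, the interface eth0 and the addresses in the demo are assumptions or constructed values.

```sh
#!/bin/sh
# Added example (not from the thread): IP/MAC allowlist -> iptables rules
# using the stock "mac" match. PAIR_CHECK and the interface are assumed.

# validate_mac MAC: six colon-separated hex octets
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# validate_ipv4 IP: four dotted decimal octets, each 0..255
validate_ipv4() {
    printf '%s\n' "$1" | awk -F'[.]' '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# gen_pair_rules IFACE < allowlist
# Allowlist lines are "IP MAC"; blank lines and # comments are ignored.
# Fails closed: one malformed line means no rules are emitted at all, so a
# typo cannot silently leave a host out of (or in) the allowlist.
gen_pair_rules() {
    iface=$1 rules='' bad=0
    while read -r ip mac extra; do
        case "$ip" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! validate_ipv4 "$ip" || ! validate_mac "$mac"; then
            echo "rejected allowlist line: $ip $mac $extra" >&2
            bad=$((bad + 1))
            continue
        fi
        # the pair rule: same shape as Sorin's corrected example
        rules="${rules}-A PAIR_CHECK -s $ip -m mac --mac-source $mac -j RETURN
"
    done
    [ "$bad" -eq 0 ] || return 1
    printf '%s\n' '*filter' ':PAIR_CHECK - [0:0]' \
        "-A FORWARD -i $iface -j PAIR_CHECK"
    printf '%s' "$rules"
    # anything not returned above is a mismatch: log a sample, then drop
    printf '%s\n' \
        '-A PAIR_CHECK -m limit --limit 5/min -j LOG --log-prefix "ip-mac-mismatch: "' \
        '-A PAIR_CHECK -j DROP' 'COMMIT'
}

# Constructed sample allowlist (not real hosts). To load for real, without
# flushing rules already present:
#   gen_pair_rules eth0 < /etc/ip-mac-pairs | iptables-restore -n
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' '# host  mac' \
        '192.168.1.10 00:11:22:33:44:55' \
        '192.168.1.11 aa:bb:cc:dd:ee:ff' | gen_pair_rules eth0
fi
```

The mac match only sees the source MAC of the frame as it arrived on the box, so the pairing is meaningful for hosts on a directly attached segment; behind another router every frame carries that router's MAC and every host would be rejected. It is a control against the two cases Iwan lists (changed IP, changed MAC), not an authentication of the host, and the LOG rule is what gives you a detection signal when a pair stops matching.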


