Find the answer to your Linux question:
Results 1 to 3 of 3
I'm beginning to suspect what I'm attempting is impossible, but will ask, incase I'm missing something obvious. I have a machine behind a nat firewall, which has ssh (port 22) ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    2

    iptables mac filter behind a primary NAT firewall


    I'm beginning to suspect what I'm attempting is impossible, but will ask, incase I'm missing something obvious.

    I have a machine behind a nat firewall, which has ssh (port 22) forwarded to it over nat, Im attempting to filter those ssh connections using iptables mac filtering, but all the macs the machine receives are those of the nat machine, not of the origin point of the connection. Is it possible to determine the mac address of the origin post nat/forwarding, and use that in a filter?

    Meshur.

  2. #2
    Just Joined!
    Join Date
    Sep 2008
    Posts
    5
    Hello Meshur,

    It's been a long time since I have played with Iptables, but one thing that escapes many people, is that the order of the rules that you implement is important.

    I suspect you should be able to implement what you want by introducing a set of rules that first filter by MAC, then by port if necessary snf then to do the NAT as needed.

    If the packets fail the MAC test they should be dropped on the ground and similarly by port ...

    If the packets pass all previous scrutiny, then do the NAT.

    Again, remember that ordering of the rules is important.

    Cheers

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    2
    Thanks Prime,

    Aye that would work if the NAT was performed on the same machine Im trying to mac filter on, but the NAT happens on a hardware firewall at the boundary of our network, and its not something I can integrate rules into.

    I could of course ditch the current hardware firewall and deploy an iptables/nat dedicated linux box, but thats a step I was hoping to avoid. Looking alot more like I cant avoid it.

    Meshur.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •