Using MAC address in Firewall rules


    I’m trying to use MAC addresses to restrict computers from accessing the internet. I create a rule in the Forward chain that applies to both routed and bridged packets. I set up a pretty generic rule that looks like:

    target prot opt in out source destination
    DROP all -- * * MAC 00:18:F3:01:7A:D5

    I try to pass through the firewall with my test computer that has this MAC address and it passes fine, instead of getting dropped like it should. My only idea is that I have to be using DHCP services on the Zeroshell box for this to work, but that seems kind of silly. Any ideas? Thanks.


    Try to use this and see if it works:

    iptables -A FORWARD -m mac --mac-source 00:18:F3:01:7A:D5  -j DROP

    I tried it now both directly with iptables and the Web interface (don’t forget to save) and it worked fine. Version 1.0 beta 11


    I just tried it using both methods and neither of them worked. I am running Version 1.0 beta 11. If I look under “Connection Tracking” in the Firewall menu, I do not see any MAC addresses listed. Would there be some reason that Zeroshell is not checking the MAC address of the connections being made?


    Connection tracking works at layer 4. You cannot find MAC addresses because they are layer 2 addresses.
    Could you post a network diagram of your LAN? Is your client connected to Zeroshell on the same layer 2?



    I’m not exactly sure what you are asking when you say “the same layer 2”. My LAN is pretty simple. The machine that I’m testing the MAC address rules with is connected like this:

    - Computer connected to a layer 2 switch.

    - That layer 2 switch is connected to a layer 3 core switch.

    - An Untangle Firewall box (it has two network interfaces set up in a bridged state): one interface is connected to the layer 3 switch, and the other is connected to the Zeroshell box.

    - The Zeroshell box is doing routing between its two network interfaces, one of which is connected to the Untangle Firewall, the other to the internet router.


    At this point I have to say that the only place where you could apply a MAC address filter is the layer 3 router connected to the switch. Zeroshell is not able to see the MAC address of the client because the first router breaks the layer 2 where it is connected.
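    To make the layer-2 point concrete, here is an added example (not code from the thread or from Zeroshell) that models the topology above: a client behind an L3 switch, a transparent bridge that forwards frames unchanged, then Zeroshell's LAN interface. All IPs, subnets and the switch MAC are constructed sample values; only the client MAC comes from the post.

```python
import ipaddress

# Constructed topology (assumed values, not from the post, except CLIENT_MAC).
CLIENT_MAC = "00:18:f3:01:7a:d5"          # the MAC the first post tries to block
L3_SWITCH_MAC = "00:11:22:33:44:55"       # constructed: core switch's uplink MAC

# Zeroshell's LAN-side interface subnet and its routes (constructed).
ZS_LAN_SUBNET = ipaddress.ip_network("192.168.0.0/24")
ROUTES = {  # destination network -> next-hop router address on the LAN
    ipaddress.ip_network("10.1.0.0/16"): "192.168.0.2",   # reached via the L3 switch
}
NEIGHBORS = {"192.168.0.2": L3_SWITCH_MAC}  # ARP/neighbour table on Zeroshell


def source_mac_seen_by_firewall(client_ip, client_mac):
    """Return the source MAC Zeroshell actually sees in frames from client_ip.

    Every router rewrites the layer-2 header: once a packet crosses a router,
    the frame carries that router's MAC, not the original host's. A bridge
    (like the Untangle box in bridged mode) leaves the header untouched.
    Assumes symmetric routing: the router that forwards the client's packets
    to us is the next hop on our route back to the client.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in ZS_LAN_SUBNET:
        return client_mac                 # same layer 2: the real MAC arrives
    for net, next_hop in ROUTES.items():
        if ip in net:
            return NEIGHBORS[next_hop]    # frame comes from the last-hop router
    raise ValueError(f"no route to {client_ip}")


def mac_rule_matches(rule_mac, client_ip, client_mac):
    """Would `iptables -A FORWARD -m mac --mac-source <rule_mac> -j DROP`
    ever match traffic from this client at Zeroshell?"""
    seen = source_mac_seen_by_firewall(client_ip, client_mac)
    return seen.lower() == rule_mac.lower()


if __name__ == "__main__":
    # Client behind the L3 switch (the situation in the thread): rule never matches.
    print(mac_rule_matches("00:18:F3:01:7A:D5", "10.1.20.15", CLIENT_MAC))   # False
    # Same client plugged directly into Zeroshell's LAN segment: rule matches.
    print(mac_rule_matches("00:18:F3:01:7A:D5", "192.168.0.50", CLIENT_MAC))  # True
```

    The same test can be done on a real box by checking whether the client's address is on-link for the receiving interface; if the route to it goes via another router, a MAC rule at the firewall can only ever see that router's MAC.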



    Thanks Fulvio, for some reason I didn’t even think of that. I was looking at it so hard I forgot the obvious. Thanks everyone.


