Re: iptables- block mac address



off by one wrote:
On Nov 9, 10:58 am, Pascal Hambourg <boite-a-s...@xxxxxxxxxxxxxxx>
wrote:

Hello,

off by one wrote:


I am getting a lot of spam traffic. I see a million different ips
coming through my logs but one mac address so i want to block that mac
address. In my logs i see this:

Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
.
The mac address is the same.

Yes, and it is the MAC address of your internet gateway, so you don't
want to block it unless you want to block all traffic from internet. A
router uses its own MAC address when forwarding an IP packet.


So I tried this:

iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 -j DROP

And I got this error:

iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00'
Try `iptables -h' or 'iptables --help' for more information.

What am I doing wrong?

You are misinterpreting what is shown as "MAC". It is not only the
source MAC address but the whole ethernet MAC header, including:
- the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
(Dell)
- the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
address (Netopia)
- the protocol type (2 bytes), 0x0800 for IPv4
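To make the header layout above concrete, here is an added example in Python (written for this page, not code from anyone in the thread). It splits the 14-octet MAC= field into destination MAC, source MAC and EtherType as described, applies the six-octet shape check that the iptables mac match expects, and groups the logged SRC addresses by Ethernet source MAC so a gateway shows up as one MAC fronting many IPs. The sample log lines are constructed from the excerpt quoted earlier; function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log excerpt in the thread
# (DST is left masked exactly as in the post).
SAMPLE_LOG = """\
Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT= MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT= MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90 DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
"""

MAC_FIELD_RE = re.compile(r"\bMAC=([0-9A-Fa-f:]+)")
SRC_RE = re.compile(r"\bSRC=(\S+)")
HEX_OCTET = "[0-9A-Fa-f]{2}"
# Six colon-separated hex octets: the only shape --mac-source accepts.
MAC_ADDR_RE = re.compile(rf"^{HEX_OCTET}(:{HEX_OCTET}){{5}}$")


def split_mac_field(field):
    """Split the 14-byte Ethernet header that netfilter logs as MAC=
    into (destination MAC, source MAC, EtherType)."""
    octets = field.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    dst = ":".join(octets[0:6])          # bytes 0-5: destination (your NIC)
    src = ":".join(octets[6:12])         # bytes 6-11: source (last-hop router)
    ethertype = "0x" + "".join(octets[12:14])  # bytes 12-13: 0x0800 = IPv4
    return dst, src, ethertype


def is_valid_mac_source(arg):
    """Shape check in the spirit of the mac match: six hex octets.
    The full 14-octet MAC= field fails it, which is why iptables
    in the thread answered 'Bad mac address'."""
    return MAC_ADDR_RE.match(arg) is not None


def source_ips_per_mac(log_text):
    """Group logged SRC addresses by Ethernet source MAC. Many IPs behind
    one MAC is the signature of a gateway, not of a single sending host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m, s = MAC_FIELD_RE.search(line), SRC_RE.search(line)
        if m and s:
            _, src_mac, _ = split_mac_field(m.group(1))
            seen[src_mac].add(s.group(1))
    return {mac: sorted(ips) for mac, ips in seen.items()}
```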



That sounds correct. Is there a way I can get the mac address of the
computer spamming me?


No - and even if you could have it,
you cannot block it.

The MAC addresses are transferred in the local network
only. As soon as the IP packet traverses the first
router, the MAC addresses become irrelevant.

The spammers also use several different computers
with different IP addresses to send the spam to the
final destination. Most of the sending computers
are cracked boxes sending without their owners knowing
it.

You can follow the chain of IP addresses in the headers,
but the last one you can trust is the IP feeding your
mail server (usually the ISP's mail server for a usual
home computer user).

--

Tauno Voipio
tauno voipio (at) iki fi