iptables- block mac address - Networking


Thread: iptables- block mac address

  1. iptables- block mac address

    I am getting a lot of spam traffic. I see a million different IPs
    coming through my logs but one MAC address, so I want to block that MAC
    address. In my logs I see this:

    Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
    MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
    DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
    SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
    Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
    MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
    DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
    PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
    ..
    ..
    ..
    The MAC address is the same. So I tried this:

    iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    88:08:00 -j DROP

    And I got this error:

    iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    88:08:00'
    Try `iptables -h' or 'iptables --help' for more information.

    What am I doing wrong?
    Thanks


  2. Re: iptables- block mac address

    off by one wrote:
    > I am getting a lot of spam traffic. I see a million different ips
    > coming through my logs but one mac address so i want to block that mac
    > address. In my logs i see this:
    >
    > Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
    > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
    > DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
    > SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
    > Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
    > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
    > DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
    > PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
    > .
    > .
    > .
    > The mac address is the same. So I tried this:
    >
    > iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > 88:08:00 -j DROP
    >
    > And I got this error:
    >
    > iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > 88:08:00'
    > Try `iptables -h' or 'iptables --help' for more information.
    >
    > What am I doing wrong?
    > thanks
    >


    That's not the MAC address of your router/gateway is it?

    --
    Andy Ruddock
    ------------
    andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)

  3. Re: iptables- block mac address

    Hello,

    off by one a écrit :
    > I am getting a lot of spam traffic. I see a million different ips
    > coming through my logs but one mac address so i want to block that mac
    > address. In my logs i see this:
    >
    > Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
    > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
    > DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
    > SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
    > Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
    > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
    > DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
    > PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
    > .
    > The mac address is the same.


    Yes, and it is the MAC address of your internet gateway, so you don't
    want to block it unless you want to block all traffic from the internet.
    A router uses its own MAC address when forwarding an IP packet.

    > So I tried this:
    >
    > iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > 88:08:00 -j DROP
    >
    > And I got this error:
    >
    > iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > 88:08:00'
    > Try `iptables -h' or 'iptables --help' for more information.
    >
    > What am I doing wrong?


    You are misinterpreting what is shown as "MAC". It is not only the
    source MAC address but the whole Ethernet MAC header, including:
    - the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
    (Dell)
    - the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway's MAC
    address (Netopia)
    - the protocol type (2 bytes), 0x0800 for IPv4
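    A worked illustration of that decomposition, added here as an example and not code from the thread: it splits the 14-octet MAC= field of an iptables LOG line into destination MAC, source MAC and EtherType, and tallies how many different SRC IPs appear behind each source MAC. The input is the two log lines quoted above, re-embedded as constructed sample data; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: the two iptables LOG lines quoted in the thread.
LOG_LINES = [
    "Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT= "
    "MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141 "
    "DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP "
    "SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT= "
    "MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90 "
    "DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF "
    "PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0",
]

def split_mac_field(mac_field):
    """Split the 14-octet MAC= value of an iptables LOG line into the parts of
    the Ethernet header it really is: destination MAC (6), source MAC (6),
    EtherType (2). Only the middle part is what -m mac --mac-source takes."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets in MAC= field, got %d" % len(octets))
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),
    }

def parse_log_line(line):
    """Pull the KEY=value fields out of one LOG line and decompose MAC=."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S+)", line))
    entry = split_mac_field(fields["MAC"])
    entry["src_ip"] = fields["SRC"]
    return entry

def ips_per_source_mac(lines):
    """Map each source MAC to the sorted set of SRC IPs seen behind it. Many
    unrelated IPs behind one MAC is the signature of a gateway, not of one
    spamming host, so that MAC is not a safe thing to DROP."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse_log_line(line)
        seen[entry["src_mac"]].add(entry["src_ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}
```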

  4. Re: iptables- block mac address

    On Nov 9, 10:58 am, Pascal Hambourg wrote:
    > Hello,
    >
    > off by one a écrit :
    >
    > > I am getting a lot of spam traffic. I see a million different ips
    > > coming through my logs but one mac address so i want to block that mac
    > > address. In my logs i see this:
    >
    > > Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
    > > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
    > > DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
    > > SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
    > > Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
    > > MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
    > > DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
    > > PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
    > > .
    > > The mac address is the same.
    >
    > Yes, and it is the MAC address of your internet gateway, so you don't
    > want to block it unless you want to block all traffic from internet. A
    > router uses its own MAC address when forwarding an IP packet.
    >
    > > So I tried this:
    >
    > > iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > > 88:08:00 -j DROP
    >
    > > And I got this error:
    >
    > > iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    > > 88:08:00'
    > > Try `iptables -h' or 'iptables --help' for more information.
    >
    > > What am I doing wrong?
    >
    > You are misinterpreting what is shown as "MAC". It is not only the
    > source MAC address but the whole ethernet MAC header, including :
    > - the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
    > (Dell)
    > - the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
    > address (Netopia)
    > - the protocol type (2 bytes), 0x0800 for IPv4



    That sounds correct. Is there a way I can get the MAC address of the
    computer spamming me?


  5. Re: iptables- block mac address

    off by one wrote:
    > On Nov 9, 10:58 am, Pascal Hambourg
    > wrote:
    >
    >>Hello,
    >>
    >>off by one a écrit :
    >>
    >>
    >>>I am getting a lot of spam traffic. I see a million different ips
    >>>coming through my logs but one mac address so i want to block that mac
    >>>address. In my logs i see this:
    >>
    >>>Nov 9 09:56:13 bilbo kernel: smtp: IN=eth1 OUT=
    >>>MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=212.23.3.141
    >>>DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55752 DF PROTO=TCP
    >>>SPT=35854 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
    >>>Nov 9 10:02:06 bilbo kernel: smtp: IN=eth1 OUT=
    >>>MAC=00:b0:d0:20:d2:90:00:0f:cc:89:0b:88:08:00 SRC=216.237.1.90
    >>>DST=xx.xx.xx.xx LEN=74 TOS=0x00 PREC=0x00 TTL=115 ID=58482 DF
    >>>PROTO=TCP SPT=64119 DPT=25 WINDOW=17268 RES=0x00 ACK PSH URGP=0
    >>>.
    >>>The mac address is the same.
    >>
    >>Yes, and it is the MAC address of your internet gateway, so you don't
    >>want to block it unless you want to block all traffic from internet. A
    >>router uses its own MAC address when forwarding an IP packet.
    >>
    >>
    >>> So I tried this:
    >>
    >>>iptables -A INPUT -m mac --mac-source 00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    >>>88:08:00 -j DROP
    >>
    >>>And I got this error:
    >>
    >>>iptables v1.3.6: Bad mac address `00:b0:d0:20:d2:90:00:0f:cc:89:0b:
    >>>88:08:00'
    >>>Try `iptables -h' or 'iptables --help' for more information.
    >>
    >>>What am I doing wrong?
    >>
    >>You are misinterpreting what is shown as "MAC". It is not only the
    >>source MAC address but the whole ethernet MAC header, including :
    >>- the destination address (6 bytes), 00:b0:d0:20:d2:90, your MAC address
    >>(Dell)
    >>- the source address (6 bytes), 00:0f:cc:89:0b:88, your gateway MAC
    >>address (Netopia)
    >>- the protocol type (2 bytes), 0x0800 for IPv4

    >
    >
    >
    > That sounds correct. Is there a way I can get the mac address of the
    > computer spamming me?



    No - and even if you could have it,
    you cannot block it.

    The MAC addresses are transferred in the local network
    only. As soon as the IP packet traverses the first
    router, the MAC addresses become irrelevant.

    The spammers also use several different computers
    with different IP addresses to send the spam to the
    final destination. Most of the sending computers
    are cracked boxes sending without their owners knowing
    it.

    You can follow the chain of IP addresses in the headers,
    but the last one you can trust is the IP feeding your
    mail server (usually the ISP's mail server for a usual
    home computer user).

    --

    Tauno Voipio
    tauno voipio (at) iki fi
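    As an added illustration of that last point, not code from the thread: walk the Received: chain of a message and pick out the only hop you can vouch for, the peer recorded by your own server when it accepted the message. The headers, the IPs and the hostname bilbo.example.net are constructed for the example.

```python
import re

# Assumed hostname of our own receiving mail server (example value).
OUR_SERVER = "bilbo.example.net"

# Constructed sample headers, most recent Received: line first, as MTAs
# prepend them. Only the top line was written by our own server.
RAW_HEADERS = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby bilbo.example.net with ESMTP id abc123
Received: from hostA.example.org (hostA.example.org [198.51.100.7])
\tby mail.isp.example with ESMTP id def456
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby hostA.example.org with SMTP id ghi789
From: someone@example.org
Subject: constructed sample
"""

def unfold_headers(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(raw):
    """Return [(from_ip, by_host), ...] from the hop nearest us to the origin.
    Every line below the first one could have been written by the sender."""
    chain = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        by = re.search(r"\bby\s+(\S+)", line)
        chain.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return chain

def last_trusted_ip(raw, our_server=OUR_SERVER):
    """The only IP we can vouch for: the peer our own server recorded when it
    accepted the message (for a home user, usually the ISP's mail server)."""
    for ip, by in received_chain(raw):
        if by == our_server:
            return ip
    return None
```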
