Re: quota and mac addresses

Posted: Wed Mar 02, 2016 6:28 am
by roadhawk
No, iptables doesn't accept that syntax. The ! needs to be before --mac-source, not after it, thus:

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
Whether it actually does what it is supposed to do is a different matter which I will test in 8 hours.

Re: quota and mac addresses

Posted: Wed Mar 02, 2016 6:51 am
by nworbnhoj
Really!!?
http://linux.die.net/man/8/iptables
mac

--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
What am I missing??

Re: quota and mac addresses

Posted: Wed Mar 02, 2016 7:42 am
by roadhawk
From my raspbian jessie:

jh@rpi01-jh:~ $man iptables-extensions
.
.
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains. 
.
.
Strange, because die.net is usually the reference.

Re: quota and mac addresses

Posted: Wed Mar 02, 2016 4:31 pm
by nworbnhoj
OK so that is weird - up until now I trusted man *

I have just tested on my TL-WDR3600 and indeed

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
is the only syntax discussed above that does not raise an error from iptables after /etc/init.d/firewall restart.

So let's work with this going forward and keep an eye out for errors on other platforms (just in case).

well done @roadhawk

Re: quota and mac addresses

Posted: Thu Mar 03, 2016 6:08 am
by Tareq
Hi nworbnhoj,

I didn't understand. What exactly can I do to fix my issue?

Now I use the original gargoyle_firewall_util.sh file in my router.

# Builds the static_mismatch_check chain from /etc/ethers: for every MAC/IP pair,
# a packet from that MAC carrying a different source IP is rejected.
block_static_ip_mismatches()
{
	# Feature flag from UCI; the chain is always rebuilt from scratch.
	block_mismatches=$(uci get firewall.@defaults[0].block_static_ip_mismatches 2> /dev/null)
	delete_chain_from_table static_mismatch_check filter
	if [ "$block_mismatches" = "1" ] && [ -e /etc/ethers ] ; then
		local pairs
		# Drop blank lines and join each "MAC IP" line into one MAC^IP token.
		pairs=$(cat /etc/ethers | sed '/^[ \t]*$/d' | awk ' { print $1"^"$2"\n" ; } ' )
		if [ -n "$pairs" ] ; then
			iptables -t filter -N static_mismatch_check
			local p
			for p in $pairs ; do
				local mac
				local ip
				# Split the token at "^": MAC before it, IP after it.
				mac=$(echo $p | sed 's/\^.*$//g')
				ip=$(echo $p | sed 's/^.*\^//g')
				if [ -n "$ip" ] && [ -n "$mac" ] ; then
					# Reject packets from this MAC whose source IP is not the registered one.
					iptables -t filter -A static_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
				fi
			done
			iptables -t filter -I delegate_forward -j static_mismatch_check
		fi
	fi
}

Edit:
I really appreciate your efforts, so thank you.

Re: quota and mac addresses

Posted: Thu Mar 03, 2016 7:43 am
by nworbnhoj
Try adding a single line to your gargoyle_firewall_util.sh file

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
immediately below the existing similar "iptables" line in your post so that it looks like

for p in $pairs ; do
   local mac
   local ip
   mac=$(echo $p | sed 's/\^.*$//g')
   ip=$(echo $p | sed 's/^.*\^//g')
   if [ -n "$ip" ] && [ -n "$mac" ] ; then
      iptables -t filter -A lease_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
      iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
   fi
done
and then restart the firewall with

/etc/init.d/firewall restart
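
The two-rule fix above, as an added example that is not Gargoyle's own code: a small POSIX sh script that reads an /etc/ethers-style file, validates each MAC/IP pair, and prints both REJECT rules for a chain instead of applying them, so the generated rule set can be reviewed before the firewall restart. The chain name lease_mismatch_check comes from the thread; the helper names, the validation patterns and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not Gargoyle's own code. Builds the two REJECT rules from the
# thread for every "MAC IP" pair in an /etc/ethers-style file and prints them
# instead of running them, so the rule set can be reviewed (and diffed against
# a running firewall) before restart. Chain name and file path are assumptions.

# Rule 1: a packet from the registered MAC using any other IP is rejected.
# Rule 2: a packet claiming the static IP from any other MAC is rejected.
# Both "!" operators sit before the option they negate, as roadhawk noted.
mismatch_rules_for_pair() {
    printf 'iptables -t filter -A %s ! -s %s -m mac --mac-source %s -j REJECT\n' "$1" "$2" "$3"
    printf 'iptables -t filter -A %s -s %s -m mac ! --mac-source %s -j REJECT\n' "$1" "$2" "$3"
}

# Accept only XX:XX:XX:XX:XX:XX MACs and dotted-quad IPv4 addresses, so a
# malformed ethers entry cannot turn into a broken or overly broad rule.
valid_pair() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$2" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
}

# Strip comments and blank lines, then emit rules for each valid MAC/IP pair;
# rejected entries are reported on stderr rather than silently dropped.
build_mismatch_rules() {
    chain=$1
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$2" | while read -r mac ip rest; do
        if valid_pair "$ip" "$mac"; then
            mismatch_rules_for_pair "$chain" "$ip" "$mac"
        else
            printf 'skipping malformed ethers entry: %s %s\n' "$mac" "$ip" >&2
        fi
    done
}

# Constructed sample input standing in for /etc/ethers.
SAMPLE_ETHERS=$(mktemp)
cat > "$SAMPLE_ETHERS" <<'EOF'
# MAC               IP
00:11:22:33:44:55   192.168.1.10
aa:bb:cc:dd:ee:ff   192.168.1.11
not-a-mac           192.168.1.12
EOF
build_mismatch_rules lease_mismatch_check "$SAMPLE_ETHERS"
rm -f "$SAMPLE_ETHERS"
```

Pipe the output into sh only once the printed rules look right; the malformed third entry is reported on stderr and produces no rule.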

Re: quota and mac addresses

Posted: Tue Mar 29, 2016 11:34 am
by Tareq
Hi, nworbnhoj

Thank you man, it works fine.

Re: quota and mac addresses

Posted: Sat Dec 23, 2017 4:41 am
by Tareq

for p in $pairs ; do
   local mac
   local ip
   mac=$(echo $p | sed 's/\^.*$//g')
   ip=$(echo $p | sed 's/^.*\^//g')
   if [ -n "$ip" ] && [ -n "$mac" ] ; then
      iptables -t filter -A lease_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
      iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
   fi
done

This code no longer works in the new update 1.10.0.

Please can you help.

Re: quota and mac addresses

Posted: Sat Dec 23, 2017 5:16 am
by Lantis
What evidence do you have to say it doesn't work? What exactly are you trying to do and what error are you encountering?

Re: quota and mac addresses

Posted: Sat Dec 23, 2017 6:03 am
by Tareq
Lantis wrote: What evidence do you have to say it doesn't work? What exactly are you trying to do and what error are you encountering?
I'm sorry, it really works fine without that code.

I have files that I have customized for myself, and when I copied them to the new version, I had a problem because I replaced the "gargoyle_firewall_util.sh" file.

Now it works fine without replacing that file.

Thank you.