
Alexander
Hi.
I want to block outgoing traffic on port 445 for a MAC address. Can I get some help?

This rule doesn't work. I don't know why.

iptables -A OUTPUT -p tcp --destination-port 445 -m mac --mac-source 70:4d:7b:6f:2b:60 -j DROP
Wednesday, July 10 2019, 08:02 AM
Responses (8)
  • Accepted Answer

    Saturday, July 13 2019, 06:53 AM - #Permalink
    If you know the MAC address but not the IP, why not use
    arp -a

    That'll give you all the MAC/IP pairings on the network
    (that's assuming of course that the machine does have a valid IP address)

    Alternatively, if you've switches with IP addresses in the way, tracert would give you the route to the target machine... that might help you to track down its location
  • Accepted Answer

    Thursday, July 11 2019, 07:34 AM - #Permalink
    "$IPTABLES" does not work at the command line. You have to use "iptables" there. It should, however, be used in the custom firewall.
  • Accepted Answer

    Alexander
    Thursday, July 11 2019, 05:48 AM - #Permalink
    Nick Howitt wrote:

    You can't reboot the connection remotely. If you block both the INPUT and FORWARD chain (please use $IPTABLES and not iptables), then you will restrict his working more and he may contact you sooner. You can't stop his DHCP lease until it expires and, if he has a static IP, he will never need to renew his lease.


    Thanks for the advice, but $IPTABLES is not working. Command is not permitted.
  • Accepted Answer

    Wednesday, July 10 2019, 01:33 PM - #Permalink
    You can't reboot the connection remotely. If you block both the INPUT and FORWARD chain (please use $IPTABLES and not iptables), then you will restrict his working more and he may contact you sooner. You can't stop his DHCP lease until it expires and, if he has a static IP, he will never need to renew his lease.
  • Accepted Answer

    Alexander
    Wednesday, July 10 2019, 01:13 PM - #Permalink
    I have 1 idea.
    Can I block all traffic of a MAC address? Yes, I can.

    iptables -I INPUT -m mac --mac-source MAC -j REJECT

    This rule works fine, but I need to reboot the network connection on that PC. DHCP doesn't give a lease IP to this computer and the user of that computer will ask me to help cuz he will not have an internet connection = we found this computer.

    But idk how I can reboot the network connection remotely. Maybe I could wait until the lease IP time is over....
  • Accepted Answer

    Wednesday, July 10 2019, 10:53 AM - #Permalink
    I'm afraid that won't help. If everything is on the same LAN segment, traffic does not pass through the firewall. Your switch will handle it directly. All your block will do is stop the traffic going onto the internet and most sysadmins will not allow incoming tcp:445 traffic from the internet.

    You can get an idea of the name by searching the /var/log/messages for the dnsmasq-dhcp process, so something like:
    grep 'dnsmasq-dhcp.*70:4d:7b:6f:2b:60' /var/log/messages


    Or you could annoy the users and just block all forwarding on those MAC addresses and assume you'll soon get a support call from the disgruntled users!

    Another approach is to ping the IP and disconnect LAN segments at your various switches until it breaks the ping. This will narrow down the location.
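Added example, not part of the thread or of ClearOS: the log search suggested in the reply above, extended to list every lease a MAC address was given and any hostname the client sent. The function names, the sample log lines and the assumed line shape `dnsmasq-dhcp[PID]: DHCPACK(iface) IP MAC [hostname]` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each IP/hostname a MAC received in dnsmasq-dhcp log lines.
# Assumed line shape: "... dnsmasq-dhcp[PID]: DHCPACK(iface) IP MAC [hostname]"

# dhcp_leases_for_mac MAC [FILE] -> prints "month day time ip hostname" per
# DHCPACK, with "-" when the client sent no hostname. Reads stdin if no FILE.
dhcp_leases_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # compare case-insensitively
    shift
    awk -v mac="$mac" '
        /dnsmasq-dhcp\[[0-9]+\]: DHCPACK\(/ {
            # locate the DHCPACK(iface) field; IP and MAC follow it
            for (i = 1; i <= NF; i++) if ($i ~ /^DHCPACK\(/) break
            if (tolower($(i + 2)) != mac) next
            host = (i + 3 <= NF) ? $(i + 3) : "-"
            print $1, $2, $3, $(i + 1), host
        }' "$@"
}

# Constructed sample log lines (not taken from a real system)
sample_log() {
cat <<'EOF'
Jul 10 07:58:01 gw dnsmasq-dhcp[1432]: DHCPREQUEST(eth1) 192.168.1.57 70:4d:7b:6f:2b:60
Jul 10 07:58:01 gw dnsmasq-dhcp[1432]: DHCPACK(eth1) 192.168.1.57 70:4d:7b:6f:2b:60
Jul 10 07:59:40 gw dnsmasq-dhcp[1432]: DHCPACK(eth1) 192.168.1.23 00:00:5e:00:53:01 reception-pc
Jul 10 19:58:02 gw dnsmasq-dhcp[1432]: DHCPACK(eth1) 192.168.1.57 70:4D:7B:6F:2B:60 DESKTOP-TEMP
EOF
}

sample_log | dhcp_leases_for_mac 70:4d:7b:6f:2b:60
```

Against the real log the call would be `dhcp_leases_for_mac 70:4d:7b:6f:2b:60 /var/log/messages`.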
  • Accepted Answer

    Alexander
    Alexander
    Offline
    Wednesday, July 10 2019, 10:34 AM - #Permalink
    There are 3 computers in my LAN which have a Windows virus that attacks other computers on port 445 in my LAN (network attack). I do not know where these computers are located, since it wasn't given a DHCP name. So I want to block this outgoing traffic on these computers (block MAC).

    P.S. Sorry for the other post.
  • Accepted Answer

    Wednesday, July 10 2019, 09:49 AM - #Permalink
    Welcome to ClearOS. As a new user your first couple of posts get moderated so don't appear immediately. I'll delete your other post.

    Firstly, are you sure you want to block 445? That is a samba port, whereas 443 is the https port.

    The OUTPUT chain blocks traffic originating from ClearOS. The FORWARD chain blocks traffic originating from the LAN (unless it is processed on ClearOS so looks like it is originating from ClearOS). I suspect you need to block the FORWARD chain.

    Please also use "$IPTABLES" and not "iptables" in the custom rules. If you don't want to do that, then you must use the -w switch as well, so "iptables -w".
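Added example, not part of the thread or of ClearOS: the rule from the question moved to the FORWARD chain, as the reply above suggests, generated per MAC address. The `mac` match reads the source MAC of packets arriving on an Ethernet interface, so it is usable in PREROUTING, INPUT and FORWARD but not in OUTPUT. The function names and the second MAC address are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit per-MAC rules that drop forwarded SMB (tcp/445) traffic.
# The script only prints the rules so they can be reviewed before use.

# In the custom firewall rules $IPTABLES is already set; elsewhere fall back
# to "iptables -w", as the thread advises.
IPT="${IPTABLES:-iptables -w}"

# valid_mac MAC -> exit status 0 if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# smb_block_rules MAC... -> prints one FORWARD rule per valid MAC;
# returns 1 if any argument was rejected
smb_block_rules() {
    rc=0
    for mac in "$@"; do
        if valid_mac "$mac"; then
            printf '%s -I FORWARD -p tcp --dport 445 -m mac --mac-source %s -j DROP\n' \
                "$IPT" "$mac"
        else
            printf 'skipping invalid MAC: %s\n' "$mac" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Dry run: the first MAC is the one from the question, the second is a
# constructed placeholder.
smb_block_rules 70:4d:7b:6f:2b:60 00:00:5e:00:53:01
```

As noted earlier in the thread, these rules only affect traffic that is routed through the gateway; traffic between hosts on the same LAN segment never reaches them.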