Issue
Custom firewall Issue
Hi.
I want to block outgoing traffic on port 445 for a MAC address. Can I get some help?
This rule doesn't work. I don't know why.
iptables -A OUTPUT -p tcp --destination-port 445 -m mac --mac-source 70:4d:7b:6f:2b:60 -j DROP
In Firewall
Responses (8)
Accepted Answer
If you know the MAC address but not the IP, why not use
arp -a
That'll give you all the MAC/IP pairings on the network
(that's assuming of course that the machine does have a valid IP address)
Alternatively, if you have switches with IP addresses in the way, tracert would give you the route to the target machine... that might help you to track down its location.
Accepted Answer
Nick Howitt wrote:
You can't reboot the connection remotely. If you block both the INPUT and FORWARD chain (please use $IPTABLES and not iptables), then you will restrict his working more and he may contact you sooner. You can't stop his DHCP lease until it expires and, if he has a static IP, he will never need to renew his lease.
Thanks for the advice, but $IPTABLES is not working. Command is not permitted.
Accepted Answer
You can't reboot the connection remotely. If you block both the INPUT and FORWARD chain (please use $IPTABLES and not iptables), then you will restrict his working more and he may contact you sooner. You can't stop his DHCP lease until it expires and, if he has a static IP, he will never need to renew his lease.
Accepted Answer
I have one idea.
Can I block all traffic of a MAC address? Yes, I can.
iptables -I INPUT -m mac --mac-source MAC -j REJECT
This rule works fine, but I need to reboot the network connection on that PC. DHCP doesn't give a lease IP to this computer, and the user of that computer will ask me to help because he will not have an internet connection = we found this computer.
But I don't know how I can reboot the network connection remotely. Maybe I could wait until the IP lease time is over....
Accepted Answer
I'm afraid that won't help. If everything is on the same LAN segment, traffic does not pass through the firewall. Your switch will handle it directly. All your block will do is stop the traffic going onto the internet and most sysadmins will not allow incoming tcp:445 traffic from the internet.
You can get an idea of the name by searching the /var/log/messages for the dnsmasq-dhcp process, so something like:
grep 'dnsmasq-dhcp.*70:4d:7b:6f:2b:60' /var/log/messages
Or you could annoy the users and just block all forwarding on those MAC addresses and assume you'll soon get a support call from the disgruntled users!
Another approach is to ping the IP and disconnect LAN segments at your various switches until it breaks the ping. This will narrow down the location.
Accepted Answer
There are 3 computers in my LAN which have a Windows virus that attacks other computers on port 445 in my LAN (network attack). I do not know where these computers are located, since they weren't given a DHCP name. So I want to block this outgoing traffic on these computers (block MAC).
P.S. Sorry for the other post.
Accepted Answer
Welcome to ClearOS. As a new user your first couple of posts get moderated so don't appear immediately. I'll delete your other post.
Firstly, are you sure you want to block 445? That is a samba port, whereas 443 is the https port.
The OUTPUT chain blocks traffic originating from ClearOS. The FORWARD chain blocks traffic originating from the LAN (unless it is processed on ClearOS so looks like it is originating from ClearOS). I suspect you need to block the FORWARD chain.
Please also use "$IPTABLES" and not "iptables" in the custom rules. If you don't want to do that, then you must use the -w switch as well, so "iptables -w".
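As an added example that is not code from the thread or from ClearOS, the helper below ties together Nick's dnsmasq-dhcp log lookup and his FORWARD-chain/$IPTABLES advice: it assumes the usual dnsmasq-dhcp line format in /var/log/messages, and the log lines in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or ClearOS. Assumes the ClearOS custom-firewall
# convention of calling iptables through $IPTABLES and the standard dnsmasq-dhcp
# log format; SAMPLE_LOG below is constructed for this demo.

SAMPLE_LOG='Jan  5 10:01:02 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) 70:4d:7b:6f:2b:60
Jan  5 10:01:02 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.57 70:4d:7b:6f:2b:60 desktop-7
Jan  5 10:03:44 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.23 aa:bb:cc:dd:ee:01 laptop-2
Jan  5 10:09:10 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.88 11:22:33:44:55:66
Jan  5 11:15:30 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.61 70:4d:7b:6f:2b:60 desktop-7'

# dhcp_ack_for_mac MAC LOGTEXT
# Prints "IP hostname" from the most recent DHCPACK for MAC. A client that sent no
# name (the case in the thread) is reported as "(no-name)". MAC case is ignored.
dhcp_ack_for_mac() {
    printf '%s\n' "$2" | grep -i "dnsmasq-dhcp.*DHCPACK.*$1" | tail -n 1 |
    awk -v mac="$1" '{
        for (i = 1; i <= NF; i++)
            if (tolower($i) == tolower(mac))
                printf "%s %s\n", $(i - 1), (i < NF ? $(i + 1) : "(no-name)")
    }'
}

# ClearOS custom rules should use $IPTABLES; outside that environment fall back to
# "iptables -w", which waits for the xtables lock instead of failing when busy.
IPTABLES="${IPTABLES:-iptables -w}"

# block_mac_445 MAC
# Prints rules for the FORWARD chain (LAN host -> beyond the gateway) and the INPUT
# chain (LAN host -> the gateway itself). The OUTPUT chain only sees traffic the
# gateway originates, which is why the rule in the question never matched.
# Each DROP is inserted first, then a LOG rule is inserted above it with -I, so
# every blocked attempt is logged with the host's current source IP.
block_mac_445() {
    for chain in FORWARD INPUT; do
        echo "$IPTABLES -I $chain -p tcp --dport 445 -m mac --mac-source $1 -j DROP"
        echo "$IPTABLES -I $chain -p tcp --dport 445 -m mac --mac-source $1 -j LOG --log-prefix 'smb445-block: '"
    done
}

# Demo: look the MAC up in the sample log, then print the rules it would need.
dhcp_ack_for_mac 70:4d:7b:6f:2b:60 "$SAMPLE_LOG"
block_mac_445 70:4d:7b:6f:2b:60
```

On a real gateway, replace SAMPLE_LOG with "$(cat /var/log/messages)" and pipe the printed rules into sh as root to apply them.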