
I hope someone here can help me out with this as it’s probably a really easy setup.

I am on centos 8 — disabled firewalld and installed iptables-services.

I have one physical interface with a bridge to a few qemu kvm guests. I want to block all outgoing (incoming is fine) mac addresses except for the ones I specify so that the kvm guests can only access the network if they have their assigned mac address. So that no packets from another mac address will ever go beyond that one physical network interface.

How would I go about doing that?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp35s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge0 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:f9:9b brd ff:ff:ff:ff:ff:ff
3: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:f9:9b brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.xxx/32 scope global noprefixroute bridge0
       valid_lft forever preferred_lft forever
    inet6 X::2/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 X:8fa/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

EDIT:
I already tried:
iptables -A OUTPUT -m mac --mac-source 00:50:56:00:A5:8A -j ACCEPT
but it throws me the following error:
iptables v1.8.4 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

2 Answers


  1. Chosen as BEST ANSWER

    So I was able to figure out that it might be possible with iptables but everything I found regarding that wasn't applicable to the OUTPUT chain. There is a much simpler way for my case which is just using a nwfilter on the nic in the KVM.xml.

    This is what I added:

      <filterref filter='clean-traffic'>
        <parameter name='IP' value='XXX.XXX.XXX.XXX'/>
      </filterref>
    

  2. You can do this for all selected kvms plus your host

    iptables -A OUTPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

    iptables -A OUTPUT -m mac --mac-source yy:yy:yy:yy:yy:yy -j ACCEPT

    Then drop everything else

    iptables -A OUTPUT -j DROP
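For reference: the iptables `mac` match used in the reply above is documented as valid only in the PREROUTING, FORWARD and INPUT chains, which is why appending it to OUTPUT fails with "Invalid argument" as reported in the question. On a CentOS 8 host (nf_tables backend) the host-side way to enforce "this guest port may only send frames with its assigned MAC" is an nftables ruleset in the bridge family, keyed on the bridge port each guest is attached to. The script below is an added example written for this thread, not code posted by anyone in it; the guest port names (vnet0, vnet1) and MAC addresses are constructed placeholders, and it assumes libvirt attaches the guests to bridge0 through vnetN ports.

```shell
#!/bin/sh
# Added example (not from the original thread): build, check or apply an
# nftables ruleset in the "bridge" family so that each KVM guest port on the
# host bridge may only emit frames carrying its assigned source MAC.
# Guest port names and MACs below are constructed placeholders; list the real
# ports with "ip link show master bridge0" and the MACs from each guest's XML.

# Whitelist: one "<guest port> <allowed source MAC>" pair per line.
ALLOWED='vnet0 52:54:00:aa:bb:01
vnet1 52:54:00:aa:bb:02'

# port_rules: emit one drop rule per guest port, matching frames whose
# source MAC differs from the one assigned to that port.
port_rules() {
    printf '%s\n' "$ALLOWED" | while read -r port mac; do
        [ -n "$port" ] || continue
        printf '        iifname "%s" ether saddr != %s counter drop\n' "$port" "$mac"
    done
}

# gen_ruleset: print the complete ruleset. The forward hook covers frames
# bridged towards the physical NIC (and other guests); the input hook covers
# frames addressed to the host itself, so a spoofed MAC reaches neither.
gen_ruleset() {
    printf 'table bridge guestmac {\n'
    for hook in forward input; do
        printf '    chain %s {\n' "$hook"
        printf '        type filter hook %s priority 0; policy accept;\n' "$hook"
        port_rules
        printf '    }\n'
    done
    printf '}\n'
}

# Usage: ./guestmac.sh           -> print the ruleset for inspection
#        ./guestmac.sh --check   -> syntax-check it with nft, apply nothing
#        ./guestmac.sh --apply   -> (re)load the table; run as root
case "${1:-}" in
    --check) gen_ruleset | nft -c -f - ;;
    --apply)
        # Drop a previous copy of the table first so re-runs do not duplicate rules.
        nft list table bridge guestmac >/dev/null 2>&1 && nft delete table bridge guestmac
        gen_ruleset | nft -f - ;;
    *)       gen_ruleset ;;
esac
```

Run it without arguments first and read the generated rules, then `--check` to let nft validate the syntax before anything is loaded. The `counter` on each drop rule makes `nft list table bridge guestmac` show whether a guest has actually tried to send with a foreign MAC, which is the signal to look at if a guest suddenly loses connectivity. Note that libvirt's `clean-traffic` nwfilter from the accepted answer installs an equivalent per-port source-MAC check on its own, so pick one mechanism rather than stacking both.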
