
How to log MAC address of computer trying to access blocked IP?

Discussion in 'Tomato Firmware' started by Dataa, May 30, 2014.

  1. Dataa

    Dataa Network Newbie Member

    I would like to log the MAC address of the computer trying to access a certain IP address, so I can block that MAC address at a later time.

    Admin-Script-Firewall
    iptables -I FORWARD -d <external ip address to be blocked> -j REJECT
    iptables -I FORWARD -d <external ip address to be blocked> -j LOG

    The log only contains the internal ip address of the culprit. I would like the log to also contain the MAC address, so it is easier to identify the device.

    example of the log
    May 30 15:29:31 unknown user.warn kernel: IN=br0 OUT=vlan1 SRC=<internal ip of the culprit> DST=<external ip address to be blocked> LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2384 DF PROTO=TCP SPT=50872 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

    P.S. I know that I can find out the MAC of the device by using the IP address. However, the IP is dynamic, and this network is free unsecured wifi. Many devices connect to this network and it is possible that another device may get assigned the same IP later on. That is why I want to log the MAC of the device at the time it tries to access the blocked IP address.
    _________________________________________________________
    Device I am using to experiment: WRT54gl
    Running Tomato by Shibby: 1.28.0005 112 ND VPN
     
  2. koitsu

    koitsu Network Guru Member

    You need to use the -m mac argument (to enable the netfilter mac module, which allows for MAC-based matching), and then use the --mac-source aa:bb:cc:dd:ee:ff flag to match the MAC address. This will work regardless of what IP address the client has.

    What chain (INPUT/OUTPUT/FORWARD) and table (nat vs. filter) this goes into is somewhat of a separate topic and to be completely honest I can't remember -- I think it goes into FORWARD but I'm not 100% sure, so I'd wait 'til someone else can answer.
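
As an added example (not part of the thread and not code from either poster), this shell script names the MAC behind a LOG line at the moment the line appears: it uses the line's MAC= field when one is present and otherwise looks SRC up in a table in /proc/net/arp format. The function names, sample addresses and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): name the MAC behind a LOG line when it is seen.

# Print the value of KEY= from a LOG line (nothing if the field is absent).
log_field() {  # $1 = key, $2 = log line
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# A MAC= field is the 14-byte Ethernet header: 6 bytes destination,
# 6 bytes source, 2 bytes EtherType. Print the source address.
log_src_mac() {  # $1 = log line
    log_field MAC "$1" | cut -d: -f7-12
}

# Look an IP up in a table in /proc/net/arp format (column 1 IP, column 4 MAC),
# skipping incomplete entries that show an all-zero hardware address.
arp_mac() {  # $1 = ip, $2 = table path (default /proc/net/arp)
    awk -v ip="$1" 'NR > 1 && $1 == ip && $4 != "00:00:00:00:00:00" { print $4; exit }' \
        "${2:-/proc/net/arp}"
}

# Prefer the MAC carried in the line itself; otherwise ask the ARP table now,
# while the dynamic lease still belongs to the device that sent the packet.
resolve_mac() {  # $1 = log line, $2 = table path
    mac=$(log_src_mac "$1")
    [ -n "$mac" ] || mac=$(arp_mac "$(log_field SRC "$1")" "$2")
    printf '%s %s\n' "$(log_field SRC "$1")" "${mac:-unknown}"
}

# Constructed sample data: an ARP snapshot and three LOG lines.
ARP_SAMPLE=$(mktemp)
trap 'rm -f "$ARP_SAMPLE"' EXIT
cat > "$ARP_SAMPLE" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         aa:bb:cc:dd:ee:01     *        br0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
NO_MAC_LINE='kernel: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=50872 DPT=80'
MAC_LINE='kernel: IN=br0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.40 DST=203.0.113.10 LEN=48 PROTO=TCP'
STALE_LINE='kernel: IN=br0 OUT=vlan1 SRC=192.168.1.40 DST=203.0.113.10 LEN=48 PROTO=TCP'

resolve_mac "$NO_MAC_LINE" "$ARP_SAMPLE"   # resolved from the ARP snapshot
resolve_mac "$MAC_LINE" "$ARP_SAMPLE"      # taken from the line's MAC= field
resolve_mac "$STALE_LINE" "$ARP_SAMPLE"    # incomplete ARP entry, reported as unknown
```

On a router, leave the second argument empty so the lookup reads /proc/net/arp, and pass resolve_mac each new matching syslog line as it arrives.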
     
