Hi all,

Well lets get straight to the point.

I use the touchterm app for iPhone to monitor my server while on the road. But for secure reasons i have port 22 open for some ip addresses (work, home, school) which is ok when i am on a wifi connection in these places but i wanted to improve my iptables skills and add a MAC address filter.

So i used the syslog, in which iptables logs, to check what the MAC address of my iPhone was while its on the 3G connection.

Well it logs the most crazy MAC address i have ever seen in my sysadmin lifetime, 00:XX:48:XX:2d:XX:00:XX:23:XX:00:XX:08:XX. The XX's are my doing for secure reasons, go figure :-p

This is only the tip of the iceberg, this MAC is logged for every entry in all my logs. Since i never was intrested in this kind of info i never noticed this but now i really want to know what kind of crazy problem this is. Does anybody have this problem? Why isnt my log as acurate as it should be? What is this wierd kernel thinking?

Running Ubuntu 8.04 Hardy Heron

uname -a
Linux XXXX 2.6.24-23-server #1 SMP Wed Apr 1 22:22:14 UTC 2009 i686 GNU/Linux

iptables -V
iptables v1.3.8

well that's too long for a mac address, which is only 12 hex characters, but the mac address *SHOULD* be the same, as it should be the mac of the upstream router. Remember that mac addresses are only relevant to the local subnet (so why you've "secured" it I've no idea.) not the wider layer 3 world.

Well ok thanks for pointing that out but this still leaves me with the question that iptables is logging incorrect mac addresses and i dont know why...

wrong address? how about you show us some logs and we'll explain them as best we can.

Little piece of log file:

May 22 10:09:21 teletran-04 kernel: [1731231.529678] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=217.162.236.73 DST=217.xxx.33.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=5272 DF PROTO=TCP SPT=4777 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
May 22 10:09:24 teletran-04 kernel: [1731234.383947] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=217.162.236.73 DST=217.xxx.33.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=6396 DF PROTO=TCP SPT=4777 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
May 22 10:11:49 teletran-04 kernel: [1731379.386605] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=110 ID=22136 DF PROTO=TCP SPT=1878 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 10:11:52 teletran-04 kernel: [1731382.369008] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=110 ID=23208 DF PROTO=TCP SPT=1878 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 10:11:58 teletran-04 kernel: [1731388.410640] iptables: LDROP IN=eth0 OUT= MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00 SRC=211.137.5.163 DST=217.xxx.33.xxx LEN

You can see that the destination ip addresses are different but the MAC addresses are the same and long.

MAC=00:30:48:25:2d:48:00:04:23:09:00:e6:08:00
is an ethernet mac header
00:30:48:25:2d:48 is the destination, your server
00:04:23:09:00:e6 is the src, the gateway router of you server, intel
08:00 is IPv4

Ok, well thank you, great reply!

But, why is my logfile not showing the MAC address of the machine trying to connect to my server? This should logged right? Or am i missing a iptables syntax?

As I said above, MAC is layer 2 data, so does not persist across a router. A remote devices MAC address is really of no interest to you, and it's impossible to know it from a standard IP packet.