Mark packets with iptables by destination mac address

networking iptables nat traffic-shaping
11,073

The trick is to combine iptables --mac-source with CONNMARK:

  • First use --mac-source to match packets coming from the mac address you're interested in. It's the wrong direction since you're interested in packets going to this mac address, but now you can
  • use CONNMARK to mark the whole connection, ie both directions (!) and
  • set the mark from the connection mark with --restore-mark 


# lan interface
if_lan=eth0

# create 'mark_mac' table for marking connections:
iptables -t mangle -N mark_mac
iptables -t mangle -A mark_mac -j MARK --set-mark 1234
iptables -t mangle -A mark_mac -j CONNMARK --save-mark

# mark connections involving mac address:
iptables -t mangle -A PREROUTING -i $if_lan -m state --state NEW -m mac --mac-source 9c:4e:36:aa:bb:cc -j mark_mac

# mark packets going to mac:
iptables -t mangle -A POSTROUTING -o $if_lan -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark


Initially i thought this would only work for tcp connections originating from the lan, but given the definition of --state NEW it should work in both directions for both tcp and udp (!)

See also Policy Routing on Linux based on Sender MAC Address which was the inspiration for this answer.

Share:
11,073

Related videos on Youtube

Serhii Matrunchyk
Author by

Serhii Matrunchyk

Updated on September 18, 2022

Comments

  • Serhii Matrunchyk
    Serhii Matrunchyk over 1 year

    I need to mark packets which goes to a specified mac address.

    I need this to use in shaper with tc.

    --mac-destination doesn't exist in iptables.

    Also I tried to use ebtables:

    ebtables -t nat -A POSTROUTING -d 9c:4e:36:aa:bb:cc -j mark --set-mark 0x2003 --mark-target ACCEPT

    but it doesn't mark anything (at least ebtables -t nat -L --Lc shows me 0 counters)

    Please help! Thank you so much!

  • Serhii Matrunchyk
    Serhii Matrunchyk over 8 years
    Thank you. I used ebtables -t nat -A PREROUTING -p arp --arp-mac-dst bc:5f:f4:aa:bb:cc -j mark --mark-set 0x2003 and ebtables -t nat -L --Lv shows no matches..
  • lemonsqueeze
    lemonsqueeze almost 7 years
    This answer is misleading: wifi networks do have mac addresses and iptables --mac-source works fine with them. The man page should probably read "... coming from an ethernet/wifi device"

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

NAT using iptables on Ubuntu 16.04 doesn't work
What's the difference between PREROUTING and FORWARD in iptables?
Using iptables SNAT based on source interface and ip address
Randomize external port when doing NAT with iptables
How can I do DNAT and SNAT on Windows 7?
iptables NAT & virtual machine networking
KVM Guest with NAT + Bridged networking
Linux - two subnets, one interface, one gateway - NAT the additional subnet
Routing application traffic through specific interface
How to set mark on packet when forwarding it in nat prerouting table?