[CentOS] iptables rule (MAC filtering)
Jordi Espasa Clofent
sistemes.llistes at intergrid.cat
Mon Jun 25 20:24:37 UTC 2007
> 127.x is always private to each host, so it is confusing. I just assumed
> it was one address that just came to your mind.
Ok. It's a typo: I wanted to write 172.26.0.0/24 :P
> MAC addresses are easy too, only less known.
Yes, of course. Mostly for advanced users or sysadmins. But in this case
the LAN clients are Win machines with "normal" users. I think they don't
even know what a MAC address is.
> Two of these for each of the two hosts? That's what I don't understand.
> Let's suppose you have host A, B, C, D, E, and want only A and B to have
> access to the web. So, the rules would look like:
> 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
> mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
> mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> Ditto for -A OUTPUT.
> So, what happens when C, D or E send a packet? They don't match any mac
> address, so they will be DNAT'ed to 192.168.1.1.
> What about A? It doesn't match rule 1, but it matches rule 2, so it will
> be DNAT'ed also.
> And host B? It matches rule 1, so it is DNAT'ed.
> Thus the use of chains, to send each host to the proper chain and there
> do the work (dnat or don't dnat).
Now I see it! You're absolutely right: I've misunderstood the process,
so the use of chains will be the correct strategy.
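The chain-based layout the quoted reply describes, written out as an added example (not code from the thread): hosts whose MAC is allowed RETURN out of a user-defined nat chain, and everything left over is DNATed to the web server. The interface name, chain name and the MAC addresses passed in are assumptions; by default the script only prints the iptables commands, and runs them only when APPLY=1.

```shell
#!/bin/sh
# Added example: MAC-based allow list for port 80 using a user-defined chain.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"          # assumed LAN-facing interface
REDIRECT_TO="192.168.1.1:80"      # destination from the quoted rules
CHAIN="WEB_ALLOW"                 # assumed chain name

# Print one iptables command, or execute it when APPLY=1.
run() {
  if [ "$APPLY" = "1" ]; then
    "$IPT" "$@"
  else
    echo "$IPT $*"
  fi
}

# build_mac_rules MAC [MAC...]
# Emits the whole ruleset for the given allowed source MACs.
build_mac_rules() {
  run -t nat -N "$CHAIN"
  run -t nat -F "$CHAIN"
  # Every HTTP packet from the LAN is handed to the user chain.
  # (-m mac is only valid in PREROUTING/INPUT/FORWARD, so nothing for OUTPUT.)
  run -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
  for mac in "$@"; do
    # An allowed host leaves the chain here and is never DNATed.
    run -t nat -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
  done
  # Anything that did not RETURN above is redirected.
  run -t nat -A "$CHAIN" -j DNAT --to-destination "$REDIRECT_TO"
}

# Usage: sh script.sh 00:11:22:33:44:55 66:77:88:99:aa:bb
if [ "$#" -gt 0 ]; then
  build_mac_rules "$@"
fi
```

Source MACs are trivially changed by the client, so this only keeps casual users out; it is not an authentication mechanism.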