127.x is always private to each host, so it is confusing. I just assumed it was one address that just came to your mind.
Ok. It's a typo: I wanted to write 172.26.0.0/24 :P
MAC addresses are easy too, only less known.
Yes, of course. Almost for advanced users or sysadmins. But in this case the LAN clients are Win machines with "normal" users. I think they don't know even what's a MAC address.
Two of these for each of the two hosts? That's what I don't understand.
Let's suppose you have host A, B, C, D, E, and want only A and B to have access to the web. So, the rules would look like:
- iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
Ditto for -A OUTPUT.
So, what happens when C, D or E send a packet? They don't match any mac address, so they will be DNAT'ed to 192.168.1.1.
What about A? It doesn't match rule 1, but it matches rule 2, so it will be DNAT'ed also.
And host B? It matches rule 1, so it is DNAT'ed.
Thus the use of chains, to send each host to the proper chain and there do the work (dnat or don't dnat).
Now I see it! You have all the reason: I've missunderstood the process, so the use of chain will be the correct strategy.
;)