[CentOS] iptables rule (MAC filtering)

Luciano Rocha strange at nsk.no-ip.org
Mon Jun 25 17:31:35 UTC 2007

On Mon, Jun 25, 2007 at 06:20:04PM +0200, Jordi Espasa Clofent wrote:
>  Hi all,
>  I've a CentOS box which as two NIC; this box is also a router for LAN 
>  subnet:
>  ------------------------------------
>  | eth0 (external)    |
                     ^^^^^^^^^ this is a very bad example
>  | eth1 (internal) |
>  ------------------------------------
>            |
>     LAN clients (
>  I want to allow http acces only for two LAN boxes; an only http access, 
>  which means that others protocols as smtp, pop3, imap and so on will be 
>  permited. The rest of LAN boxes will be redirected to a local http service 
>  (
>  I think the best way is creating a iptables rules based on MAC address.

Why MAC and not IP addresses?

> So, 
>  the rules I've made are:
>  iptables -t nat -A PREROUTING -p tcp -s -m mac --mac-source ! 
>  xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination
>  iptables -t nat -A PREROUTING -p tcp -s -m mac --mac-source ! 
>  xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination
>  Please, note the exclamation symbol, which means a logical negation.

Yes, but ORing the two, all clients should have gone to the local http

The best thing, in this case, is to use chains:

iptables -t nat -N twoboxen
iptables -t nat -N others

iptables -t nat -A PREROUTING --mac-source aaaaaaaaaa -j twoboxen
iptables -t nat -A PREROUTING --mac-source bbbbbbbbbb -j twoboxen
iptables -t nat -A PREROUTING -j others

iptables -t nat -A twoboxen -j ACCEPT
iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.centos.org/pipermail/centos/attachments/20070625/650588a4/attachment.bin

More information about the CentOS mailing list