[CentOS] iptables rule (MAC filtering)

Jordi Espasa Clofent sistemes.llistes at intergrid.cat
Mon Jun 25 19:46:22 UTC 2007

>                      ^^^^^^^^^ this is a very bad example

It's an understandable example; so, it's enough.

> Why MAC and not IP addresses?

IP addresses are very easy to change. The idea is that only two concrete 
boxes in a concrete location can surf the web freely.

> Yes, but ORing the two, all clients should have gone to the local http
> service.
> The best thing, in this case, is to use chains:
> iptables -t nat -N twoboxen
> iptables -t nat -N others
> iptables -t nat -A PREROUTING --mac-source aaaaaaaaaa -j twoboxen
> iptables -t nat -A PREROUTING --mac-source bbbbbbbbbb -j twoboxen
> iptables -t nat -A PREROUTING -j others
> iptables -t nat -A twoboxen -j ACCEPT
> iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

I think this is a "large" solution. Two iptables code lines should be 
enough. I've modified the lines:

iptables -t nat -A OUTPUT -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination

Of course, thank you for your help and comments Luciano. ;)
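Added example, not part of the thread: a script that emits the chain-based ruleset from the quoted reply in iptables-restore form, so it can be loaded atomically and diffed against what is running. The mac match is only valid in PREROUTING, INPUT and FORWARD (not OUTPUT), so every rule sits in PREROUTING; eth1 and the MAC addresses are placeholders, and a MAC is as easy for a host to change as an IP, so this controls convenience, not identity.

```sh
#!/bin/sh
# Emit an *nat table for iptables-restore that exempts named MACs from the
# port-80 redirect. Interface and MACs are placeholders passed by the caller.

# valid_mac MAC -> 0 if MAC looks like aa:bb:cc:dd:ee:ff, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_nat_rules LAN_IF MAC... -> prints the rules on stdout, returns 1 on bad input.
gen_nat_rules() {
    lan_if=$1; shift
    [ $# -ge 1 ] || { echo "gen_nat_rules: need at least one MAC" >&2; return 1; }
    for m in "$@"; do
        valid_mac "$m" || { echo "gen_nat_rules: bad MAC '$m'" >&2; return 1; }
    done
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:twoboxen - [0:0]\n:others - [0:0]\n'
    # Exempt boxes jump to twoboxen; the mac match is only legal in PREROUTING,
    # INPUT and FORWARD, which is why nothing goes in the OUTPUT chain.
    for m in "$@"; do
        printf '%s -i %s -m mac --mac-source %s -j twoboxen\n' '-A PREROUTING' "$lan_if" "$m"
    done
    printf '%s -i %s -j others\n' '-A PREROUTING' "$lan_if"
    # ACCEPT in the nat table ends NAT processing for the packet: no redirect.
    printf '%s -j ACCEPT\n' '-A twoboxen'
    # Everyone else on the LAN has port 80 sent to the local http service.
    printf '%s -p tcp --dport 80 -j REDIRECT\n' '-A others'
    printf 'COMMIT\n'
}

# Usage (replaces the whole nat table):
#   gen_nat_rules eth1 00:11:22:33:44:55 66:77:88:99:aa:bb | iptables-restore
```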

