[CentOS] iptables rule (MAC filtering)

Jordi Espasa Clofent sistemes.llistes at intergrid.cat
Mon Jun 25 20:24:37 UTC 2007

> 127.x is always private to each host, so it is confusing. I just assumed
> it was one address that just came to your mind.
OK. It's a typo: I wanted to write :P

> MAC addresses are easy too, only less known.

Yes, of course. At least for advanced users or sysadmins. But in this case 
the LAN clients are Windows machines with "normal" users. I think they don't 
even know what a MAC address is.

> Two of these for each of the two hosts? That's what I don't understand.
> Let's suppose you have host A, B, C, D, E, and want only A and B to have
> access to the web. So, the rules would look like:
> 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
>  mac(host A) --dport 80 -j DNAT --to-destination
> 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
>  mac(host B) --dport 80 -j DNAT --to-destination
> Ditto for -A OUTPUT.
> So, what happens when C, D or E send a packet? They don't match any mac
> address, so they will be DNAT'ed to
> What about A? It doesn't match rule 1, but it matches rule 2, so it will
> be DNAT'ed also.
> And host B? It matches rule 1, so it is DNAT'ed.
> Thus the use of chains, to send each host to the proper chain and there
> do the work (dnat or don't dnat).

Now I see it! You're completely right: I had misunderstood the process, 
so the use of chains will be the correct strategy.
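The following script is an added example, not part of the mailing list thread. It builds the chain-based rule set the reply above arrives at (a user chain in the nat table where whitelisted MACs RETURN and everyone else is DNAT'ed) and, beside it, simulates both strategies so the difference is visible without touching a real firewall. The interface name `eth1`, the chain name `WEBACL`, the portal address `192.0.2.10:80` and the MAC values are all assumptions constructed for the example; the iptables commands are printed rather than executed.

```sh
#!/bin/sh
# Added example (not from the thread): chain-based MAC whitelist for port 80
# and a simulation of "two negated rules" vs. "one chain".

LAN_IF="eth1"                                         # assumed LAN interface
PORTAL="192.0.2.10:80"                                # assumed DNAT target
ALLOWED_MACS="00:11:22:33:44:aa 00:11:22:33:44:bb"   # constructed: hosts A and B

# Print (do not run) the iptables commands for the chain strategy.
# Change IPT to the real binary path to apply them on a router.
emit_chain_rules() {
    IPT="echo iptables"
    $IPT -t nat -N WEBACL
    # every web request from the LAN is handed to the user chain
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j WEBACL
    for mac in $ALLOWED_MACS; do
        # whitelisted host: leave the chain, no DNAT
        $IPT -t nat -A WEBACL -m mac --mac-source "$mac" -j RETURN
    done
    # anybody who did not RETURN is redirected
    $IPT -t nat -A WEBACL -j DNAT --to-destination "$PORTAL"
}

# Simulate the strategy quoted above: one "--mac-source ! <mac>" rule per
# allowed host, first matching rule wins.  Prints "dnat" or "pass".
decide_negated() {
    src="$1"
    for mac in $ALLOWED_MACS; do
        # rule fires for every MAC that is NOT this one
        [ "$src" != "$mac" ] && { echo dnat; return 0; }
    done
    echo pass
}

# Simulate the chain strategy: listed MACs RETURN, the rest hit the DNAT.
decide_chain() {
    src="$1"
    for mac in $ALLOWED_MACS; do
        [ "$src" = "$mac" ] && { echo pass; return 0; }
    done
    echo dnat
}

# Stand-alone demo: show the generated rules and the verdict for A, B and C.
emit_chain_rules
for host in 00:11:22:33:44:aa 00:11:22:33:44:bb 00:11:22:33:44:cc; do
    printf '%s  negated-rules:%s  chain:%s\n' \
        "$host" "$(decide_negated "$host")" "$(decide_chain "$host")"
done
```

With two allowed hosts, `decide_negated` returns `dnat` for A, B and C alike (A fails rule 1 but matches rule 2, B matches rule 1), which is exactly the outcome the reply describes; `decide_chain` lets A and B pass and redirects only the rest. Note that `--mac-source` only sees the frame's source address on the directly attached segment and is trivially changed on the client, so this is a convenience control for a trusted LAN rather than a security boundary.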


More information about the CentOS mailing list