[CentOS] iptables rule (MAC filtering)

Mon Jun 25 16:20:04 UTC 2007
Jordi Espasa Clofent <sistemes.llistes at intergrid.cat>

Hi all,

I've a CentOS box which as two NIC; this box is also a router for LAN 
subnet:

 ------------------------------------
| eth0 (external) 172.0.0.1    |
| eth1 (internal) 192.168.1.1 |
 ------------------------------------
           |
    LAN clients (192.168.1.2+)

I want to allow http acces only for two LAN boxes; an only http access, 
which means that others protocols as smtp, pop3, imap and so on will be 
permited. The rest of LAN boxes will be redirected to a local http 
service (192.168.1.1:80)

I think the best way is creating a iptables rules based on MAC address. 
So, the rules I've made are:

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac 
--mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 
192.168.1.1:80

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac 
--mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 
192.168.1.1:80

Please, note the exclamation symbol, which means a logical negation.

But it seems doesn't work correctly: all the LAN clients can suffer the web.

¿?¿?¿