[CentOS] iptables rule (MAC filtering)

Mon Jun 25 20:24:37 UTC 2007
Jordi Espasa Clofent <sistemes.llistes at intergrid.cat>

> 127.x is always private to each host, so it is confusing. I just assumed
> it was one address that just came to your mind.
>   
Ok. It's a typo: I wanted to write 172.26.0.0/24 :P

> MAC addresses are easy too, only less known.
>   

Yes, of course. Almost for advanced users or sysadmins. But in this case 
the LAN clients are Win machines with "normal" users. I think they don't 
even know what a MAC address is.

> Two of these for each of the two hosts? That's what I don't understand.
>
> Let's suppose you have host A, B, C, D, E, and want only A and B to have
> access to the web. So, the rules would look like:
>
> 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
>  mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
>  mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
>
> Ditto for -A OUTPUT.
>
> So, what happens when C, D or E send a packet? They don't match any mac
> address, so they will be DNAT'ed to 192.168.1.1.
>
> What about A? It doesn't match rule 1, but it matches rule 2, so it will
> be DNAT'ed also.
>
> And host B? It matches rule 1, so it is DNAT'ed.
>
> Thus the use of chains, to send each host to the proper chain and there
> do the work (dnat or don't dnat).

Now I see it! You are completely right: I've misunderstood the process, 
so the use of chains will be the correct strategy.

;)
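As an added illustration (not from either poster), the chain-based layout the quoted reply recommends: every web connection from the LAN interface is sent to a dedicated chain, the listed MACs RETURN untouched, and everything else is DNAT'ed to 192.168.1.1:80 as in the quoted rules. The script only prints the iptables commands so the ruleset can be reviewed before it is loaded; the chain name WEBACL and the MAC addresses are placeholders.

```shell
#!/bin/sh
# Assumed values: eth1 and 192.168.1.1:80 come from the quoted rules,
# WEBACL is a chain name chosen for this example.
LAN_IF="eth1"
REDIRECT="192.168.1.1:80"

# Print (do not run) the nat-table commands for the given list of
# MAC addresses that are allowed to reach the web directly.
gen_rules() {
    echo "iptables -t nat -N WEBACL"
    echo "iptables -t nat -F WEBACL"
    # Hand every LAN web connection to the WEBACL chain
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j WEBACL"
    # Allowed hosts leave the chain before the DNAT rule is reached
    for mac in "$@"; do
        echo "iptables -t nat -A WEBACL -m mac --mac-source $mac -j RETURN"
    done
    # Everything that did not RETURN is redirected to the local web server
    echo "iptables -t nat -A WEBACL -p tcp --dport 80 -j DNAT --to-destination $REDIRECT"
}

# Number of commands emitted for a given allow-list (sanity check)
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Example run with two constructed (placeholder) MAC addresses:
gen_rules 00:11:22:33:44:55 66:77:88:99:aa:bb
```

Note that `-m mac` only sees the source MAC of frames arriving on the same segment and a client can change its MAC, so this is an access-control convenience for the "normal" users mentioned above, not a strong security boundary.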