[CentOS] iptables rule (MAC filtering)

Mon Jun 25 20:06:15 UTC 2007
Luciano Rocha <strange at nsk.no-ip.org>

On Mon, Jun 25, 2007 at 09:46:22PM +0200, Jordi Espasa Clofent wrote:
> 
> >                      ^^^^^^^^^ this is a very bad example
> >   
> 
>  It's understandable example; so, it's enough.

127.x is always private to each host, so it is confusing. I just assumed
it was one address that just came to your mind.

> 
> > Why MAC and not IP addresses?
> >   
> 
>  IP addresses are very easy to change. The idea is only a two concrete boxes 
>  with a concrete ubication can surfer the web freely.

MAC addresses are easy too, only less known.

> 
> > Yes, but ORing the two, all clients should have gone to the local http
> > service.
> >
> > The best thing, in this case, is to use chains:
> >
> > iptables -t nat -N twoboxen
> > iptables -t nat -N others
> >
> > iptables -t nat -A PREROUTING --mac-source aaaaaaaaaa -j twoboxen
> > iptables -t nat -A PREROUTING --mac-source bbbbbbbbbb -j twoboxen
> > iptables -t nat -A PREROUTING -j others
> >
> > iptables -t nat -A twoboxen -j ACCEPT
> > iptables -t nat -A others -p tcp --dport 80 -j REDIRECT
> 
>  I think this is a "large" solution. Two iptables code lines should be 
>  enough. I've modified the lines:
> 
>  iptables -t nat -A OUTOUT -p tcp -i eth1  -m mac --mac-source ! 
>  xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
>  iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
>  xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

Two of these for each of the two hosts? That's what I don't understand.

Let's suppose you have host A, B, C, D, E, and want only A and B to have
access to the web. So, the rules would look like:

1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
 mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! 
 mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80

Ditto for -A OUTPUT.

So, what happens when C, D or E send a packet? They don't match any mac
address, so they will be DNAT'ed to 192.168.1.1.

What about A? It doesn't match rule 1, but it matches rule 2, so it will
be DNAT'ed also.

And host B? It matches rule 1, so it is DNAT'ed.

Thus the use of chains, to send each host to the proper chain and there
do the work (dnat or don't dnat).

>  Of course, thank you for your help and comments Luciano. ;)

Not at all. :)

-- 
lfr
0/0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20070625/0be7e209/attachment-0005.sig>