> 127.x is always private to each host, so it is confusing. I just assumed
> it was one address that just came to your mind.

Ok. It's a typo: I wanted to write 172.26.0.0/24 :P

> MAC addresses are easy too, only less known.

Yes, of course. Almost for advanced users or sysadmins. But in this case the LAN clients are Win machines with "normal" users. I think they don't even know what a MAC address is.

> Two of these for each of the two hosts? That's what I don't understand.
>
> Let's suppose you have host A, B, C, D, E, and want only A and B to have
> access to the web. So, the rules would look like:
>
> 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
> mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
> mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
>
> Ditto for -A OUTPUT.
>
> So, what happens when C, D or E send a packet? They don't match any mac
> address, so they will be DNAT'ed to 192.168.1.1.
>
> What about A? It doesn't match rule 1, but it matches rule 2, so it will
> be DNAT'ed also.
>
> And host B? It matches rule 1, so it is DNAT'ed.
>
> Thus the use of chains, to send each host to the proper chain and there
> do the work (dnat or don't dnat).

Now I see it! You have all the reason: I misunderstood the process, so the use of chains will be the correct strategy. ;)
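The chain-based strategy the reply arrives at, written out as an added example (not code from this thread): a dedicated nat chain receives every HTTP packet from the LAN, each allowed host's MAC gets a RETURN rule so it leaves the chain untouched, and a single final DNAT catches everyone else. The interface name eth1, the portal address 192.168.1.1:80, the chain name WEB_ACL and the two MAC addresses are assumptions constructed for illustration; set DRY_RUN to print the rules instead of installing them.

```shell
#!/bin/sh
# Added example: MAC-based web whitelist using its own nat chain instead of
# a sequence of negated "--mac-source !" rules. Interface, portal address,
# chain name and MACs below are constructed values, not from the thread.
LAN_IF="${LAN_IF:-eth1}"
PORTAL="${PORTAL:-192.168.1.1:80}"
CHAIN="${CHAIN:-WEB_ACL}"
# Hosts that may reach the web directly (constructed sample MACs).
ALLOWED_MACS="${ALLOWED_MACS:-00:11:22:33:44:aa 00:11:22:33:44:bb}"

# With DRY_RUN set, print each iptables command instead of executing it.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

install_web_acl() {
    # Create the chain, or flush it if it already exists.
    ipt -t nat -N "$CHAIN" 2>/dev/null || ipt -t nat -F "$CHAIN"
    # Hand every HTTP packet arriving on the LAN interface to our chain.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
    # Allowed hosts: RETURN to PREROUTING, so no DNAT happens for them.
    for mac in $ALLOWED_MACS; do
        ipt -t nat -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
    done
    # Everyone else reaching the end of the chain is sent to the portal.
    ipt -t nat -A "$CHAIN" -j DNAT --to-destination "$PORTAL"
}

# Usage: sh web_acl.sh        -> dry run, prints the rules it would add
#        sh web_acl.sh apply  -> installs them (needs root and iptables)
case "${1:-}" in
    apply) install_web_acl ;;
    *)     DRY_RUN=1; install_web_acl ;;
esac
```

Two caveats worth keeping in mind when deploying this: the mac match is only valid in the PREROUTING, INPUT and FORWARD chains, so it cannot be mirrored into OUTPUT, and because a source MAC can be set by the sender, a MAC whitelist is a convenience for ordinary users rather than a security boundary; anything that must actually be enforced needs authentication at the portal or on the switch.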