From: Ilia Lindov <lists@infomat-bg.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] masquerade and mac problem
Date: Sat, 04 Sep 2004 17:18:26 +0000
Message-ID: <413A1FF1.1000501@infomat-bg.com>
In-Reply-To: <20040904121939.70148.qmail@web60001.mail.yahoo.com>

Hi,

I recommend that you use the following script:
------------------------------------------------
#!/bin/sh

# Deleting all existing rules in all chains
# and deleting user-created chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X

# Setting the default policy to DROP, so those packets which are not
# ACCEPT-ed are dropped at the end
iptables -P FORWARD DROP

# Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allowing outgoing packets from specific users with correct mac
# addresses. The mac match only sees the MAC of the host that handed
# the packet to the router, i.e. a client on the directly attached LAN.
# Add the same line for each client with the proper ip and mac addresses
iptables -A FORWARD -s 192.168.10.2 -m mac --mac-source \
    00:11:22:33:44:55 -j ACCEPT

# Allowing all incoming packets which belong to a client's
# connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-----------------------------------------------------------------------

You should consider the INPUT and OUTPUT chains on your router, and
set proper rules on them according to your needs.
Also you'll need connection tracking support from the kernel.
The 'ip_conntrack' and similar modules will be useful if you don't have
connection tracking support compiled into the kernel itself.

I hope this will help!!!

Regards: Ilia Lindov

Sorin Capra wrote:
> Hello guys
>  
>    I don't know if this thing has been posted before (if it was, please 
> forgive me).
> I have 7 computers at home and I want all of them to have access to the 
> internet. In order to do that, I set up a linux router (2 network 
> cards) as a usual router (eth0 : 82.77.69.75 - internet connection ; 
> eth1 : 192.168.10.1 - local network). The other computers have IPs 
> ranging from 192.168.10.2 to 192.168.10.8. The linux router masquerades 
> the other computers. The problem I have is that I want to do the 
> masquerading based on mac AND the ip not only on the ip (so if I change 
> the ip on a computer and use another ip from another computer which is 
> down, the masquerading process shouldn't work).
>    What I came up with is this:
>  
> -------------------------
> #!/bin/sh
> ipt="/usr/sbin/iptables"
>  
> $ipt -F
> $ipt -F -t nat
>  
> $ipt -t filter -N computer1 >/dev/null 2>&1
> $ipt -t filter -N computer2 >/dev/null 2>&1
> $ipt -t filter -N computer3 >/dev/null 2>&1
> $ipt -t filter -N computer4 >/dev/null 2>&1
> $ipt -t filter -N computer5 >/dev/null 2>&1
> $ipt -A FORWARD -s 192.168.10.2 -j computer1
> $ipt -A FORWARD -s 192.168.10.3 -j computer2
> $ipt -A FORWARD -s 192.168.10.4 -j computer3
> $ipt -A FORWARD -s 192.168.10.5 -j computer4
> $ipt -A FORWARD -s 192.168.10.6 -j computer5
> $ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
> $ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
> $ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
> $ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
> $ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
>  
> $ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
> 
> #$ipt -P FORWARD DROP
> --------------------
>  
>   If I uncomment the last line ("#$ipt -P FORWARD DROP") the router 
> won't forward any packets. What am I doing wrong?
>  
> Thank you in advance,
> Sorin
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Thread overview: 4+ messages
2004-09-04 12:19 [LARTC] masquerade and mac problem Sorin Capra
2004-09-04 13:55 ` Tomasz Chilinski
2004-09-04 15:44 ` Tomasz Chilinski
2004-09-04 17:18 ` Ilia Lindov [this message]