From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: Deephay <tudoxxx@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: how to do a MAC-based filtering for NAT
Date: Sun, 09 Dec 2007 09:31:27 -0200 [thread overview]
Message-ID: <475BD20F.6030206@solutti.com.br> (raw)
In-Reply-To: <9a9df61d0712082111s90a5fa3o4d272b2c1dacc1f1@mail.gmail.com>
Yes, it works if you have the correct rules.

Are these 2 FORWARD rules your only rules? If not, please post
your full ruleset.
If yes... I can clearly see 2 problems.
You have not told us about your scenario, but I'll suppose you have
the simple scenario of a Linux box with 2 NICs, forwarding packets
between NICs. The --mac-source rule you made WILL work. But you're
clearly missing some rule that allows packets to come back, the replies.
You're allowing the packet to go out, but not allowing replies to get
back. So, 'it will not work'. Based on your scenario, you certainly need
some rules to allow the return traffic.
And if these are your only 2 rules, then you're simply forwarding;
there's no NAT rule here. Packets will be forwarded but the original IP
address will be kept, that is, no Network Address Translation (NAT)
will occur. You would need some '-t nat -A POSTROUTING' rule for doing
the Source NAT.
Deephay wrote:
> Greetings all,
>
> I am wondering how to do a MAC-based filtering for a NAT:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -m mac --mac-source xxxxxxxx -j ACCEPT
>
> the above things will not work, is there a way to achieve this? thanks!
>
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it:
gertrudes@solutti.com.br
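The three pieces Leonardo describes (the --mac-source FORWARD rule, a rule that lets the replies back in, and a POSTROUTING Source NAT rule), put together as an added example that is not from the list post. The interface names eth1 (LAN side) and eth0 (Internet side) and the MAC address are assumed; the function only prints the iptables commands so they can be reviewed before being piped to a root shell on the gateway.

```shell
#!/bin/sh
# Constructed example: MAC-filtered forwarding plus Source NAT for a Linux box
# with two NICs. Usage (as root on the gateway):
#   mac_nat_rules eth1 eth0 00:11:22:33:44:55 | sh
# Arguments: LAN interface, WAN interface, then one or more allowed source MACs.
mac_nat_rules() {
    lan_if=$1
    wan_if=$2
    shift 2
    cat <<EOF
iptables -P FORWARD DROP
# Replies to an accepted flow also pass through FORWARD. Without this rule the
# outbound packet leaves but the answer is dropped by the DROP policy.
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for mac in "$@"; do
        # --mac-source only makes sense on the LAN-facing leg: the originating
        # host's MAC is visible only on the segment it is directly attached to.
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -m mac --mac-source $mac -j ACCEPT"
    done
    cat <<EOF
# Without a nat-table rule the packets are merely forwarded with the private
# source address kept. MASQUERADE performs the Source NAT on the WAN interface.
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
EOF
}
```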