From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: "netfilter@vger.kernel.org >> netfilter ML" <netfilter@vger.kernel.org>
Subject: Re: how to do a MAC-based filtering for NAT
Date: Sun, 09 Dec 2007 19:33:04 -0200	[thread overview]
Message-ID: <475C5F10.6010601@solutti.com.br> (raw)
In-Reply-To: <9a9df61d0712090618ha74fa7dte9b89c8d8177408f@mail.gmail.com>



Deephay wrote:
> On Dec 9, 2007 7:31 PM, Leonardo Rodrigues Magalhães
> <leolistas@solutti.com.br> wrote:
>   
>>     Yes it works if you have the correct rules.
>>
>>     Are these 2 FORWARD rules your only rules ????? If no, please post
>> your full ruleset.
>>
>>     If yes ..... i can clearly see 2 problems.
>>
>>     You have not told us about your scenario, but i'll suppose you have
>> the simple scenario of a linux box with 2 NICs, forwarding packets
>> between NICs. The --mac-source rule you made WILL work. But you're
>> clearly missing some rule that allows packets to come back, the replies.
>> You're allowing the packet to go out, but not allowing replies to get
>> back. So, 'it will not work'. Based on your scenario, you certainly need
>> some rules to allow the return traffic.
>>
>>     And if these are your only 2 rules, then you're simply forwarding,
>> there's no NAT rule here. Packets will be forwarded but the original ip
>> address will be kept, that means, no Network Address Translation (NAT)
>> will occur. You would need some '-t nat -A POSTROUTING' rule for doing
>> the Source NAT.
>>     
>
> Hi, I am using one NIC with PPPoE and
>
>   
    OK ... the typical 2 interfaces situation. One real NIC interface 
and another logical PPPoE interface. Probably eth0 and ppp0, is that right ???

> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> as the NAT rules.
>
>   
    OK ... so you have the NAT rule.

> Is there a solution in this kind of situation? thanks for the help!
>   
    Yes .... supposing eth0 is your internal NIC and ppp0 is your 
external interface, simply having a rule

iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

    would be enough for allowing all the 'reply' packets to come back 
and thus allowing your traffic based on MAC source to work.

    Please try that.


-- 


	Regards / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it
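A complete ruleset for the setup discussed in this reply (LAN on eth0, PPPoE uplink on ppp0, source NAT only for hosts with a listed MAC), as an added example that is not part of the original thread. The interface names follow the reply's assumption and the MAC addresses are constructed. It differs from the reply in two deliberate respects: the return-traffic rule matches ESTABLISHED,RELATED connection state instead of accepting everything from ppp0 to eth0, so unsolicited packets arriving on the uplink are not forwarded into the LAN, and MASQUERADE is restricted to -o ppp0 rather than applied on every outgoing interface. The script prints the rules by default and only applies them (as root) when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: eth0 is the LAN side, ppp0 is the PPPoE uplink; the MACs
# below are constructed sample values, not real hosts.
set -eu

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
# Constructed sample: hosts permitted to use the NAT, identified by source MAC.
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

emit() { printf '%s\n' "$*"; }

# Reject anything that is not six colon-separated hex octets before it
# reaches an iptables command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the ruleset, one iptables command per line.
build_rules() {
    emit "iptables -F FORWARD"
    emit "iptables -t nat -F POSTROUTING"
    # Default-deny forwarding; only the rules below open paths.
    emit "iptables -P FORWARD DROP"
    # Replies to connections the LAN opened. Stateful match rather than a
    # blanket '-i ppp0 -o eth0 -j ACCEPT', so the uplink cannot forward
    # unsolicited traffic into the LAN.
    emit "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Outbound forwarding only for the listed source MACs.
    for mac in $ALLOWED_MACS; do
        valid_mac "$mac" || { echo "malformed MAC: $mac" >&2; exit 1; }
        emit "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Source NAT only on the uplink; the original '-A POSTROUTING -j MASQUERADE'
    # with no -o would also rewrite traffic leaving on eth0.
    emit "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e    # apply; needs root and the iptables binary
else
    build_rules            # dry run: show what would be applied
fi
```

The --mac-source match only sees the MAC of the last Layer 2 hop, so it identifies hosts on the directly attached eth0 segment and nothing behind a further router; and since a client can set its own MAC, this is a convenience control for deciding who gets NAT, not an authentication mechanism.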

Thread overview: 5+ messages
2007-12-09  5:11 how to do a MAC-based filtering for NAT Deephay
2007-12-09 11:31 ` Leonardo Rodrigues Magalhães
2007-12-09 14:18   ` Deephay
2007-12-09 21:33     ` Leonardo Rodrigues Magalhães [this message]
     [not found]     ` <475C5149.8070404@solutti.com.br>
2007-12-10  1:53       ` Deephay