* how to do a MAC-based filtering for NAT
From: Deephay @ 2007-12-09 5:11 UTC (permalink / raw)
To: netfilter

Greetings all,

I am wondering how to do MAC-based filtering for a NAT:

  iptables -P FORWARD DROP
  iptables -A FORWARD -m mac --mac-source xxxxxxxx -j ACCEPT

The above will not work. Is there a way to achieve this? Thanks!

Cheers,
Deephay
* Re: how to do a MAC-based filtering for NAT
From: Leonardo Rodrigues Magalhães @ 2007-12-09 11:31 UTC (permalink / raw)
To: Deephay; +Cc: netfilter

Yes, it works if you have the correct rules.

Are these 2 FORWARD rules your only rules? If not, please post your full ruleset.

If yes, I can clearly see 2 problems.

You have not told us about your scenario, but I'll suppose you have the simple scenario of a Linux box with 2 NICs, forwarding packets between NICs. The --mac-source rule you made WILL work. But you're clearly missing some rule that allows packets to come back, the replies. You're allowing the packet to go out, but not allowing replies to get back. So, "it will not work". Based on your scenario, you certainly need some rules to allow the return traffic.

And if these are your only 2 rules, then you're simply forwarding; there's no NAT rule here. Packets will be forwarded but the original IP address will be kept, that is, no Network Address Translation (NAT) will occur. You would need some '-t nat -A POSTROUTING' rule for doing the Source NAT.

Deephay wrote:
> Greetings all,
>
> I am wondering how to do MAC-based filtering for a NAT:
>
>   iptables -P FORWARD DROP
>   iptables -A FORWARD -m mac --mac-source xxxxxxxx -j ACCEPT
>
> The above will not work. Is there a way to achieve this? Thanks!

-- 
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it:
gertrudes@solutti.com.br
* Re: how to do a MAC-based filtering for NAT
From: Deephay @ 2007-12-09 14:18 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter

On Dec 9, 2007 7:31 PM, Leonardo Rodrigues Magalhães <leolistas@solutti.com.br> wrote:
>
> Yes, it works if you have the correct rules.
>
> Are these 2 FORWARD rules your only rules? If not, please post
> your full ruleset.
>
> If yes, I can clearly see 2 problems.
>
> You have not told us about your scenario, but I'll suppose you have
> the simple scenario of a Linux box with 2 NICs, forwarding packets
> between NICs. The --mac-source rule you made WILL work. But you're
> clearly missing some rule that allows packets to come back, the replies.
> You're allowing the packet to go out, but not allowing replies to get
> back. So, "it will not work". Based on your scenario, you certainly need
> some rules to allow the return traffic.
>
> And if these are your only 2 rules, then you're simply forwarding;
> there's no NAT rule here. Packets will be forwarded but the original IP
> address will be kept, that is, no Network Address Translation (NAT)
> will occur. You would need some '-t nat -A POSTROUTING' rule for doing
> the Source NAT.

Hi, I am using one NIC with PPPoE and

  iptables -t nat -A POSTROUTING -j MASQUERADE

as the NAT rule. Is there a solution in this kind of situation? Thanks for the help!

> Deephay wrote:
> > Greetings all,
> >
> > I am wondering how to do MAC-based filtering for a NAT:
> >
> >   iptables -P FORWARD DROP
> >   iptables -A FORWARD -m mac --mac-source xxxxxxxx -j ACCEPT
> >
> > The above will not work. Is there a way to achieve this? Thanks!
* Re: how to do a MAC-based filtering for NAT
From: Leonardo Rodrigues Magalhães @ 2007-12-09 21:33 UTC (permalink / raw)
To: netfilter@vger.kernel.org

Deephay wrote:
> On Dec 9, 2007 7:31 PM, Leonardo Rodrigues Magalhães
> <leolistas@solutti.com.br> wrote:
>
>> Yes, it works if you have the correct rules.
>>
>> Are these 2 FORWARD rules your only rules? If not, please post
>> your full ruleset.
>>
>> If yes, I can clearly see 2 problems.
>>
>> You have not told us about your scenario, but I'll suppose you have
>> the simple scenario of a Linux box with 2 NICs, forwarding packets
>> between NICs. The --mac-source rule you made WILL work. But you're
>> clearly missing some rule that allows packets to come back, the replies.
>> You're allowing the packet to go out, but not allowing replies to get
>> back. So, "it will not work". Based on your scenario, you certainly need
>> some rules to allow the return traffic.
>>
>> And if these are your only 2 rules, then you're simply forwarding;
>> there's no NAT rule here. Packets will be forwarded but the original IP
>> address will be kept, that is, no Network Address Translation (NAT)
>> will occur. You would need some '-t nat -A POSTROUTING' rule for doing
>> the Source NAT.
>
> Hi, I am using one NIC with PPPoE and

OK, the typical 2-interface situation: one real NIC interface and one logical PPPoE interface. Probably eth0 and ppp0, is that right?

>   iptables -t nat -A POSTROUTING -j MASQUERADE
>
> as the NAT rule.

OK, so you have the NAT rule.

> Is there a solution in this kind of situation? Thanks for the help!

Yes. Supposing eth0 is your internal NIC and ppp0 is your external interface, simply having a rule

  iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

would be enough to allow all the 'reply' packets to come back, and thus allow your MAC-source-based filtering to work.

Please try that.

-- 
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it:
gertrudes@solutti.com.br
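As an added example (not code from the thread or from either poster), here is a complete ruleset for the setup discussed above: eth0 as the LAN side, ppp0 as the PPPoE uplink, MASQUERADE for source NAT, and forwarding allowed only for frames whose Ethernet source address is on an allowlist. It goes one step beyond the reply above: instead of accepting everything that arrives on ppp0 bound for eth0, it accepts only packets that conntrack attributes to a connection the LAN already opened, so an external host cannot reach a LAN machine just because the return-path rule exists. The interface names, the MAC addresses and the DRY_RUN switch (which prints the rules instead of applying them) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: MAC-allowlisted forwarding plus MASQUERADE on a PPPoE router.
# Assumptions (not from the thread): LAN on eth0, uplink on ppp0, and a
# DRY_RUN=1 switch that prints the iptables commands instead of running them.

# run ARGS... : apply one iptables command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# valid_mac MAC : succeed only for the colon-separated aa:bb:cc:dd:ee:ff form.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_nat_rules LAN_IF WAN_IF MAC [MAC...] : install the ruleset.
mac_nat_rules() {
    lan="$1"; wan="$2"; shift 2
    [ "$#" -ge 1 ] || { echo "need at least one allowed MAC" >&2; return 2; }
    for m in "$@"; do
        valid_mac "$m" || { echo "bad MAC address: $m" >&2; return 2; }
    done

    # Start from an empty FORWARD chain and NAT POSTROUTING so the script is
    # idempotent (this assumes the script owns those two chains).
    run -F FORWARD || return 1
    run -t nat -F POSTROUTING || return 1

    # Return traffic: only packets conntrack ties to a LAN-originated connection
    # (a stateful replacement for the broad "-i ppp0 -o eth0 -j ACCEPT").
    run -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1

    # Outbound: one rule per allowed Ethernet source address. The mac match reads
    # the link-layer header, so it is matched on the LAN-facing interface; ppp0
    # carries no Ethernet header at all.
    for m in "$@"; do
        run -A FORWARD -i "$lan" -o "$wan" -m mac --mac-source "$m" -j ACCEPT \
            || return 1
    done

    # Source NAT only on the uplink. MASQUERADE (rather than SNAT) because the
    # ppp0 address changes with each PPPoE session.
    run -t nat -A POSTROUTING -o "$wan" -j MASQUERADE || return 1

    # Default deny for transit traffic, set last so the ACCEPT rules are already
    # in place when the policy flips.
    run -P FORWARD DROP || return 1
}

# Usage: DRY_RUN=1 sh mac-nat.sh eth0 ppp0 00:11:22:33:44:55 66:77:88:99:aa:bb
if [ "$#" -ge 3 ]; then
    mac_nat_rules "$@"
fi
```

Two caveats a practitioner should keep in mind. The mac match can only be used in the PREROUTING, INPUT and FORWARD chains, and only on packets that arrived with an Ethernet header, which is why the allowlist rules match on -i eth0 and not on the PPPoE side. And a source MAC is trivially spoofable by any host on the LAN segment, so this is an inventory control, not an authentication mechanism; the added -o ppp0 on the MASQUERADE rule also avoids rewriting traffic the box might route between other local interfaces.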
* Re: how to do a MAC-based filtering for NAT
From: Deephay @ 2007-12-10 1:53 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter

On Dec 10, 2007 4:34 AM, Leonardo Rodrigues Magalhães <leolistas@solutti.com.br> wrote:
>
> Deephay wrote:
>> On Dec 9, 2007 7:31 PM, Leonardo Rodrigues Magalhães
>> <leolistas@solutti.com.br> wrote:
>>
>>> Yes, it works if you have the correct rules.
>>>
>>> Are these 2 FORWARD rules your only rules? If not, please post
>>> your full ruleset.
>>>
>>> If yes, I can clearly see 2 problems.
>>>
>>> You have not told us about your scenario, but I'll suppose you have
>>> the simple scenario of a Linux box with 2 NICs, forwarding packets
>>> between NICs. The --mac-source rule you made WILL work. But you're
>>> clearly missing some rule that allows packets to come back, the replies.
>>> You're allowing the packet to go out, but not allowing replies to get
>>> back. So, "it will not work". Based on your scenario, you certainly need
>>> some rules to allow the return traffic.
>>>
>>> And if these are your only 2 rules, then you're simply forwarding;
>>> there's no NAT rule here. Packets will be forwarded but the original IP
>>> address will be kept, that is, no Network Address Translation (NAT)
>>> will occur. You would need some '-t nat -A POSTROUTING' rule for doing
>>> the Source NAT.
>>
>> Hi, I am using one NIC with PPPoE and
>
> OK, the typical 2-interface situation: one real NIC interface and
> one logical PPPoE interface. Probably eth0 and ppp0, is that right?
>
>>   iptables -t nat -A POSTROUTING -j MASQUERADE
>>
>> as the NAT rule.
>
> OK, so you have the NAT rule.
>
>> Is there a solution in this kind of situation? Thanks for the help!
>
> Yes. Supposing eth0 is your internal NIC and ppp0 is your external
> interface, simply having a rule
>
>   iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
>
> would be enough to allow all the 'reply' packets to come back, and
> thus allow your MAC-source-based filtering to work.
>
> Please try that.

OK, got it, thanks very much for the help!

Cheers,
Deephay