From: Eric Leblond <eric@inl.fr>
To: "jgalvez@webpipe.net" <jgalvez@webpipe.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: A secure router, by MAC address
Date: Wed, 20 Oct 2004 21:12:42 +0200 [thread overview]
Message-ID: <1098299562.8628.48.camel@porky> (raw)
In-Reply-To: <1098297965.5686.9.camel@6-allhosts>
[-- Attachment #1: Type: text/plain, Size: 1850 bytes --]
Hi,
It really looks like you want to distinguish between well know users and
a set of mobile users.
NuFW (http://www.nufw.org) is done to distinguish between users because
it's an authentication firewall. It authenticates connection in a secure
manner, so you're sure of the identity of users that you let go accross
your firewall.
You can easily manage to build a solution comparable to the one you
describe below with NuFW. With more flexibility and more security.
On Wed, 2004-10-20 at 12:46 -0600, jgalvez@webpipe.net wrote:
> I am trying to setup a router, that forwards traffic from one interface
> for only a specific set of MAC addresses.
>
> Users on eth1 side will use a static IP address with a known MAC
> address. DHCP will be running on eth1 for rogue users. If the source IP
> is 10.0.0.0/8 all port 80 traffic needs to be redirected to localhost
> port 80. ONLY traffic from a listed IP and MAC should be allowed to be
> forwarded out.
>
> I need some recommendation on how to accomplish this. If you could
> point me to a similar example or something I can figure it out . The
> more specific the better. I have a few of my notes and attempts below.
>
> TIA
> -Josh
>
> eth0:
> -Allow all traffic, in and out
> eth1:
> -Allow all DHCP traffic - something like below
> #iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 \
> -j ACCEPT
> -Allow all incoming traffic by source IP and MAC address
> #iptables -A PREROUTING -i eth1 -t mangle -m mac \
> --source 208.5.x.242 --mac-source 00:30:65:0e:91:d6 -j ACCEPT
> -Redirect all port 80 traffic from 10.0.0.0/8 to localhost:80
> -Drop all other incoming traffic
> #iptables -A PREROUTING -i eth1 -t mangle -j DROP
BR,
--
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2004-10-20 19:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-20 18:46 A secure router, by MAC address jgalvez
2004-10-20 19:12 ` Eric Leblond [this message]
2004-10-20 19:28 ` jgalvez
2004-10-20 20:23 ` Eric Leblond
2004-10-20 20:39 ` Jason Opperisano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1098299562.8628.48.camel@porky \
--to=eric@inl.fr \
--cc=jgalvez@webpipe.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox