* allowing connection
@ 2004-09-10 18:18 Payal Rathod
From: Payal Rathod @ 2004-09-10 18:18 UTC (permalink / raw)
To: Netfilter ML
Hi,
Right now I am allowing only my client's LAN to access one of my
design machines from the internet. Their LAN is a simple network
with a single IP, and the other machines are masqueraded. Now I want to allow
only one of their machines to access my machine. Can I do it? I mean
the machine is on the 192.168.1.x series of IPs, but can I restrict it
on a MAC address basis? If yes, how do I do it?
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: allowing connection
From: Deepak Seshadri @ 2004-09-10 20:11 UTC (permalink / raw)
To: 'Payal Rathod', 'Netfilter ML'
Hi Payal,
You can use the MAC match to restrict access.
Something like this:
iptables -t mangle -A PREROUTING -s (Masqueraded_IP) -m mac --mac-source (MAC_ADDR_MACHINE) -j ACCEPT
Please follow the link below and read 6.4.3.2 for further understanding:
http://iptables-tutorial.frozentux.net/chunkyhtml/matches.html#GENERICMATCHES
Hope this helps!
Regards,
Deepak Seshadri
* Re: allowing connection
From: Jason Opperisano @ 2004-09-10 20:24 UTC (permalink / raw)
To: netfilter
On Fri, 2004-09-10 at 14:18, Payal Rathod wrote:
> Hi,
> Right now I am allowing only my client's LAN to access one of my
> design machines from the internet. Their LAN is a simple network
> with a single IP, and the other machines are masqueraded. Now I want to allow
> only one of their machines to access my machine. Can I do it? I mean
> the machine is on the 192.168.1.x series of IPs, but can I restrict it
> on a MAC address basis? If yes, how do I do it?
>
> With warm regards,
> -Payal
so essentially:
  +------------+     +----------------+
  | CLIENT LAN |-----| CLIENT MACHINE |
  +------------+     +----------------+
        |
  +-----------+
  | CLIENT FW |
  +-----------+
        |
        |
   +----------+
   | INTERNET |
   +----------+
        |
        |
   +---------+
   | YOUR FW |
   +---------+
        |
  +----------+     +----------------+
  | YOUR LAN |-----| DESIGN MACHINE |
  +----------+     +----------------+
Right you allow whatever IP all of "Client LAN" is MASQ'ed behind to
access "Design Machine."
To answer the question, can you filter by MAC address--the answer is
a resounding, "no!" The MAC address of "Client Machine" is stripped
off by "Client FW" never to be seen again by any network device.
The only MAC address that you'll see on the external interface of
"Your FW" is that of your Internet router.
My suggestion: protect the resource in question with a
username/password or certificate or whatever authentication suits you.
Only give the one person who needs access credentials to get in.
Keep the filtering policy as-is.
-j
--
Jason Opperisano <opie@817west.com>
From: Joel n.solanki @ 2004-09-11 4:07 UTC (permalink / raw)
To: Netfilter ML
If you have 2 LAN cards,
eth0 -- connected to the internet
eth1 -- connected to the LAN
then:
Make the default policy of FORWARD DROP.
Just FORWARD the client's IP so that it can get internet access.
All other machines will communicate with each other but not with the
internet.
Without MAC binding:
iptables -A FORWARD -i eth1 -s 192.168.1.x -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.1.x -j ACCEPT
With MAC binding:
# The MAC match only makes sense on eth1, where the client's frames arrive directly.
iptables -A FORWARD -i eth1 -s 192.168.1.x -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
# Reply traffic arriving on eth0 carries the upstream router's source MAC, not the
# client's, so the return-direction rule cannot match on the client's MAC.
iptables -A FORWARD -i eth0 -d 192.168.1.x -j ACCEPT
Regards,
--
Joel N.Solanki
Network Administrator
Phone No: 0265-550001/2/3/4/5 Ext: 211/212
Digital 2 Virtual Internet Service Provider.
http://www.packetraptor.com/
http://www.d2visp.com/
Gujarat (India)
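The following is an added illustration, not code posted by anyone in the thread, of the two points made above: Jason's observation that the client machine's MAC is rewritten at every router hop and so never reaches "Your FW", and Joel's point that a `--mac-source` match only works on the interface directly attached to the client's LAN (his eth1 rule). It models each hop as rebuilding the Ethernet header while keeping the IP header (with MASQUERADE rewriting the source IP at the client firewall); all MAC and IP addresses are constructed sample values, and `mac_source_match` / `lan_forward_rule` are simplified stand-ins for the iptables matches, not the netfilter code itself.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame carrying an IP packet (simplified model)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Hop:
    """A router on the path. in_mac is the interface the frame arrives on,
    out_mac the interface it leaves on, next_mac the next hop's MAC.
    masq_ip, when set, models MASQUERADE rewriting the source IP."""
    name: str
    in_mac: str
    out_mac: str
    next_mac: str
    masq_ip: Optional[str] = None

    def forward(self, frame: Frame) -> Frame:
        # The Ethernet header is rebuilt at every hop; the IP header is
        # carried through unchanged unless this hop does NAT.
        src_ip = self.masq_ip if self.masq_ip else frame.src_ip
        return Frame(self.out_mac, self.next_mac, src_ip, frame.dst_ip)


# Constructed sample addresses (public IPs from RFC 5737 documentation ranges).
CLIENT_MAC = "00:11:22:33:44:55"
CLIENT_IP = "192.168.1.10"
DESIGN_IP = "198.51.100.7"
YOUR_ROUTER_MAC = "00:ee:ff:00:00:02"

PATH: List[Hop] = [
    Hop("CLIENT FW", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02",
        "00:cc:cc:cc:cc:01", masq_ip="203.0.113.5"),
    Hop("INTERNET", "00:cc:cc:cc:cc:01", "00:cc:cc:cc:cc:02",
        "00:ee:ff:00:00:01"),
    Hop("YOUR ROUTER", "00:ee:ff:00:00:01", YOUR_ROUTER_MAC,
        "00:12:34:56:78:90"),  # next hop: external interface of YOUR FW
]


def mac_source_match(frame: Frame, allowed_mac: str) -> bool:
    """Stand-in for `-m mac --mac-source <allowed_mac>`: the receiving
    interface only ever sees the frame's current source MAC."""
    return frame.src_mac.lower() == allowed_mac.lower()


def lan_forward_rule(frame: Frame, allowed_ip: str, allowed_mac: str) -> bool:
    """Stand-in for `-A FORWARD -i eth1 -s <ip> -m mac --mac-source <mac>`
    evaluated on the LAN-side interface of CLIENT FW."""
    return frame.src_ip == allowed_ip and mac_source_match(frame, allowed_mac)


def trace(frame: Frame, path: List[Hop]) -> List[Frame]:
    """Return the frame as it arrives at each hop, the last entry being the
    frame that arrives at YOUR FW's external interface."""
    seen = [frame]
    for hop in path:
        frame = hop.forward(frame)
        seen.append(frame)
    return seen


def evaluate() -> dict:
    """Evaluate the MAC match at both ends of the path for one client frame."""
    first = Frame(CLIENT_MAC, PATH[0].in_mac, CLIENT_IP, DESIGN_IP)
    seen = trace(first, PATH)
    arriving = seen[-1]
    return {
        "lan_rule_on_client_fw": lan_forward_rule(seen[0], CLIENT_IP, CLIENT_MAC),
        "mac_rule_on_your_fw": mac_source_match(arriving, CLIENT_MAC),
        "src_mac_at_your_fw": arriving.src_mac,
        "src_ip_at_your_fw": arriving.src_ip,
    }


if __name__ == "__main__":
    first = Frame(CLIENT_MAC, PATH[0].in_mac, CLIENT_IP, DESIGN_IP)
    labels = ["at CLIENT FW eth1"] + ["after " + h.name for h in PATH]
    for label, f in zip(labels, trace(first, PATH)):
        print(f"{label:18} src_mac={f.src_mac} src_ip={f.src_ip}")
    print(evaluate())
```

Running it prints the source MAC and IP at each stage: the client's MAC is only visible on the client firewall's LAN interface, while the frame reaching "Your FW" carries the upstream router's MAC and the masqueraded public IP, which is exactly why a `--mac-source` rule on your side can never match and why Jason's advice to authenticate the user instead applies.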