Linux Netfilter discussions
* IP  + MAC filter -  doubt
@ 2005-05-05  2:26 varun_saa
  2005-05-05  3:43 ` Taylor, Grant
  0 siblings, 1 reply; 3+ messages in thread
From: varun_saa @ 2005-05-05  2:26 UTC (permalink / raw)
  To: netfilter

Hello,
     My server is on Mandriva 10.1
eth0 is WAN with static IP connected to 512K DSL
eth1 is LAN - 192.168.0.0/24 and 192.168.21.0/24

I want to use IP + MAC filtering to allow/deny
clients access to the net as follows.

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 \
-m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

First, tell me if the above rule is correct.

Second, I think I first need a rule to
deny all IPs and MACs. Is that correct?

How to first deny all IPs and MACs?

Thanks in advance

Varun






* Re: IP  + MAC filter -  doubt
  2005-05-05  2:26 IP + MAC filter - doubt varun_saa
@ 2005-05-05  3:43 ` Taylor, Grant
  2005-05-10  8:38   ` Georgi Alexandrov
  0 siblings, 1 reply; 3+ messages in thread
From: Taylor, Grant @ 2005-05-05  3:43 UTC (permalink / raw)
  To: netfilter

> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 \
> -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
> 
> First, tell me if the above rule is correct.

Yes, that is one way to do it.  The "other" way(s) have to do with ACCEPTing vs redirecting to another chain for additional testing.

> Second, I think I first need a rule to
> deny all IPs and MACs. Is that correct?

Yes you will need a rule (or FORWARD policy) to not forward or DROP packets.  I would put this at the end of your FORWARD chain (or at least the section that does your MAC to IP pairing) after you have decided what MAC IP pairs to allow through.  Explicitly allow what you want to get out and then DROP or REJECT the rest of the chaff.

> How to first deny all IPs and MACs?

iptables -t filter -A FORWARD -i eth1 -o eth0 -j DROP

> Thanks in advance

No problem.



Grant. . . .



* Re: IP  + MAC filter -  doubt
  2005-05-05  3:43 ` Taylor, Grant
@ 2005-05-10  8:38   ` Georgi Alexandrov
  0 siblings, 0 replies; 3+ messages in thread
From: Georgi Alexandrov @ 2005-05-10  8:38 UTC (permalink / raw)
  To: netfilter

Taylor, Grant wrote:

>> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 \
>> -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
>>
>> First, tell me if the above rule is correct.
>
>
> Yes, that is one way to do it.  The "other" way(s) have to do with 
> ACCEPTing vs redirecting to another chain for additional testing.
>
>> Second, I think I first need a rule to deny all IPs and MACs. Is that 
>> correct?
>
>
> Yes you will need a rule (or FORWARD policy) to not forward or DROP 
> packets.  I would put this at the end of your FORWARD chain (or at 
> least the section that does your MAC to IP pairing) after you have 
> decided what MAC IP pairs to allow through.  Explicitly allow what you 
> want to get out and then DROP or REJECT the rest of the chaff.
>
>> How to first deny all IPs and MACs?
>
>
> iptables -t filter -A FORWARD -i eth1 -o eth0 -j DROP
>
>> Thanks in advance
>
>
> No problem.
>
>
>
> Grant. . . .
>
>
The way I would handle the FORWARD chain in your scenario:

iptables -P FORWARD DROP
  <-- set the default policy to DROP; anything not matched by the rules will hit the default policy, i.e. be dropped.

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  <-- allow established & related packages back to the LAN.

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
  <-- accept requests to the WAN only for a particular IP with a particular MAC address.


regards,
Georgi Alexandrov
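The chain Grant and Georgi describe above, as an added example that is not code from the thread or from any of its posters: default policy DROP set first, return traffic allowed back to the LAN, one ACCEPT per approved IP/MAC pair, and a rate-limited LOG of whatever is about to fall through to the policy so an unlisted or re-addressed client shows up in the kernel log. The interface names, the allow list and the MAC values are assumptions (placeholders), and the script prints the rules by default; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD chain described in the
# replies: policy DROP, allow replies in, allow listed IP+MAC pairs out, log the rest.
# Interface names, allow list and MAC values below are assumptions.
set -eu

WAN="${WAN:-eth0}"   # assumption: DSL side, as in the original post
LAN="${LAN:-eth1}"   # assumption: LAN side, as in the original post

# Dry run by default: each rule is printed instead of applied.
# Invoke with IPT=iptables to actually load the rules.
ipt_dryrun() { printf '%s\n' "$*"; }
IPT="${IPT:-ipt_dryrun}"

# Constructed allow list: whitespace-separated "ip mac" pairs (placeholder MACs).
ALLOWED="
192.168.0.5   00:11:22:33:44:55
192.168.21.7  66:77:88:99:aa:bb
"

# iptables would reject a malformed MAC, but a dry run would not, so check the shape here.
is_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Cheap dotted-quad shape check for the source address.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the chain in the order given in the thread. The DROP policy goes first so
# that a failure part-way through never leaves forwarding open.
build_forward_chain() {
  "$IPT" -P FORWARD DROP
  "$IPT" -F FORWARD
  "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
  set -- $ALLOWED            # word-split the list into: ip mac ip mac ...
  while [ $# -ge 2 ]; do
    ip=$1; mac=$2; shift 2
    is_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    is_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
  done
  # Anything still unmatched hits the DROP policy; log it (rate-limited) first.
  "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
}

build_forward_chain
```

Two practical notes on the design: the `-m mac` match only sees the MAC of the last hop that put the frame on eth1, so it is only meaningful for hosts directly attached to that segment, and a client can set its own MAC, so this pairing is a convenience control for a trusted LAN rather than authentication. On current iptables releases `-m state --state RELATED,ESTABLISHED` is accepted but `-m conntrack --ctstate RELATED,ESTABLISHED` is the preferred spelling.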

