Linux Netfilter discussions
* drop by mac address, but only to packets to other interface
@ 2006-11-08  0:39 Branko Kokanovic
  2006-11-08  7:52 ` Jasbir Khehra
From: Branko Kokanovic @ 2006-11-08  0:39 UTC (permalink / raw)
  To: netfilter

hi all,
I'm pretty much a layman on this topic. I have two interfaces, one in the local
network (192.168.0.0) and the other to the ISP. Now, I want to block a certain
MAC address from the local network from reaching the internet, but I want to
allow him to reach the server (for samba, etc...). I tried several
commands, read the manuals, but all I can get is either all or none
(either that MAC address has internet access and server access, or he
can't get to the internet and server at all ("server" is at 192.168.0.1)).

I hope I said all the relevant details; if not, ask me and I'll try to tell.

Here is the script I use, if that can help a bit:
................
# Default policies: accept on INPUT/OUTPUT, drop anything not explicitly forwarded
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Replies from the internet back to the LAN, then all LAN -> internet traffic
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


# I tried this
#iptables -A PREROUTING -t nat -p ALL -m mac --mac-source 00:15:F2:33:B5:92 -j DROP
# and this
#iptables -A FORWARD -p ALL -m mac --mac-source 00:15:F2:33:B5:92 -j DROP


Thanks in advance, Branko Kokanovic



* Re: drop by mac address, but only to packets to other interface
  2006-11-08  0:39 drop by mac address, but only to packets to other interface Branko Kokanovic
@ 2006-11-08  7:52 ` Jasbir Khehra
From: Jasbir Khehra @ 2006-11-08  7:52 UTC (permalink / raw)
  To: Branko Kokanovic; +Cc: netfilter

Branko Kokanovic wrote:

> hi all,
> I'm pretty much a layman on this topic. I have two interfaces, one in the local
> network (192.168.0.0) and the other to the ISP. Now, I want to block a certain
> MAC address from the local network from reaching the internet, but I want to
> allow him to reach the server (for samba, etc...). I tried several
> commands, read the manuals, but all I can get is either all or none
> (either that MAC address has internet access and server access, or he
> can't get to the internet and server at all ("server" is at 192.168.0.1)).
>
> I hope I said all the relevant details; if not, ask me and I'll try to tell.
>
> Here is the script I use, if that can help a bit:
> ................
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
>
> # I tried this
> #iptables -A PREROUTING -t nat -p ALL -m mac --mac-source 00:15:F2:33:B5:92 -j DROP

No need for this rule. This drops all packets, both inbound for your
server and outbound through your server to the Internet.

> # and this
> #iptables -A FORWARD -p ALL -m mac --mac-source 00:15:F2:33:B5:92 -j DROP

The rule is correct, but it won't match any packets because packets
matching this MAC address are also matching the earlier "-i $INTIF -o
$EXTIF -j ACCEPT" rule. Just be careful of the flow. Change "-A" to "-I".
HTH,
Jasbir.

>
>
> Thanks in advance, Branko Kokanovic
>
>

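To make the ordering point concrete, here is an added example (not from either poster) that simulates first-match evaluation of the FORWARD chain in POSIX sh: the rules from the script above with the MAC DROP appended (-A) versus inserted at the head (-I). Interface names eth0/eth1 are assumed, and the state match on the first rule is left out of the simulation.

```sh
#!/bin/sh
# Added example: walk the FORWARD chain top to bottom, first match wins, to
# show why "-A FORWARD -m mac ... -j DROP" never fires after the
# "-i $INTIF -o $EXTIF -j ACCEPT" rule, while "-I FORWARD ..." does.
INTIF=eth0                      # assumed LAN interface name
EXTIF=eth1                      # assumed ISP interface name
BLOCKED_MAC=00:15:F2:33:B5:92   # MAC from the thread

# One rule per line: <in-iface> <out-iface> <src-mac> <target>, "*" = any.
# Chain as built by the script, then "-A FORWARD -m mac ... -j DROP" (last):
chain_append() {
  printf '%s\n' \
    "$EXTIF $INTIF * ACCEPT" \
    "$INTIF $EXTIF * ACCEPT" \
    "* * $BLOCKED_MAC DROP"
}

# Same chain when the DROP is added with "-I FORWARD ..." (rule position 1):
chain_insert() {
  printf '%s\n' \
    "* * $BLOCKED_MAC DROP" \
    "$EXTIF $INTIF * ACCEPT" \
    "$INTIF $EXTIF * ACCEPT"
}

# verdict <chain-fn> <in-iface> <out-iface> <src-mac>
# Prints the target of the first matching rule; if none matches, the chain
# policy applies ("-P FORWARD DROP" in the script).
verdict() {
  v=$("$1" | while read -r rin rout rmac target; do
        if { [ "$rin" = "*" ] || [ "$rin" = "$2" ]; } &&
           { [ "$rout" = "*" ] || [ "$rout" = "$3" ]; } &&
           { [ "$rmac" = "*" ] || [ "$rmac" = "$4" ]; }; then
          echo "$target"
          exit 0   # leave the pipeline subshell: first match wins
        fi
      done)
  echo "${v:-DROP}"
}

# Blocked host, LAN -> internet: only the inserted rule stops it. Traffic to
# the server itself (192.168.0.1) traverses INPUT, not FORWARD, so samba
# access is untouched either way.
echo "appended DROP: $(verdict chain_append "$INTIF" "$EXTIF" "$BLOCKED_MAC")"   # ACCEPT
echo "inserted DROP: $(verdict chain_insert "$INTIF" "$EXTIF" "$BLOCKED_MAC")"   # DROP
echo "other host:    $(verdict chain_insert "$INTIF" "$EXTIF" 00:11:22:33:44:55)" # ACCEPT
```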


