Re: iptables rule (MAC filtering)




On Mon, Jun 25, 2007 at 06:20:04PM +0200, Jordi Espasa Clofent wrote:
>  Hi all,
> 
>  I've a CentOS box which has two NICs; this box is also a router for the 
>  LAN subnet:
> 
>  ------------------------------------
>  | eth0 (external) 172.0.0.1    |
                     ^^^^^^^^^ this is a very bad example
>  | eth1 (internal) 192.168.1.1 |
>  ------------------------------------
>            |
>     LAN clients (192.168.1.2+)
> 
>  I want to allow http access only for two LAN boxes, and only http access, 
>  which means that other protocols such as smtp, pop3, imap and so on will be 
>  permitted. The rest of the LAN boxes will be redirected to a local http service 
>  (192.168.1.1:80).
> 
>  I think the best way is creating iptables rules based on MAC address.

Why MAC and not IP addresses?

> So, 
>  the rules I've made are:
> 
>  iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 
>  iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 
>  Please, note the exclamation symbol, which means a logical negation.

Yes, but ORing the two, all clients should have gone to the local http
service.

The best thing, in this case, is to use chains:

iptables -t nat -N twoboxen
iptables -t nat -N others

# --mac-source needs the mac match module loaded with -m mac, and the address
# must be six colon-separated hex pairs; -i eth1 keeps these rules from
# touching traffic that arrives on the external NIC
iptables -t nat -A PREROUTING -i eth1 -m mac --mac-source aa:aa:aa:aa:aa:aa -j twoboxen
iptables -t nat -A PREROUTING -i eth1 -m mac --mac-source bb:bb:bb:bb:bb:bb -j twoboxen
iptables -t nat -A PREROUTING -i eth1 -j others

# ACCEPT in the nat table just ends NAT processing: the two boxes go out untouched
iptables -t nat -A twoboxen -j ACCEPT
# REDIRECT rewrites the destination to the router's own address on the
# receiving interface (192.168.1.1) and keeps the port, so this lands on 192.168.1.1:80
iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

-- 
lfr
0/0
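The chain layout from the reply above, written out as a small generator script. This is an added example, not code from either poster: the interface, subnet, host addresses and MAC addresses are constructed placeholders, and it goes one step beyond the thread by binding each allowed MAC to its IP address (answering the "why MAC and not IP" question with "both"), so that spoofing the MAC alone is not enough to borrow an allowed host's access. With DRY_RUN=1 (the default) it prints the iptables commands instead of running them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, subnet, hosts and MACs are
# constructed placeholders. DRY_RUN=1 prints the commands; DRY_RUN=0 applies them.

LAN_IF="${LAN_IF:-eth1}"                    # internal NIC from the diagram
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # LAN subnet
LOCAL_HTTP="${LOCAL_HTTP:-192.168.1.1:80}"  # local http service for everyone else

# Hosts allowed straight out on port 80, as ip=mac tokens (constructed values).
# Matching both -s and --mac-source means an attacker has to spoof the IP and
# the MAC of an allowed host; a MAC alone is trivially changed on most NICs.
ALLOWED="192.168.1.10=00:11:22:33:44:55 192.168.1.11=00:11:22:33:44:66"

# Run iptables, or just print the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Six colon-separated hex pairs; iptables rejects anything else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the full nat-table ruleset: two user chains, one PREROUTING jump per
# allowed host, a catch-all jump for the rest of the LAN, and the chain bodies.
build_rules() {
    ipt -t nat -N twoboxen
    ipt -t nat -N others
    for entry in $ALLOWED; do
        ip=${entry%%=*}
        mac=${entry#*=}
        if ! valid_mac "$mac"; then
            echo "invalid MAC for $ip: $mac" >&2
            return 1
        fi
        # -m mac must precede --mac-source; -i scopes the rule to the LAN NIC
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j twoboxen
    done
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -j others
    ipt -t nat -A twoboxen -j ACCEPT
    ipt -t nat -A others -p tcp --dport 80 -j DNAT --to-destination "$LOCAL_HTTP"
}

build_rules
```

Note that the mac match only sees the source MAC of the frame that arrived on the router, so it identifies hosts on the directly connected eth1 segment and nothing behind another router. Re-running the script with DRY_RUN=0 appends a second copy of the PREROUTING rules; for a persistent configuration feed the printed rules into iptables-restore instead.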


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
