On Mon, Jun 25, 2007 at 09:46:22PM +0200, Jordi Espasa Clofent wrote: > > > ^^^^^^^^^ this is a very bad example > > > > It's understandable example; so, it's enough. 127.x is always private to each host, so it is confusing. I just assumed it was one address that just came to your mind. > > > Why MAC and not IP addresses? > > > > IP addresses are very easy to change. The idea is only a two concrete boxes > with a concrete ubication can surfer the web freely. MAC addresses are easy too, only less known. > > > Yes, but ORing the two, all clients should have gone to the local http > > service. > > > > The best thing, in this case, is to use chains: > > > > iptables -t nat -N twoboxen > > iptables -t nat -N others > > > > iptables -t nat -A PREROUTING --mac-source aaaaaaaaaa -j twoboxen > > iptables -t nat -A PREROUTING --mac-source bbbbbbbbbb -j twoboxen > > iptables -t nat -A PREROUTING -j others > > > > iptables -t nat -A twoboxen -j ACCEPT > > iptables -t nat -A others -p tcp --dport 80 -j REDIRECT > > I think this is a "large" solution. Two iptables code lines should be > enough. I've modified the lines: > > iptables -t nat -A OUTOUT -p tcp -i eth1 -m mac --mac-source ! > xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80 > iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! > xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80 Two of these for each of the two hosts? That's what I don't understand. Let's suppose you have host A, B, C, D, E, and want only A and B to have access to the web. So, the rules would look like: 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80 Ditto for -A OUTPUT. So, what happens when C, D or E send a packet? They don't match any mac address, so they will be DNAT'ed to 192.168.1.1. What about A? It doesn't match rule 1, but it matches rule 2, so it will be DNAT'ed also. And host B? It matches rule 1, so it is DNAT'ed. Thus the use of chains, to send each host to the proper chain and there do the work (dnat or don't dnat). > Of course, thank you for your help and comments Luciano. ;) Not at all. :) -- lfr 0/0
Attachment:
pgprDzsloAJ9k.pgp
Description: PGP signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
