127.x is always private to each host, so it is confusing. I just assumed
it was one address that just came to your mind.
Ok. It's a typo: I wanted to write 172.26.0.0/24 :P
MAC addresses are easy too, only less known.
Yes, of course. Almost for advanced users or sysadmins. But in this case
the LAN clients are Win machines with "normal" users. I think they don't
know even what's a MAC address.
Two of these for each of the two hosts? That's what I don't understand.
Let's suppose you have host A, B, C, D, E, and want only A and B to have
access to the web. So, the rules would look like:
1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source !
mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
Ditto for -A OUTPUT.
So, what happens when C, D or E send a packet? They don't match any mac
address, so they will be DNAT'ed to 192.168.1.1.
What about A? It doesn't match rule 1, but it matches rule 2, so it will
be DNAT'ed also.
And host B? It matches rule 1, so it is DNAT'ed.
Thus the use of chains, to send each host to the proper chain and there
do the work (dnat or don't dnat).
Now I see it! You have all the reason: I've missunderstood the process,
so the use of chain will be the correct strategy.
;)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos