Hi,
I recommend that you use the following script:
------------------------------------------------
#!/bin/sh
# Deleting all existing rules in all chains
# and deleting user created chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X

# Setting the default policy to DROP, so those packets which are not
# ACCEPT-ed are dropped at the end
iptables -P FORWARD DROP

# Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allowing outgoing packets from specific users with correct mac
# addresses.
# Add same line for each client with proper ip and mac addresses
iptables -A FORWARD -s 192.168.10.2 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

# Allowing all incoming packets which belong to a client's
# connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-----------------------------------------------------------------------
You should consider the INPUT and OUTPUT chains on your router, and set proper rules on them according to your needs.
Also you'll need connection tracking support from the kernel.
The 'ip_conntrack' and similar modules will be useful if you don't have connection tracking support compiled into the kernel itself.
I hope this will help!!!
Regards: Ilia Lindov
Sorin Capra wrote:
Hello guys
I don't know if this thing has been posted before (if it was, please forgive me).
I have 7 computers at home and I want all of them to have access to the internet. In order to do that, I set up a linux router (2 network cards) as a usual router (eth0: 82.77.69.75 - internet connection; eth1: 192.168.10.1 - local network). The other computers have ips ranging from 192.168.10.2 to 192.168.10.8. The linux router masquerades the other computers. The problem I have is that I want to do the masquerading based on mac AND the ip, not only on the ip (so if I change the ip on a computer and use another ip from another computer which is down, the masquerading process shouldn't work).
What I came up with is this :
-------------------------
#!/bin/sh
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -F -t nat
$ipt -t filter -N computer1 >/dev/null 2>&1
$ipt -t filter -N computer2 >/dev/null 2>&1
$ipt -t filter -N computer3 >/dev/null 2>&1
$ipt -t filter -N computer4 >/dev/null 2>&1
$ipt -t filter -N computer5 >/dev/null 2>&1
$ipt -A FORWARD -s 192.168.10.2 -j computer1
$ipt -A FORWARD -s 192.168.10.3 -j computer2
$ipt -A FORWARD -s 192.168.10.4 -j computer3
$ipt -A FORWARD -s 192.168.10.5 -j computer4
$ipt -A FORWARD -s 192.168.10.6 -j computer5
$ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
#$ipt -P FORWARD DROP
--------------------
If I uncomment the last line ("#$ipt -P FORWARD DROP") the router won't forward any packets. What am I doing wrong? Thank you in advance,
Sorin
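Editor's note, added here and not part of either message above: the script below is a generator for the ruleset Ilia describes, written to illustrate both his reply and Sorin's question. With the FORWARD policy set to DROP, Sorin's rules only accept packets whose source IP and MAC belong to a LAN client; the replies coming back from the internet carry an outside source IP and the upstream router's MAC, match nothing, and are dropped, which is exactly what the ESTABLISHED,RELATED rule in Ilia's script lets through. The interface names (eth0 for the internet side, eth1 for the LAN), the IPT variable and the client table are assumptions made for this example; the mac match only inspects the layer-2 header of frames arriving on the local segment, so the binding rule is restricted to the LAN-facing interface. The generator prints the commands instead of running them unless it is invoked with "apply", so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not Ilia's or Sorin's script: a generator for the
# "default DROP, bind each LAN IP to a MAC, let replies back in" ruleset.
# Interface names and the client table below are assumptions for
# illustration; set IPT=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed internet-facing interface
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN-facing interface

# Constructed client table, one "ip mac" pair per line.
CLIENTS='
192.168.10.2 00:c0:df:f7:7c:3b
192.168.10.3 00:06:4f:0f:3b:c1
'

# Emit the whole ruleset on stdout, one command per line, so it can be
# reviewed before it is piped into a shell.
gen_rules() {
    clients="$1"
    printf '%s\n' \
        "$IPT -t nat -F" \
        "$IPT -t filter -F" \
        "$IPT -t filter -X" \
        "$IPT -P FORWARD DROP" \
        "$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE" \
        "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One rule per client: packets with this source IP are forwarded only
    # when the frame actually came from the MAC bound to it. The mac match
    # only sees the layer-2 header of frames on the LAN segment, which is
    # why the rule is restricted to -i $LAN_IF. Anything else (an IP reused
    # from another NIC, an unknown host) falls through to the DROP policy.
    echo "$clients" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
}

# Number of per-client binding rules the generator produced.
count_client_rules() {
    gen_rules "$1" | grep -c -- '--mac-source'
}

# Apply only when explicitly asked:  sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_rules "$CLIENTS" | sh
fi
```

Run it without arguments to see the generated commands; run it with "apply" (as root, with the ip_conntrack or nf_conntrack support Ilia mentions loaded) to install them. Note that the binding only checks the MAC a client presents on the wire, so it prevents the accidental IP reuse Sorin describes rather than acting as an authentication boundary.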
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/