On Tuesday 18 February 2003 10:40 am, hare ram wrote:
> Hi all
>
> In my LAN, I have a lot of MAC addresses (PCs).
> How do I make a rule for 100 MAC addresses (PCs) to allow
> and any other MAC address to deny?
>
> Any suggestions?
> Thanks,
> hare

You have to match each MAC individually, one at a time. If there are no other acceptable filtering criteria (IP + incoming interface, for example), then your best bet is something like this:

# user-defined chain: listed MACs RETURN to the caller, everything else is dropped
iptables -N MACtest
iptables -A MACtest -m mac --mac-source 00:11:22:33:44:55 -j RETURN
iptables -A MACtest -m mac --mac-source 00:11:22:33:44:66 -j RETURN
[... etc with all 100 MACs in individual rules, followed by ...]
iptables -A MACtest -j DROP

# FORWARD: let existing connections through, send only NEW packets from eth0 to MACtest
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j MACtest
iptables -A FORWARD {ordinary rules from here on in FORWARD}

This will take any NEW traffic coming from eth0 to be forwarded and pass ALL of it to the user-defined MACtest chain, which will RETURN acceptable MACs back to FORWARD for continued processing, and DROP any that don't match up with one of the rules. (This way only the NEW packets have to traverse potentially 101 extra rules before ordinary matching in FORWARD continues.)

You can call the same user-defined chain from INPUT as well, or instead.

Keep in mind that a script can build the MACtest chain in a loop, reading the MAC addresses from a separate text file and appending the DROP 'policy' after the loop completes.

j
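The loop-driven build of the MACtest chain that the reply suggests, written out as an added example (this is not code from the original post). It assumes a plain text allow-list with one MAC per line, ignores blank lines and `#` comments, refuses malformed entries instead of turning them into bad rules, and prints the iptables commands rather than running them, so the result can be reviewed and then piped to `sh` as root. The sample allow-list, the chain name MACtest and the interface eth0 are taken from the reply; the file contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the MACtest chain
# from a text file of allowed MAC addresses. Commands are printed, not run;
# review them, then pipe them to 'sh' as root to apply.

# Write a constructed sample allow-list to the file named in $1.
# One MAC per line; blank lines and '#' comments are ignored. One malformed
# entry is included on purpose to show that it is rejected, not silently used.
write_sample_list() {
    cat > "$1" <<'EOF'
# workstations (constructed sample data)
00:11:22:33:44:55
00:11:22:33:44:66

00:11:22:33:44:77   # inline comment after a MAC
not-a-mac-address
EOF
}

# Print the iptables commands that build chain $1 from allow-list $2:
# create the chain, one RETURN rule per valid MAC, then the final DROP.
# Returns 1 if any entry was malformed (the valid rules are still printed).
emit_mactest_rules() {
    chain="$1"
    list="$2"
    bad=0
    printf 'iptables -N %s\n' "$chain"
    # strip comments and surrounding whitespace, drop empty lines;
    # MAC entries contain no spaces, so word splitting yields one entry each
    for mac in $(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list" | grep -v '^$'); do
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf 'iptables -A %s -m mac --mac-source %s -j RETURN\n' "$chain" "$mac"
        else
            printf 'skipping malformed entry in %s: %s\n' "$list" "$mac" >&2
            bad=1
        fi
    done
    # the DROP 'policy' goes after the loop, exactly as the reply describes
    printf 'iptables -A %s -j DROP\n' "$chain"
    return $bad
}

# Print the FORWARD rules that hand NEW packets arriving on interface $1 to chain $2.
emit_hook_rules() {
    iface="$1"
    chain="$2"
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -m state --state NEW -j %s\n' "$iface" "$chain"
}

# Demo: build the chain from the constructed sample list and show the result.
demo() {
    tmp=$(mktemp)
    write_sample_list "$tmp"
    emit_mactest_rules MACtest "$tmp" || printf '# note: malformed entries were skipped\n' >&2
    emit_hook_rules eth0 MACtest
    rm -f "$tmp"
}
demo
```

Running the script prints the chain with three RETURN rules followed by the DROP, reports the malformed line on stderr, and exits nonzero for that line, so a broken allow-list is noticed before anything reaches iptables. Replacing `write_sample_list` with your own file path is all that is needed for a real list; `emit_mactest_rules MACtest /etc/allowed-macs.txt | sh` then applies the rules.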