On Tue 27/05/2003 at 11:49, Michael Stilmant wrote:
> On Tue, 2003-05-27 at 10:34, Cedric Blancher wrote:
> > What about a layer 2 SNAT on OUTPUT chain from B to A for filtered
> > packets ?
> > ebtables can achieve this.
> Well, I'll look into this solution. Thanks ... so you say it's possible
> to make a filter in ebtables where I can say for all frames for ip:A port
> X from port Y replace MAC with the #C value ?

Not directly, because ebtables cannot match TCP fields. But it must be
possible using fwmark propagation.

iptables -t mangle -A OUTPUT -p tcp --sport Y -d A --dport X \
    -j MARK --set-mark 0x01

Then, you SNAT in POSTROUTING using ebtables on marked packets :

ebtables -t nat -A POSTROUTING --mark 0x01 \
    -j snat --to-source C_MAC

I must admit I did not try this, but I do think it should work, as long
as the output interface is a bridge (if not, the packet won't go through
the ebtables framework).

You didn't get any other answer for this on the ebtables-user list ? I Cc
ebtables-user, so one can confirm what I said below ;)

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
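Added example, not part of the thread above: a small POSIX sh helper that generates the mark/snat rule pair for the fwmark propagation described in the mail, using the placeholders A, X, Y and C_MAC from the message, validating the MAC and ports, and checking via sysfs that the intended output interface is a bridge (the condition the mail names for the ebtables rule to see the frame). The interface variable BR, the function names and the 192.0.2.x sample values are assumptions.

```shell
#!/bin/sh
# Added example for the fwmark propagation technique (iptables MARK in the
# mangle OUTPUT chain, ebtables --mark match in nat POSTROUTING). Not the
# original poster's code; parameters A, X, Y, C_MAC are the placeholders
# from the mail and must be supplied by the caller.

# A MAC typo would produce a snat rule that rewrites to garbage; reject it.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# TCP ports must be numeric and in 1..65535, otherwise iptables refuses the rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ebtables only sees frames leaving through a bridge port; a plain interface
# has no bridge/ directory in sysfs, so the rule would silently never match.
is_bridge() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# Print the two rules. The same mark value is substituted into both so the
# iptables MARK target and the ebtables mark match cannot drift apart.
# Arguments: A (dest IP) X (dest port) Y (source port) C_MAC [mark, default 0x01]
gen_rules() {
    a="$1" x="$2" y="$3" mac="$4" mark="${5:-0x01}"
    valid_port "$x" && valid_port "$y" && valid_mac "$mac" || return 1
    printf 'iptables -t mangle -A OUTPUT -p tcp --sport %s -d %s --dport %s -j MARK --set-mark %s\n' "$y" "$a" "$x" "$mark"
    printf 'ebtables -t nat -A POSTROUTING --mark %s -j snat --to-source %s\n' "$mark" "$mac"
}

# Usage: BR=br0 sh rules.sh A X Y C_MAC   (prints the rules; pipe to sh to apply)
if [ -n "${BR:-}" ]; then
    is_bridge "$BR" || { echo "$BR is not a bridge; ebtables will not see these frames" >&2; exit 1; }
    gen_rules "$@"
fi
```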