Hey, don't forget... the firewall will only see the MAC of the routers (from experience) unless the routers pass the MAC address across when routed... but AFAIK they don't... so -m mac is useless in this scenario...

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Cedric Blancher
Sent: Friday, August 01, 2003 5:53 PM
To: Leonardo Pires
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Reject Mac-Address

On Fri 01/08/2003 at 05:20, Leonardo Pires wrote:
> I have the following scenario:
> internet--router---firewall---router---clients
> I have the mac_address of all clients, and I need to reject some
> clients in the firewall using the mac_address. Does someone know how I
> can do it?

You will do source MAC address based filtering. Use the mac match:

cbr@xxxxxxx:~$ iptables -m mac --help
iptables v1.2.7a
[...]
MAC v1.2.7a options:
 --mac-source [!] XX:XX:XX:XX:XX:XX
                                Match source MAC address

Suppose you want to deny access to a host considering its MAC address:

iptables -A FORWARD -m mac --mac-source $FORBIDDEN_MAC -j DROP

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
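The point made at the top of the thread (that a router hop replaces the Ethernet source address, so `-m mac --mac-source` at the firewall never sees a client MAC from the far side of a router) can be shown without a lab. The following is an added example, not code from the thread or from netfilter: it builds an Ethernet/IPv4 frame, applies the same layer-2 rewrite a forwarding router performs, and compares the Ethernet source the way the mac match would. All MAC and IP addresses are constructed (locally administered MACs, RFC 5737 test networks), and the topology assumed is the one in the original question: clients, an inner router, then the firewall.

```python
"""
Added example: what `iptables -m mac --mac-source` compares against when a
client frame reaches the firewall directly versus after an IP router hop.
All addresses below are constructed for the demonstration.
"""
import socket
import struct

# Constructed (locally administered) MAC addresses and RFC 5737 test IPs.
CLIENT_MAC = "02:00:00:00:00:0a"      # a client behind the inner router
ROUTER_LAN_MAC = "02:00:00:00:00:b1"  # inner router, client-facing interface
ROUTER_WAN_MAC = "02:00:00:00:00:b2"  # inner router, firewall-facing interface
FIREWALL_MAC = "02:00:00:00:00:f1"    # firewall, inner interface
CLIENT_IP = "192.0.2.10"
INTERNET_IP = "198.51.100.7"
ETHERTYPE_IPV4 = 0x0800


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_ipv4(src_ip: str, dst_ip: str, ttl: int = 64, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum and no payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto,
                      0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_frame(src_mac: str, dst_mac: str, ip_packet: bytes) -> bytes:
    """Ethernet II encapsulation: dst MAC, src MAC, EtherType, payload."""
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def parse_frame(frame: bytes) -> dict:
    """Return the fields a netfilter match would look at."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    return {
        "dst_mac": bytes_to_mac(frame[:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "ttl": ip[8],
        "checksum_ok": checksum(ip[:20]) == 0,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
    }


def route(frame: bytes, egress_mac: str, next_hop_mac: str) -> bytes:
    """What an IP router does when forwarding: the layer-2 header is discarded,
    TTL is decremented (and the header checksum recomputed), and the packet is
    re-encapsulated with the router's own egress MAC as the Ethernet source.
    The original sender's MAC does not survive this hop; its IP address does."""
    ip = bytearray(frame[14:])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip[:20])))
    return build_frame(egress_mac, next_hop_mac, bytes(ip))


def mac_source_match(frame: bytes, mac: str) -> bool:
    """Equivalent of `-m mac --mac-source <mac>`: compare the Ethernet source."""
    return parse_frame(frame)["src_mac"] == mac.lower()


def frame_at_firewall(via_router: bool) -> bytes:
    """The frame the firewall's inner interface receives from the client,
    either on the same Ethernet segment or after the inner router hop."""
    packet = build_ipv4(CLIENT_IP, INTERNET_IP)
    if not via_router:
        return build_frame(CLIENT_MAC, FIREWALL_MAC, packet)
    on_lan = build_frame(CLIENT_MAC, ROUTER_LAN_MAC, packet)
    return route(on_lan, ROUTER_WAN_MAC, FIREWALL_MAC)


if __name__ == "__main__":
    for via_router in (False, True):
        seen = parse_frame(frame_at_firewall(via_router))
        hit = mac_source_match(frame_at_firewall(via_router), CLIENT_MAC)
        print("via_router=%-5s src_mac=%s src_ip=%s ttl=%d  --mac-source %s matches: %s"
              % (via_router, seen["src_mac"], seen["src_ip"], seen["ttl"], CLIENT_MAC, hit))
```

On the same segment the match fires; after the router hop the Ethernet source is ROUTER_WAN_MAC and the rule never matches, while the IP source is still the client's. On a real box, `tcpdump -e -i <inner interface>` on the firewall shows the link-level addresses and confirms which of the two cases you are in. The practical consequence for the topology in the question is that a MAC-based rule only works on the first layer-3 hop the client's frames reach (here the inner router), and that the firewall can only act on the IP address, which the client controls.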