kannel sms wrote:
> As you said, I did all that, but it will not meet my requirement, because when I added that rule with a specific MAC address, according to your mail it will allow that machine to get all the DHCP facilities. But other machines are also doing the same thing, so it seems there is a small problem somewhere.

You said in one of your other postings that you're new to iptables. Have you read this tutorial yet?

http://iptables-tutorial.frozentux.net/

This is required reading for anyone who is serious about using iptables. Some other advice:

> I will give you my tables info:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP

You also said you're testing with a small LAN. Set the default policies to ACCEPT until you've got everything working. Once iptables is correctly configured very few, if any, packets will reach the end of these chains and you can safely change this back to DROP.

Make sure you clear all your previous rules and chains before running this script or you will just be adding rules on top of rules.

> #######################################################################################################################
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW -j ACCEPT

Don't bother with this stuff until you have your MAC filtering working correctly. Then you can add these types of rules back in. I find it easier to group all the rules together by table rather than by type, but as long as they're entered in the correct order it doesn't matter to iptables.

> ####################################################################################################################
> iptables -N MACcheck
> iptables -A MACcheck -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
> iptables -A MACcheck -j DROP
> iptables -I INPUT -i eth0 -j MACcheck

These look ok except the last line should have -A INPUT.

> ######################################################################################################################
> iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 67 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 67 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
> iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 68 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 68 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT

If you fix the first INPUT rule then none of your traffic from eth0 will ever reach these rules. Since you're directing traffic from eth0 to the MACcheck chain you should put these rules on MACcheck.

Follow Antony's advice and put in lots of logging rules so you can see where the traffic is going and why.

Jeff
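The following script is an added example and is not code posted in this thread; it puts Jeff's advice together in one re-runnable form: flush the old rules first, keep the policies at ACCEPT while testing, create MACcheck, put the DHCP rules on that chain instead of on INPUT, append the jump with -A rather than -I, and log whatever falls through. The interface name eth0, the MAC 00:50:BA:50:36:25 and the use of a single udp 67:68 port range are taken from or assumed for this thread; the rate-limited LOG rule, the RUN_FIREWALL guard and the IPTABLES=echo dry-run hook are my additions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: LAN interface eth0,
# the MAC from the thread, and IPTABLES=echo for a dry run that only prints
# the commands (needs neither root nor an iptables binary).
IPTABLES=${IPTABLES:-iptables}
LAN_IF=${LAN_IF:-eth0}
ALLOWED_MAC=${ALLOWED_MAC:-00:50:BA:50:36:25}

# Start from a clean slate so re-running never stacks rules on old rules.
reset_rules() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    # ACCEPT while testing; switch to DROP once the LOG counters show only
    # traffic you expect reaching the end of each chain.
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
}

# Loopback and reply traffic; these go in before the MACcheck jump.
base_rules() {
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# MACcheck holds the DHCP rules, so traffic jumped here from eth0 can
# actually match them. No -s match on purpose: a client without a lease
# sends its DHCPDISCOVER from 0.0.0.0, which 192.168.30.0/24 never matches.
mac_rules() {
    "$IPTABLES" -N MACcheck
    "$IPTABLES" -A MACcheck -p udp --dport 67:68 \
        -m mac --mac-source "$ALLOWED_MAC" -j ACCEPT
    # Log what falls through (rate-limited) so you can see why it was dropped.
    "$IPTABLES" -A MACcheck -m limit --limit 5/min \
        -j LOG --log-prefix "MACcheck drop: "
    "$IPTABLES" -A MACcheck -j DROP
    # -A, not -I: the jump is appended after the loopback/state rules above.
    "$IPTABLES" -A INPUT -i "$LAN_IF" -j MACcheck
}

apply_rules() {
    reset_rules
    base_rules
    mac_rules
}

# Only touch the live firewall when explicitly asked.
if [ "${RUN_FIREWALL:-0}" = "1" ]; then
    apply_rules
fi
```

Run `IPTABLES=echo RUN_FIREWALL=1 sh mac-dhcp.sh` to see the exact commands before applying them for real with `RUN_FIREWALL=1`, then watch `iptables -L MACcheck -v -n` and the kernel log for the "MACcheck drop:" prefix to see which packets are taking which path. Two things to keep in mind while judging the result: a source MAC is trivially set by the client, so this gates convenience, not trust; and some DHCP servers (ISC dhcpd among them) read packets through a packet socket, so a client can still be answered even when INPUT drops its packets, which is why the LOG counters, not the client's behaviour, are the thing to check.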