Re: IP + MAC filter - doubt

Taylor, Grant wrote:

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 \
-m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

First, tell me if the above rule is correct.


Yes, that is one way to do it. The "other" way(s) have to do with ACCEPTing vs. redirecting to another chain for additional testing.

Second, I think I need first a rule to deny all IPs and MACs. Is that correct?


Yes, you will need a rule (or FORWARD policy) to not forward or DROP packets. I would put this at the end of your FORWARD chain (or at least the section that does your MAC to IP pairing), after you have decided what MAC/IP pairs to allow through. Explicitly allow what you want to get out and then DROP or REJECT the rest of the chaff.

How to first deny all IPs and MACs?


iptables -t filter -A FORWARD -i eth1 -o eth0 -j DROP

Thanks in advance


No problem.



Grant. . . .


The way I would handle the FORWARD chain in your scenario:

iptables -P FORWARD DROP <-- set the default policy to DROP; anything not matched by the rules will hit the default policy, i.e. be dropped.
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT <-- allow established & related packets back to the LAN.
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.5 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT <-- accept requests to the WAN only for a particular IP with a particular MAC address.



regards, Georgi Alexandrov
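As an added example (not code from either poster), the script below generates the FORWARD chain Georgi describes from an allow-list of IP/MAC pairs and rejects malformed MAC entries before they become rules. Interface names, the `ALLOWED_PAIRS` list and its MAC values are constructed assumptions; it prints the commands rather than running them so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD chain from an
# allow-list of "ip mac" pairs: default DROP, return traffic to the LAN,
# then one ACCEPT per IP/MAC pair (assumed interfaces: eth1 = LAN, eth0 = WAN).
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"

# Constructed allow-list (placeholder MACs), one "ip mac" pair per line.
# The third entry is deliberately malformed to show it being rejected.
ALLOWED_PAIRS="192.168.0.5 00:11:22:33:44:55
192.168.0.6 00:11:22:33:44:66
192.168.0.7 XX:XX:XX:XX:XX:XX"

# True if $1 is a well-formed MAC (six colon-separated hex octets).
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables commands; pipe to sh once reviewed.
forward_rules() {
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -F FORWARD"
    echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$ALLOWED_PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        if ! valid_mac "$mac"; then
            echo "skipping $ip: malformed MAC '$mac'" >&2
            continue
        fi
        echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # Explicit final DROP; redundant with the policy but gives a visible counter.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
}

# Number of per-host ACCEPT rules actually emitted.
count_pair_rules() {
    forward_rules 2>/dev/null | grep -c -- '--mac-source'
}

forward_rules
```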
