> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jiann-Ming Su
> Sent: Tuesday, August 30, 2005 9:50 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Allowing access only some sites - onely some mac address
>
> On 8/29/05, Sebastião Antônio Campos (GWA) <sa.campos@xxxxxxxxxxxxxxxx> wrote:
> >
> > Dears,
> >
> > I'd like to allow access only to some sites by some mac address.
> >
> > For example:
> >
> > I have a list of the mac address 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > address could access only the following IP: 200.221.2.128, 200.221.2.129,
> > 200.221.2.130, 200.221.2.131, 200.205.144.75, 200.205.144.76. But the other
> > mac address could access everything.
> >
>
> IIRC, MAC addresses (layer 2) do not go beyond the router (layer 3). I think
> you can only do what you are proposing if all your boxes are behind the same
> broadcast domain.
>
> --
> Jiann-Ming Su
> "I have to decide between two equally frightening options.
> If I wanted to do that, I'd vote." --Duckman

That is correct. When a packet passes through a router, it comes out the other side with the router's MAC, not the original computer's MAC. I imagine there's an RFC that goes along with this but I discovered it using MAC filtering on an iptables firewall about a year ago.

Derick Anderson
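As an added example (not from the thread or any of its posters), here is the rule shape the original question asks for, placed where the replies say it can work: on the gateway that is directly attached to the restricted hosts, matching in the FORWARD chain with the iptables `mac` match. The MACs are the first three quoted in the question (the rest of that list is elided on the page) and the IPs are the six quoted there; the chain name MACLIMIT and the functions gen_rules and mac_may_reach are my own. The script prints the iptables commands rather than executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rules that let only
# the listed MACs reach only the listed IPs, while every other MAC is untouched.
# Caveat from the thread: -m mac sees the MAC of the last layer-2 hop, so this
# only works on the router that shares a broadcast domain with the restricted
# hosts; one router further upstream every packet carries that router's MAC.

# Three of the MACs and the six IPs quoted in the question.
RESTRICTED_MACS="00:0c:6E:11:E8:B0 00:D8:02:D8:C8:DF 00:E7:05:C9:07:EA"
ALLOWED_IPS="200.221.2.128 200.221.2.129 200.221.2.130 200.221.2.131 200.205.144.75 200.205.144.76"

# Emit the commands instead of executing them; review, then `gen_rules | sh` as root.
gen_rules() {
    # MACLIMIT is an assumed chain name. RETURN hands allowed destinations back
    # to FORWARD so the rest of the policy still applies; anything else is dropped.
    echo "iptables -N MACLIMIT 2>/dev/null || iptables -F MACLIMIT"
    for ip in $ALLOWED_IPS; do
        echo "iptables -A MACLIMIT -d $ip -j RETURN"
    done
    echo "iptables -A MACLIMIT -j DROP"
    # Inserted at the top of FORWARD so they run before any broad ACCEPT rule.
    # Reply traffic arrives with the upstream router's source MAC, so it is not
    # matched here and is governed by the rest of the FORWARD policy.
    for mac in $RESTRICTED_MACS; do
        echo "iptables -I FORWARD -m mac --mac-source $mac -j MACLIMIT"
    done
}

# Model of the generated policy: returns 0 if MAC $1 may reach IP $2, else 1.
# Unlisted MACs are always allowed, mirroring the question's requirement.
mac_may_reach() {
    mac=$1; ip=$2
    for m in $RESTRICTED_MACS; do
        [ "$m" = "$mac" ] || continue
        for a in $ALLOWED_IPS; do
            [ "$a" = "$ip" ] && return 0
        done
        return 1
    done
    return 0
}
```

The restricted hosts can reach nothing but those six addresses, not even a DNS resolver, so if the sites are meant to be visited by name the resolver's address has to be added to ALLOWED_IPS as well.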