On Wed, October 5, 2005 08:44, Winanjaya - PBXSoftwares wrote:

...

>> > > Ah, one other comment: this might be better structured using a
>> > > user-defined chain.
>>
>> (Hold that thought ...)

...

>> Think about this. Look at the first rule:
>> > -A RH-Lokkit-0-50-INPUT -m mac -s 172.16.2.240/29 ! --mac-source
>> > 00:12:95:6d:0a:3e -j DROP
>>
>> If the source IP is in 172.16.2.240/29 and the MAC address is *not*
>> 00:12:95:6d:0a:3e, drop the packet. Your second and subsequent MAC
>> rules will never be used, because those packets are already dropped.
>>
>> That's why I'd use another chain for this. Put an ACCEPT rule in the
>> calling chain after the jump to your new chain. Use -j RETURN rules
>> for your permitted MAC addresses, and a -j DROP rule at the end of
>> your new chain.
>>
>> I hope you do understand about MAC filtering: it only works when
>> your packets originated on the same physical segment. Anything from
>> outside your physical segment will come to you with the MAC address
>> of your upstream router.

> I am really sorry that I am not sure that I already understood what
> you mean exactly.. could you please give me a simple example for
> this? ..
> thanks a lot in advance

...[rules]...

# If the source IP is in 172.16.2.240/29, jump to a user defined chain.
$ipt -A INPUT -s 172.16.2.240/29 -j MAC-CHECK

...[other rules]...

# User defined chain.
# RETURN to built-in chain INPUT if the MAC address matches
# Otherwise, DROP the packet
$ipt -N MAC-CHECK
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:6d:0a:3e -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:61:14 -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:62:29 -j RETURN
$ipt -A MAC-CHECK -m mac --mac-source 00:12:95:15:63:ba -j RETURN
$ipt -A MAC-CHECK -j DROP

Gr,
Rob
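To see why the flat "! --mac-source X -j DROP" rules cannot work and why the MAC-CHECK chain does, here is a small Python model of iptables chain traversal (jump, RETURN, fall-through, policy). It is an added illustration, not code from the thread or from iptables: the three extra negated DROP rules of the original layout are constructed on the pattern of the one rule quoted above, the ACCEPT after the jump follows Rob's advice but is not in his quoted rules, and the sample source address 172.16.2.241 is made up.

```python
import ipaddress

def rule(target, src=None, mac=None, negate_mac=False):
    """One rule: optional -s network, optional --mac-source, negated when negate_mac."""
    return {"target": target, "src": src, "mac": mac, "negate_mac": negate_mac}

def matches(r, pkt):
    if r["src"] and ipaddress.ip_address(pkt["ip"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["mac"]:
        same = pkt["mac"].lower() == r["mac"].lower()
        if same == r["negate_mac"]:  # "! --mac-source X" matches only when the MAC differs
            return False
    return True

def walk(chains, name, pkt):
    """Traverse a chain top to bottom; None means RETURN or fell off the end."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        if r["target"] == "RETURN":
            return None
        v = walk(chains, r["target"], pkt)  # -j <user chain>; resume here if it returns
        if v is not None:
            return v
    return None

def verdict(chains, ip, mac, policy="ACCEPT"):
    v = walk(chains, "INPUT", {"ip": ip, "mac": mac})
    return v if v is not None else policy

NET = "172.16.2.240/29"
MACS = ["00:12:95:6d:0a:3e", "00:12:95:15:61:14",
        "00:12:95:15:62:29", "00:12:95:15:63:ba"]

# Original layout: one "-s NET ! --mac-source MAC -j DROP" rule per permitted MAC.
# Only the first rule is quoted in the thread; the others are constructed on that pattern.
FLAT = {"INPUT": [rule("DROP", src=NET, mac=m, negate_mac=True) for m in MACS]}

# Rob's layout: jump to MAC-CHECK, RETURN on a known MAC, DROP at the end of that chain,
# and (as he advises, though not in his quoted rules) an ACCEPT in INPUT after the jump.
CHAINED = {
    "INPUT": [rule("MAC-CHECK", src=NET), rule("ACCEPT", src=NET)],
    "MAC-CHECK": [rule("RETURN", mac=m) for m in MACS] + [rule("DROP")],
}
```

With the flat layout every packet from the /29 matches at least one of the negated rules (each host's MAC differs from the other three), so all four permitted hosts end up dropped; the chained layout accepts exactly those four and drops any other MAC on that subnet.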