Re: Why packages pass through a restrictive mangle prerouting rule?

On Thu, December 22, 2005 14:46, Gábor Iglói wrote:
> Hello!
>
> I'd like to restrict WLAN access to my server by using a MAC filtering
> policy. Here are some of my iptables chains:
>
> #default prerouting drop policy and only allowing certain client NICs
> based on mac address
> iptables -t mangle -P PREROUTING DROP
> iptables -t mangle -A PREROUTING -i wlan0 -m mac --mac-source
> (physaddr of an allowed client NIC) -j ACCEPT
>
> These rules however don't stop unauthorized clients with foreign
> MAC addresses from successfully connecting and obtaining an IP address from the
> DHCP server running on the same machine - and I don't understand why.
> The prerouting mangle chain is supposed to be passed by all packets,
> right? If I drop all of the packets coming from clients with unknown MAC
> addresses, how can they still obtain the DHCP info?
>
> I'd like to know how to filter out all communication from all clients
> and only allow authorized ones to connect to the DHCP server.

Why don't you use the filter table; that is what it's for.
If you use state matching, you only need to accept the NEW packets for
the MAC addresses you want, together with RELATED and ESTABLISHED
packets.

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -i wlan0 -m mac \
  --mac-source <client_mac1> -j ACCEPT
iptables -A INPUT -m state --state NEW -i wlan0 -m mac \
  --mac-source <client_mac2> -j ACCEPT


Gr,
Rob
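One way to generate the filter-table rule set above for a whole list of client MACs, as an added shell example that is not part of the thread (the function names and the sample MAC addresses are my own; it prints the commands rather than applying them):

```shell
#!/bin/sh
# Added example (not from the thread): emit the filter-table rule set
# described above for an allowlist of client MAC addresses on one interface.
# Usage: build_mac_allowlist_rules <iface> <mac> [<mac> ...]
# Prints one iptables command per line; pipe the output into sh to apply.

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

build_mac_allowlist_rules() {
    iface=$1
    shift
    # Need an interface name and at least one MAC address.
    [ -n "$iface" ] && [ $# -ge 1 ] || return 2

    # Validate every address before printing anything, so a typo does
    # not leave a half-applied rule set behind.
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done

    # Default deny on INPUT; replies to our own traffic are accepted
    # first so the per-MAC rules only have to cover NEW connections.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for mac in "$@"; do
        echo "iptables -A INPUT -m state --state NEW -i $iface -m mac --mac-source $mac -j ACCEPT"
    done
}
```

Run `build_mac_allowlist_rules wlan0 <mac1> <mac2> | sh` as root to apply it; the function exits non-zero and prints nothing if any address is malformed.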