Please reply to the list.

Mohammad Norouzi wrote:
> Thanks Rob
> so please tell me how to use it to filter INPUT or FORWARD?
> I mean is it possible to filter any packet that is not coming from
> the specific mac address? I want to prevent any IP cloning to access
> the internet
> -A INPUT -s 192.168.0.157 -m mac --mac-source ! 00:11:2F:29:96:84 \
> -j REJECT

Well, this rule generates no error for me. Doesn't it for you?

I think you're working the other way around. If you have a DROP policy
and ACCEPT a match on IP and MAC I think you should be set.
Alternatively, you can add a *last* rule that REJECTs everything that
didn't match anything.

-P INPUT DROP
[...]
-A INPUT -s 192.168.0.157 -m mac --mac-source 00:11:2F:29:96:84 \
-j ACCEPT

or

-A INPUT -s 192.168.0.157 -m mac --mac-source 00:11:2F:29:96:84 \
-j ACCEPT
[...]
-A INPUT -j REJECT [--reject-with ...]

Grts,
Rob

> On 6/19/07, Rob Sterenborg <rob@xxxxxxxxxxxxxxx> wrote:
>>> Hi All
>>> I have following line to drop any request that is not from the
>>> original computer and it works fine
>>> -A PREROUTING -s 192.168.0.157 -p tcp -m mac --mac-source ! \
>>> 00:11:2F:29:96:84 -j DROP
>>>
>>> but now I want to change it to REJECT but it doesn't work and
>>> iptables will fail
>>>
>>> -A PREROUTING -s 192.168.0.157 -p tcp -m mac --mac-source ! \
>>> 00:11:2F:29:96:84 -j REJECT --reject-with=icmp-host-prohibited
>>>
>>> what is the problem?
>>
>> # man iptables
>>
>> REJECT
>> [...]
>> This target is only valid in the INPUT, FORWARD and OUTPUT chains,
>> and user-defined chains which are only called from those chains.
>> [...]
>>
>> The PREROUTING chain doesn't fit into this category thus REJECT
>> cannot be used.
>>
>>
>> Grts,
>> Rob

--
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
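As an added example (not part of the thread), the approach Rob describes written out as a complete iptables-restore ruleset: the IP/MAC pair from the thread is ACCEPTed in INPUT and FORWARD, the same IP from any other MAC is REJECTed there, and two small helpers encode the chain restrictions of the REJECT target and the mac match. The LAN interface name eth0 and the conntrack rules are assumptions; the MAC is only visible on the directly attached segment, so the rules belong on the gateway that the LAN hosts reach first.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
PINNED_IP="192.168.0.157"
PINNED_MAC="00:11:2F:29:96:84"
LAN_IF="eth0"   # assumed name of the interface facing the LAN

# REJECT is valid only in filter INPUT/FORWARD/OUTPUT (and user chains
# called from them), which is why it fails in nat/PREROUTING.
reject_allowed() {   # usage: reject_allowed TABLE CHAIN
  case "$1/$2" in
    filter/INPUT|filter/FORWARD|filter/OUTPUT) return 0 ;;
    *) return 1 ;;
  esac
}

# The mac match sees the frame's source address and is valid only in
# PREROUTING, INPUT and FORWARD, so the two overlap in INPUT and FORWARD.
mac_match_allowed() {   # usage: mac_match_allowed TABLE CHAIN
  case "$2" in
    PREROUTING|INPUT|FORWARD) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the ruleset; apply with: gen_rules | iptables-restore
# Other LAN hosts need their own ACCEPT rules under the DROP policy.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the pinned IP is usable only from its registered MAC
-A INPUT -i $LAN_IF -s $PINNED_IP -m mac --mac-source $PINNED_MAC -j ACCEPT
-A FORWARD -i $LAN_IF -s $PINNED_IP -m mac --mac-source $PINNED_MAC -j ACCEPT
# a cloned IP arriving from any other card gets an explicit REJECT
-A INPUT -i $LAN_IF -s $PINNED_IP -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $LAN_IF -s $PINNED_IP -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```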