On Sat, Oct 23, 2010 at 5:33 PM, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
> On Sat, 2010-10-23 at 17:19 -0500, Scott Mayo wrote:
>> I have my DHCP server setup so that it hands out IP addresses according
>> to a machine's MAC address. Is there a way to deny traffic to the
>> internet by both MAC address and IP address?
>>
>> i.e. If MAC address 00:11:22:33:44:55 is given IP address 192.168.0.1
>> by DHCP then that should be the only combo that can get to the outside
>> world. If the IP address is changed to something else or if another
>> machine that has a different MAC address is given the IP address
>> 192.168.0.1 statically, then in neither situation should the machine
>> be able to get out to the world.
>
> Something like this...
>
> Set your default policy to drop:
>
> iptables -t mangle -P FORWARD DROP
>
> Then set up a rule for each client that matches both IP address and MAC:
>
> iptables -t mangle -A FORWARD -s 1.2.3.4 \
>         -m mac --mac-source aa:aa:aa:aa:aa:aa -j ACCEPT
>
> Andy

Thanks for the help everyone. I will try this out next week. I figured there was a way to do it, but I am still not the greatest with IPTABLES. Not sure that I have ever done anything with the mangle table.

Thanks again.

--
Scott
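The approach Andy sketches, written out as a script that generates one MAC+IP pinning rule per client from the same reservation list the DHCP server uses. This is an added example and not code from the thread; it assumes the LAN-facing interface is eth1, puts the rules in the filter table (the default table for FORWARD) rather than mangle, and the client list below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): emit iptables rules that let a
# client forward traffic only when BOTH its source IP and source MAC match the
# DHCP reservation. Rules are printed, not applied; pipe the output into sh.
# Assumptions: LAN interface eth1, filter table (not mangle), constructed client list.

LAN_IF="${LAN_IF:-eth1}"

# Constructed sample reservation list: "<mac> <ip>" per line, '#' starts a comment.
CLIENTS='
# mac                ip
00:11:22:33:44:55    192.168.0.1
aa:bb:cc:dd:ee:ff    192.168.0.2
'

# Accept only the six-octet colon form that --mac-source expects.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Coarse IPv4 shape check so a typo in the list fails loudly instead of
# quietly producing a rule for the wrong host.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# One ACCEPT per client: a packet must carry the reserved source IP AND the
# reserved source MAC, so changing either one falls through to the DROP policy.
rule_for_client() {
    printf 'iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
        "$LAN_IF" "$2" "$1"
}

generate_rules() {
    # Start from a clean, default-deny FORWARD chain.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -F FORWARD\n'
    # Replies to allowed connections arrive from the internet with the upstream
    # router's MAC as source; without this rule the DROP policy would eat them.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    while read -r mac ip rest; do
        case "$mac" in ''|\#*) continue ;; esac
        if ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            printf 'bad entry: %s %s\n' "$mac" "$ip" >&2
            return 1
        fi
        rule_for_client "$mac" "$ip"
    done <<EOF
$CLIENTS
EOF
}

# Usage: sh pin-clients.sh            (review the generated rules)
#        sh pin-clients.sh | sudo sh  (apply them)
generate_rules
```

Two caveats a practitioner would check before relying on this. The `mac` match only sees the source MAC of the last layer-2 hop, so it works for hosts on the directly attached LAN segment and never for anything behind another router; and it is only available in chains that see incoming packets (PREROUTING, INPUT, FORWARD). The ESTABLISHED,RELATED rule is what Andy's two-rule sketch leaves out: with FORWARD set to DROP, return traffic from the internet would otherwise be discarded, because it matches neither the reserved IP nor the reserved MAC.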