[SOLVED] allows outgoing traffic for two mac address with iptables

tastiero · 03-24-2012, 07:22 AM

i'm using IPCOP like firewall for my lan.
i want to block outgoing traffic of all client except two mac address.
i use this rule for the first client:
iptables -I CUSTOMFORWARD -o eth1 -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP
when i insert the second rule with the second mac addres i have problems.
only one client works fine.
what's wrong?
thank you

smilemukul · 03-24-2012, 08:29 AM

First of all your first rule is incorrect, where -o is mentioned -i should be inserted in iptables -I CUSTOMFORWARD -o eth1 -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP & also in your first rule you are denying traffic to all which is taking precedence.

The correct rule,

1. First apply rule for the clients to accept for the two mac addresses as,
iptables -I OUTPUT -i eth1 -p tcp -m mac --mac-source <first mac address to accept> -j ACCEPT
iptables -I OUTPUT -i eth1 -p tcp -m mac --mac-source <Second mac address to accept> -j ACCEPT

2. Now drop/reject outgoing traffic for all clients as,
iptables -I OUTPUT -i eth1 -p tcp -j DROP

Note: Drop takes preceedence over Accept rule.

tastiero · 03-24-2012, 09:19 AM

thank you. i try and let you know

tastiero · 03-26-2012, 04:11 AM

i found the right solution:
iptables -A CUSTOMFORWARD -p tcp -o eth1 -m mac --mac-source <first mac address> -j ACCEPT
iptables -A CUSTOMFORWARD -p tcp -o eth1 -m mac --mac-source <second mac address> -j ACCEPT
iptables -A CUSTOMFORWARD -p tcp -o eth1 -j DROP

thanks smilemukul