Ok, so the firewall rules I am currently using are displayed below.
# DROP ALL FORWARDED PACKETS by default; only the rules below let traffic across the bridge
iptables -P FORWARD DROP
# ALLOW DHCP THROUGH THE FIREWALL (broadcast requests from wireless clients on br0)
iptables -t nat -A PREROUTING -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j DNAT --to 255.255.255.255:67-68 # ALLOW DHCP
iptables -A FORWARD -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j ACCEPT # ALLOW DHCP
# ALLOW DNS TRAFFIC (UDP and TCP, in both directions)
iptables -A FORWARD -p udp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p udp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p tcp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE
# ALLOW HTTP TRAFFIC
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A REQUEST
iptables -A FORWARD -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A RESPONSE
# REDIRECT HTTP REQUESTS to the login page (nat PREROUTING runs before the FORWARD rules above)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
Now what I want to do is have certain MAC addresses be exempt from all those rules. Primarily, I would rather have the rules that exempt these MAC addresses added after the rules above get executed, as exempt MAC addresses will be added very often and I do not want to have to re-execute my iptables script every time a new MAC address is made exempt; it may cause issues with the transfer of data over the network for other users.
Is there any way of doing this? Or something similar, or, if it comes down to it, a way of doing this before the above iptables rules?
For those who are interested, my setup at the moment is that of a wireless access portal: the computer these commands are executed on sits between a wireless access point and my network. This computer has 2 NICs bridged.
When someone connects to the wireless, they are subject to the above rules, meaning that when they open their browser they are presented with a login page. Once they log in, the MAC address is grabbed by the auth server, and at this point I am trying to figure out how to make their MAC address exempt from the rules for non-authenticated users.
Gateway <--- Bridged Firewall <--- Wireless Access Point
Any assistance that can be provided is greatly appreciated!
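One way to get per-MAC exemptions that can be added and removed one at a time, without touching the rest of the firewall script, is a dedicated chain that is jumped to from the very top of FORWARD and of nat PREROUTING. The helper script below is an added example, not code from the original post; the chain name AUTHED, the function names and the sample MAC addresses are assumptions. It prints iptables commands rather than running them, so it can be reviewed (or tested) without root; pipe the output to `sh` to apply it.

```shell
#!/bin/sh
# Added example (not from the original post): manage a per-MAC exemption
# chain that is consulted BEFORE the captive-portal rules. Exempt clients
# are added or removed one at a time; the main firewall script is never
# re-run. Chain name AUTHED is an assumption.
CHAIN="${CHAIN:-AUTHED}"

# valid_mac MAC: accept only six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# authmac_setup: print the one-time rules. Run ONCE (authmac_setup | sh)
# from the main firewall script; "-I ... 1" puts the jump at position 1, so
# it comes first whether the portal rules were appended before or after it.
# The ESTABLISHED,RELATED rule carries reply traffic: a reply's source MAC
# is the server's, so --mac-source can never match it, and a connection
# only reaches that state if its first packet was accepted by some rule.
authmac_setup() {
    cat <<EOF
iptables -N $CHAIN
iptables -t nat -N $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -j $CHAIN
iptables -t nat -I PREROUTING 1 -j $CHAIN
EOF
}

# authmac_rules add|del MAC: print the two rules for one client. The filter
# rule lets that client's frames through FORWARD ahead of the portal rules;
# the nat rule ends nat PREROUTING traversal for the client (ACCEPT in a nat
# chain means "no NAT"), so the port-80 DNAT to the login page is skipped.
authmac_rules() {
    case "$1" in
        add) flag="-A" ;;
        del) flag="-D" ;;
        *)   echo "usage: authmac_rules add|del MAC" >&2; return 2 ;;
    esac
    valid_mac "$2" || { echo "bad MAC address: $2" >&2; return 1; }
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise so del matches add
    printf 'iptables %s %s -m mac --mac-source %s -j ACCEPT\n' "$flag" "$CHAIN" "$mac"
    printf 'iptables -t nat %s %s -m mac --mac-source %s -j ACCEPT\n' "$flag" "$CHAIN" "$mac"
}

# Command-line use, e.g. from the auth server after a successful login:
#   ./authmac.sh setup | sh                      (once, at firewall start)
#   ./authmac.sh add 00:11:22:33:44:55 | sh      (per login)
#   ./authmac.sh del 00:11:22:33:44:55 | sh      (per logout / timeout)
#   iptables -L AUTHED -v -n                     (list current exemptions)
case "${1:-}" in
    setup)   authmac_setup ;;
    add|del) authmac_rules "$1" "${2:-}" ;;
esac
```

Two design points worth knowing before relying on this. First, deleting a MAC removes its ACCEPT rules but does not kill connections that are already ESTABLISHED; they keep flowing until they close, so a logout is only fully enforced for new connections (conntrack-tools can flush the entries if that matters). Second, a MAC match is only as strong as the client's word about its own address: anyone on the same wireless segment who copies an authenticated client's MAC inherits the exemption, which is an inherent limit of MAC-keyed captive portals rather than of this script. The example also assumes, as the existing rules already do, that bridged frames are being passed to iptables on this box.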