iptables syntax

Ge64 · 08-19-2003, 02:27 AM

Hi folks !

My question is rather simple, for anyone who knows the answer, of course

In an iptables script, what separator can I use between two mac-adresses ?

I use iptables as a firewall to filter the requests depending on the source mac address, for example, I have the rules

iptables -A FORWARD -m state -state NEW -m mac -mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -A FORWARD -m state -state NEW -m mac -mac-source yy:yy:yy:yy:yy:yy -j ACCEPT
iptables -A FORWARD -m state -state NEW -m mac -mac-source zz:zz:zz:zz:zz:zz -j ACCEPT
and so on...

and I would like to use one single rule, to group all the MAC adds in only one line, such as

iptables -A FORWARD -m state -state NEW -m mac -mac-source xx:xx:xx:xx:xx:xx "sep" yy:yy:yy:yy:yy:yy "sep" zz:zz:zz:zz:zz:zz -j ACCEPT

where "sep" is the expected separator.

Thanks in advance !

Mathieu · 08-19-2003, 01:10 PM

You can try to use the comma (,)
However, according to the MAN page for iptables, you can only speficy one MAC per rule.

Tell me if I am wrong.

Bonne chance

Ge64 · 08-20-2003, 02:33 AM

Here is a solution :

Quote:

for mac in ${MAC_ADDRESSES}; do
iptables -A FORWARD -m state -state NEW -m mac --mac-source {mac} -j ACCEPT
done

I previously tried the comma, unsuccessfully. A separator may exist, but I still do not know about it.

A la prochaine !

Half_Elf · 08-20-2003, 10:56 PM

wow, nice rules really LOL

what's about just using 3 lines only for the three mac adress?

iptables will "jump" to the next line if the first one isn't matching.