Quote:
Originally Posted by hertzzmang
Hi,
I have IPTABLES set up on an internet gateway/firewall. It is all working, but I currently need to set up some sort of filtering so that not everyone gets access to the internet.
Currently, IPTABLES is set up to allow anyone behind eth0 on the local network to gain access to the net.
What I would like is to be able to add specific MAC addresses into my script and then have a default drop rule (so that if a MAC address isn't in the list, it will not be able to pass the FORWARD chain to get on the internet).
The only problem is that I have tried making custom chains etc. to get MAC filtering working, but I can't seem to work out the correct DROP policy I need to reject non-MAC-list clients. I'm not really sure of the order the rules need to go in (or even the exact rules to use, seeing as I have FORWARD rules which are set to ACCEPT).
All chains are set to DROP.
My FORWARD policies are:
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
Thanks in Advance!
Something like this could work:
Code:
# the MAC match sees the frame's source address, so it must be applied
# on the LAN-facing input interface ($INT_IF), not on traffic arriving from $EXT_IF
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
Or even:
Code:
# "! --mac-source addr" is the current negation syntax;
# "--mac-source ! addr" still works but is deprecated
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -m mac ! --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
to allow everything but this one address.
Or:
Code:
# this DROP must be appended before the general "-i $INT_IF -o $EXT_IF -j ACCEPT" rule,
# otherwise the ACCEPT matches first and the DROP is never reached
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -m mac ! --mac-source XX:XX:XX:XX:XX:XX -j DROP
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
to drop everything but that one MAC address.
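The single-address negation above does not scale to a list of several permitted clients, which is what the original post asks for. The script below is an added example, not code from either poster: it builds a user-defined chain (here named MACFILTER, an assumed name) that accepts whitelisted source MACs and drops everything else, then hangs that chain off FORWARD for LAN-to-internet traffic. It reuses the poster's variable names ($IPT, $INT_IF, $EXT_IF); the interface defaults, the MAC_ALLOW variable and the addresses in it are constructed placeholders. Each address is validated before use, because a malformed entry would make iptables abort partway through and leave the chain half-built.

```shell
#!/bin/sh
# Added example (not from the original thread): MAC whitelist for the
# FORWARD chain. Variable names follow the poster's script; the defaults
# and the addresses in MAC_ALLOW are constructed placeholders.
IPT="${IPT:-iptables}"
INT_IF="${INT_IF:-eth0}"        # LAN side (the poster's eth0)
EXT_IF="${EXT_IF:-eth1}"        # internet side (assumed name)
MAC_ALLOW="${MAC_ALLOW:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

# Accept only well-formed colon-separated MACs, case-insensitive.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the rules. The -m mac match inspects the source MAC of the frame
# as it arrives, so it is only meaningful on the interface where the
# client is directly attached ($INT_IF). Replies from the internet come
# back through the ESTABLISHED,RELATED rule and need no MAC rule.
build_mac_rules() {
    # user chain so the list can be rebuilt without flushing FORWARD
    $IPT -N MACFILTER 2>/dev/null
    $IPT -F MACFILTER
    for mac in $MAC_ALLOW; do
        if valid_mac "$mac"; then
            $IPT -A MACFILTER -m mac --mac-source "$mac" -j ACCEPT
        else
            echo "skipping malformed MAC: $mac" >&2
        fi
    done
    # anything reaching the end of MACFILTER is not on the list
    $IPT -A MACFILTER -j DROP

    # FORWARD: return traffic first, then LAN->internet via the whitelist
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j MACFILTER
}

# Run directly as root to install the rules; set IPT=echo to preview them.
[ "${0##*/}" = "macfilter.sh" ] && build_mac_rules
```

Run it with IPT=echo first to see the generated rules without touching the firewall. Two caveats a practitioner should keep in mind: the match only works on the L2 hop where the client is attached (frames that crossed another router carry that router's MAC, not the client's), and a source MAC is trivially changed by the client, so this is a convenience control, not an access control you can rely on against a motivated user.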