
Re: iptables by mac



On 6/14/06, Adorean Alexandru Raul <araul@adonet.ro> wrote:

iptables -t nat -A PREROUTING -i eth1 -s <ip> -p tcp -m mac
--mac-source ! <mac> -j DROP

This is my conf for restricting my users to the IPs I assign them... it
works just fine :)

Ah, yes! A reverse of this would be if you have an unauthorized system
on your network and you use DHCP, give them a static reservation to
give them the same IP every time and block them this way. If all you
are wanting to do is a MAC filter of "known good" MACs, you can just
leave out the source and protocol.

ex.

iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac1> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac2> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac3> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -j DROP

You are just allowing the ones you know, and if it gets to the bottom
of the list without finding a match, it drops the traffic. This can
lead to a lot of overhead if you have a lot of systems, but for a home
network with only a few hosts, it would work very well. If you wanted
to, you could match state and only filter the new connections to cut
down on the frequency of this check.

Regards,
Daniel
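As an added illustration, not part of the thread, the shell helper below generates the allow-list Daniel describes for a given interface and set of MACs, rejecting malformed addresses before any rule is emitted; it puts the rules in the filter table's FORWARD chain with a conntrack match on NEW connections, as suggested above, since the nat PREROUTING chain only ever sees the first packet of a connection anyway. The function name and the interface/MAC values are hypothetical placeholders.

```shell
#!/bin/sh
# Hypothetical helper (not from the original thread): print an iptables
# MAC allow-list for one interface. Only NEW connections are checked, so
# established flows are not re-matched packet by packet; everything that
# is not on the list and tries to start a connection is dropped.
# Usage: mac_whitelist_rules <iface> <mac> [<mac> ...]
mac_whitelist_rules() {
    iface=$1
    shift
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    for mac in "$@"; do
        # Accept only six colon-separated hex octets (case-insensitive).
        if ! printf '%s\n' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "invalid MAC address: $mac" >&2
            return 1
        fi
        printf 'iptables -t filter -A FORWARD -i %s -m conntrack --ctstate NEW -m mac --mac-source %s -j ACCEPT\n' "$iface" "$mac"
    done
    # Default deny for any other new connection arriving on this interface.
    printf 'iptables -t filter -A FORWARD -i %s -m conntrack --ctstate NEW -j DROP\n' "$iface"
}

# Constructed sample input: interface eth1 with two allowed hosts.
mac_whitelist_rules eth1 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff
```

The source MAC is simply whatever the sending host puts on the frame, so this is a convenience control for a small trusted LAN rather than a way to authenticate hosts.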


