On 6/14/06, Adorean Alexandru Raul <[EMAIL PROTECTED]> wrote:
> iptables -t nat -A PREROUTING -i eth1 -s <ip> -p tcp -m mac --mac-source ! <mac> -j DROP
>
> This is my conf for restricting my users to the IPs I assign them... it works just fine :)
Ah, yes! A reverse of this would be if you have an unauthorized system on your network and you use DHCP: give them a static reservation so they get the same IP every time, and block them this way.

If all you are wanting to do is a MAC filter of "known good" MACs, you can just leave out the source and protocol. ex.

iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac1> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac2> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -m mac --mac-source <mac3> -j ACCEPT
iptables -t nat -A PREROUTING -i eth# -j DROP

You are just allowing the ones you know, and if it gets to the bottom of the list without finding a match, it drops the traffic. This can lead to a lot of overhead if you have a lot of systems, but for a home network with only a few hosts, it would work very well. If you wanted to, you could match state and only filter the new connections to cut down on the frequency of this check.

Regards,
Daniel
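The allowlist Daniel describes, written up as an added example (this is not code from the thread or from either poster): a POSIX shell script that validates each MAC and prints the rule set rather than running it, so it can be reviewed before being piped to sh on a router where iptables and root are available. Two choices differ from the thread and are assumptions of this example: the rules go in the filter table's FORWARD and INPUT chains instead of nat/PREROUTING, because the nat table is consulted only for the first packet of a connection, and the "match state, only check new connections" idea from the reply is implemented with the conntrack match. The interface name and the sample MAC addresses in the usage comment are constructed; the chain name MAC_ALLOW is arbitrary.

```shell
#!/bin/sh
# Added example: print an iptables MAC allowlist for one LAN interface.
# Assumptions: filter table (FORWARD + INPUT), conntrack available, and a
# dedicated chain named MAC_ALLOW. Nothing is executed by this script.

# Validate a MAC address of the form aa:bb:cc:dd:ee:ff (case-insensitive).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_mac_allowlist IFACE MAC...
# Prints the rules to stdout; returns 1 (and prints nothing) on a bad MAC.
gen_mac_allowlist() {
    iface=$1; shift
    [ $# -gt 0 ] || { echo "no MACs given" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done

    # A separate chain keeps the allowlist apart from other FORWARD/INPUT rules
    # and lets it be flushed and rebuilt on its own.
    echo "iptables -N MAC_ALLOW 2>/dev/null || iptables -F MAC_ALLOW"

    # Known-good MACs RETURN to the calling chain; everything else falls
    # through to the log-and-drop at the bottom, as in the reply above.
    for mac in "$@"; do
        echo "iptables -A MAC_ALLOW -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A MAC_ALLOW -j LOG --log-prefix 'MAC_ALLOW drop: '"
    echo "iptables -A MAC_ALLOW -j DROP"

    # Only NEW connections arriving on the LAN interface are checked, so the
    # MAC match is evaluated once per connection, not once per packet.
    echo "iptables -I FORWARD -i $iface -m conntrack --ctstate NEW -j MAC_ALLOW"
    echo "iptables -I INPUT -i $iface -m conntrack --ctstate NEW -j MAC_ALLOW"
}

# Usage with constructed sample MACs (review the output, then pipe it to sh):
# gen_mac_allowlist eth1 00:11:22:33:44:55 66:77:88:99:aa:bb
```

The LOG rule before the final DROP is what makes the allowlist useful for detection as well as blocking: a rejected host shows up in the kernel log with the MAC_ALLOW prefix instead of silently vanishing. MAC addresses are trivially changed on the client side, so this controls which of your own machines can talk through the router; it is not a substitute for authentication.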

