Hi all,

I've a CentOS box which has two NICs; this box is also a router for the LAN subnet:

  ------------------------------------
  | eth0 (external) 172.0.0.1        |
  | eth1 (internal) 192.168.1.1      |
  ------------------------------------
                   |
         LAN clients (192.168.1.2+)

I want to allow http access only for two LAN boxes; and only http access, which means that other protocols such as smtp, pop3, imap and so on will be permitted. The rest of the LAN boxes will be redirected to a local http service (192.168.1.1:80).

I think the best way is creating iptables rules based on MAC address. So, the rules I've made are:

  iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

  iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

Please note the exclamation symbol, which means a logical negation.

But it seems it doesn't work correctly: all the LAN clients can surf the web. ?????
On Mon, Jun 25, 2007 at 06:20:04PM +0200, Jordi Espasa Clofent wrote:
> Hi all,
>
> I've a CentOS box which has two NICs; this box is also a router for the LAN
> subnet:
>
>   ------------------------------------
>   | eth0 (external) 172.0.0.1        |
                      ^^^^^^^^^ this is a very bad example
>   | eth1 (internal) 192.168.1.1      |
>   ------------------------------------
>                    |
>          LAN clients (192.168.1.2+)
>
> I want to allow http access only for two LAN boxes; and only http access,
> which means that other protocols such as smtp, pop3, imap and so on will be
> permitted. The rest of the LAN boxes will be redirected to a local http service
> (192.168.1.1:80).
>
> I think the best way is creating iptables rules based on MAC address.

Why MAC and not IP addresses?

> So, the rules I've made are:
>
>   iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source !
>   xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
>
>   iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source !
>   xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
>
> Please note the exclamation symbol, which means a logical negation.

Yes, but ORing the two, all clients should have gone to the local http service.

The best thing, in this case, is to use chains:

  iptables -t nat -N twoboxen
  iptables -t nat -N others

  iptables -t nat -A PREROUTING -m mac --mac-source aaaaaaaaaa -j twoboxen
  iptables -t nat -A PREROUTING -m mac --mac-source bbbbbbbbbb -j twoboxen
  iptables -t nat -A PREROUTING -j others

  iptables -t nat -A twoboxen -j ACCEPT
  iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

-- 
lfr
0/0
>                   ^^^^^^^^^ this is a very bad example

It's an understandable example, so it's enough.

> Why MAC and not IP addresses?

IP addresses are very easy to change. The idea is that only two concrete boxes in a concrete location can surf the web freely.

> Yes, but ORing the two, all clients should have gone to the local http
> service.
>
> The best thing, in this case, is to use chains:
>
>   iptables -t nat -N twoboxen
>   iptables -t nat -N others
>
>   iptables -t nat -A PREROUTING -m mac --mac-source aaaaaaaaaa -j twoboxen
>   iptables -t nat -A PREROUTING -m mac --mac-source bbbbbbbbbb -j twoboxen
>   iptables -t nat -A PREROUTING -j others
>
>   iptables -t nat -A twoboxen -j ACCEPT
>   iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

I think this is a "large" solution. Two iptables code lines should be enough. I've modified the lines:

  iptables -t nat -A OUTPUT -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

  iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

Of course, thank you for your help and comments Luciano. ;)
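The two-rule approach from the first and last message and the chain layout from the reply differ only in how the rule list is evaluated, so the point is easiest to see by walking sample packets through a small model of the nat PREROUTING chain. This is an added example, not code from the thread; the MAC addresses and the `walk`/`verdicts` helpers are constructed stand-ins.

```python
# Added example: a small model of how netfilter walks the nat PREROUTING chain.
# MAC addresses are constructed placeholders, not the thread's real boxes.
from dataclasses import dataclass
from typing import Optional

ALLOWED = ("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb")  # the two permitted boxes

@dataclass
class Rule:
    target: str                    # DNAT, REDIRECT, ACCEPT or a user-chain name
    dport: Optional[int] = None    # tcp --dport, None = any port
    mac: Optional[str] = None      # -m mac --mac-source value
    negate_mac: bool = False       # the "!" in front of --mac-source

    def matches(self, pkt):
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.mac is not None and (pkt["mac"] == self.mac) == self.negate_mac:
            return False           # "!" inverts the MAC comparison
        return True

def walk(chains, name, pkt):
    """Return the first terminating target, or None if the chain falls through."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in chains:              # -j <user chain>
            verdict = walk(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
            continue                           # fell off the user chain
        return rule.target
    return None

# Original posting: two rules that each negate ONE MAC. A packet from box A fails
# rule 1 but matches rule 2, so every client, allowed or not, is DNATed.
ORIGINAL = {"PREROUTING": [Rule("DNAT", 80, ALLOWED[0], True),
                           Rule("DNAT", 80, ALLOWED[1], True)]}

# Reply's layout: the two boxes jump to a chain that ACCEPTs; everyone else goes
# to a chain that REDIRECTs port 80 only, leaving smtp/pop3/imap untouched.
CHAINED = {
    "PREROUTING": [Rule("twoboxen", mac=ALLOWED[0]),
                   Rule("twoboxen", mac=ALLOWED[1]),
                   Rule("others")],
    "twoboxen": [Rule("ACCEPT")],
    "others": [Rule("REDIRECT", dport=80)],
}

def verdicts(chains, macs, dport=80):
    return {m: walk(chains, "PREROUTING", {"mac": m, "dport": dport}) for m in macs}
```

Running `verdicts(ORIGINAL, ALLOWED)` shows both permitted boxes hitting DNAT, which is the OR effect the reply describes; `verdicts(CHAINED, ...)` gives ACCEPT for the two boxes and REDIRECT for everyone else on port 80 only.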