Various Iptables Tricks

> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -t nat -P PREROUTING DROP
> # Box 1
> iptables -t nat -A PREROUTING -m mac –mac-source 00:50:da:e3:f3:45 -j
> ACCEPT
> # Box 2
> iptables -t nat -A PREROUTING -m mac –mac-source 00:d0:b7:18:0f:f5 -j
> ACCEPT
>
> Now this works as expected, all packets from the two MAC addresses above are
> masq’ed and routed, anything from any other MAC address is DROP’ed.

mmh… but it is a bit unclean to drop packets in the nat table. You want
to filter packets, so use the filter table. Why? Because it is
– unclean
– only the first packet of each connection hits the nat table.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t filter -N restr
iptables -t filter -A restr -p tcp –dport 25 -j DROP

iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m mac –mac-source 00:50:da:e3:f3:45 -j ACCEPT
iptables -t filter -A FORWARD -m mac –mac-source 00:d0:b7:18:0f:f5 -j restr

More…

iptables -P INPUT DROP
iptables -A INPUT -m mac –mac-source 00:14:BF:7A:4D:2D -j ACCEPT
iptables -A INPUT -m mac –mac-source 00:18:DE:A5:00:41 -j ACCEPT