What you are proposing would be a nightmare to develop. Since you say you can't change any client configuration, you run into a ton of issues. Many of these have nothing to do with iptables directly.

1. Since the client (some at least) will already be configured with an IP address and default gateway, the client will not know how to send packets to your iptables box. Your box won't even look at the packets from this machine as they are not destined for it. You would have to have your iptables box ARP for EVERY default gateway used by every client.

2. Additionally, you would have to add a routing entry for each client that wants to access the network. You cannot use a default / blanket route statement as you could have ANY IP address on your network.

3. You would conceivably run into multiple machines with the same IP address. There would be no way to determine which machine was supposed to accept which packets. This is more at the kernel level, where it associates the IP address with a single MAC address.

4. You would have to know the client configuration before you start. You would have to enter that information into the firewall before they can connect. OR... you'd have to snoop the interface and look for strange packets, then process those packets and insert proper entries into the firewall configuration.

Theoretically, it would be possible to do. You would have the issues I outlined above. It's possible, just not a good idea IMHO.

My question: why can't you use DHCP? It is a simple protocol to implement and most machines support it. I have seen many hotels, conference centers, 802.11 networks, etc. that require you to change minor configuration settings.

----- Original Message -----
From: "Eduardo GARCIA" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 5:47 AM
Subject: RE: can iptables do this?

> OK, I'll try to explain it better (sorry, but my English is poor :(( )
>
> > Hi,
> > I want to build a network that allows HTTP navigation to any host that is
> > plugged into it, without any change to its configuration. This can be useful, for
> > example, in a hotel, where they want to provide web navigation to their
> > customers without the need to change any configuration, just plug & web.
>
> >> Me neither, what are you aiming at, security tied down to the
> >> mac address?
>
> I'm not thinking about security, just about providing connection.
>
> For example, my network is 1.2.3.0 and I want a host with an IP from any
> unknown network (i.e. 10.9.8.7) to be able to navigate.
>
> First of all, the host will send ARP requests to find the MAC of its DNS
> server; nobody will send a response because it's looking for a host in another
> network, but I'll have to redirect it to my DNS in order to allow navigation.
> Then it will look for its default gateway, etc. (I can't work with mobile IP,
> BOOTP, DHCP, RARP, nor change any host configuration).
>
> Not every host is allowed to do this, only hosts with known MACs (only customers
> in my hotel).
>
> Has anybody implemented a solution for a similar challenge? Any idea?
>
> Thank you in advance.
>
> >> Otherwise, I don't see how it is useful since for the MAC address to have
> >> any meaning, it's gotta be a neighbor w.r.t. OSI layer 1
> >> (I think it's layer 1 anyhoo).
>
> Their MAC address is the only information I have; I prefer to work with IP :(
>
> >> In any case, there is in fact a mac iptables target:
> >>
> >>   mac
> >>     --mac-source [!] address
> >>       Match source MAC address. It must be of the form
> >>       XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering
> >>       the PREROUTING, FORWARD or INPUT chains for packets coming from an
> >>       ethernet device.
> >>
> >> Which can be the predicate for some applicable rule.
>
> But the problem is: how can I forward and mangle an ARP request??
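As an added illustration of the `mac` match quoted in the thread (this is example code, not something either poster wrote), the script below turns a list of known customer MACs into a FORWARD-chain allowlist: known MACs fall through to the rest of the ruleset, anything else on the guest interface is dropped. It validates the `XX:XX:XX:XX:XX:XX` form the match requires and emits the `iptables` commands as text rather than running them, so it can be exercised without root. The interface name `eth1`, the chain name `GUEST_MACS` and the sample MAC list are all assumptions constructed for the example. It addresses only the "which hosts may pass" predicate; the ARP and routing problems the reply lists above are not solved by this rule set.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables MAC allowlist
# for a guest-facing interface. Assumed interface name; override with LAN_IF.
LAN_IF="${LAN_IF:-eth1}"

# True if $1 is in the XX:XX:XX:XX:XX:XX form the mac match accepts.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read a newline-separated MAC list on stdin and print the iptables commands.
# Known MACs RETURN to the caller (so the rest of FORWARD still applies);
# everything else entering from $LAN_IF is dropped by the last rule in the chain.
mac_allow_rules() {
  echo "iptables -N GUEST_MACS 2>/dev/null || iptables -F GUEST_MACS"
  while IFS= read -r mac; do
    case "$mac" in ''|'#'*) continue ;; esac   # skip blanks and comments
    if ! valid_mac "$mac"; then
      echo "# skipped malformed entry: $mac" >&2
      continue
    fi
    echo "iptables -A GUEST_MACS -m mac --mac-source $mac -j RETURN"
  done
  echo "iptables -A GUEST_MACS -j DROP"
  echo "iptables -I FORWARD -i $LAN_IF -j GUEST_MACS"
}

# Number of per-MAC allow rules produced for the list on stdin.
count_allow_rules() {
  mac_allow_rules 2>/dev/null | grep -c -- '--mac-source'
}

# Constructed sample list: two valid customer MACs, one malformed line, comments.
SAMPLE_MACS='# customer, room 101
00:11:22:33:44:55
# malformed on purpose, should be skipped
00:11:22:33:44
AA:BB:CC:DD:EE:FF'

# Usage: sh mac_allowlist.sh --demo      (prints the commands; pipe to sh on the gateway to apply)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_MACS" | mac_allow_rules
fi
```

`RETURN` rather than `ACCEPT` is deliberate: it lets the normal FORWARD policy (HTTP-only filtering, logging, and so on) still apply to known customers, while the allowlist chain only answers the question of who is a customer at all. Because a MAC is trivially set by the client, this is a convenience gate, not an authentication boundary, which matches the original poster's remark that security is not the goal.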
