Hi,
I recommend you to use the following script:
#!/bin/sh
# Deleting all existing rules in all chains
# and theleting user created chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X
# Setting the default policy to DROP, so those packets which are not
# ACCEPT-ed are dropped at the end
iptables -P FORWARD DROP
# Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allowing outgoing packets from specific users with correct mac
# addresses.
# Add same line for each client with proper ip and mac addresses
iptables -A FORWARD -s 192.168.10.2 -m mac --mac-source\
00:11:22:33:44:55 -j ACCEPT
# Allowing all incomming packets which belongs to a clients
# connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
---
You should consider the INPUT and OUTPUT chains on your router, and to
set them proper rules regarding your needs.
Also you'll need connection tracking support from the kernel.
The 'ip_conntrack' and similar modules will be useful if you don't have
connection tracking support compilled into the kernel itself.
I hope this will help!!!
Regards: Ilia Lindov
Sorin Capra wrote:
Hello guys
I don't know if this thing has been posted before (if it was , please
forgive me).
I have 7 computers at home and I want all of them to have access to the
internet. In order to do that , I set up a linux router (2 network
cards) as a usual router (eth0 : 82.77.69.75 - internet connection ;
eth1 : 192.168.10.1 - local network) . The other computers have ips
ranging from 192.168.10.2 to 192.168.10.8 . The linux router masquerades
the other computers. The problem I have is that I want to do the
masquerading based on mac AND the ip not only on the ip (so if I change
the ip on a computer and use another ip from another computer which is
down , the masquerading process shouldn't work)
What I came up with is this :
-
#!/bin/sh
ipt="/usr/sbin/iptables"
$ipt -F
$ipt -F -t nat
$ipt -t filter -N computer1 >/dev/null 2>&1
$ipt -t filter -N computer2 >/dev/null 2>&1
$ipt -t filter -N computer3 >/dev/null 2>&1
$ipt -t filter -N computer4 >/dev/null 2>&1
$ipt -t filter -N computer5 >/dev/null 2>&1
$ipt -A FORWARD -s 192.168.10.2 -j computer1
$ipt -A FORWARD -s 192.168.10.3 -j computer2
$ipt -A FORWARD -s 192.168.10.4 -j computer3
$ipt -A FORWARD -s 192.168.10.5 -j computer4
$ipt -A FORWARD -s 192.168.10.6 -j computer5
$ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
#$ipt -P FORWARD DROP
If I uncomment the last line ("#$ipt -P FORWARD DROP") the router
won't forward any packets. What am I doing wrong ?
Thank
you in advance,
Sorin
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
