Commit ad86332b authored by Branko Mikić's avatar Branko Mikić

~ FORWARD_MAC_FILTER implemented which filters by mac address in the FORWARD chain. That was a quick 1-min hack session.
parent ec69f852
......@@ -308,6 +308,14 @@ FORWARD_SUBNET_PROTECTIVE to allow a subnet to reach the outgoing WAN link
or FORWARD_SUBNET when subnets should be masqueraded internally which is
an unusual setup but nevertheless possible.
Filters any traffic with the desired mac address on the FORWARD chain may it be either in- or outbound traffic. This suppresses any routing of the specified host through the router.
eg: FORWARD_MAC_FILTER 00:de:ea:be:ef:00
This is useful for isolating a specific host behind a firewall where any traffic between the host with the given mac to the outer world must be prevented while traffic in the local network is still possible.
Allows a DHCP client request (Ports 67, 68 (IPv4) & 546, 547 (IPv6)) to pass on the desired link only. Is some cases this is necessary before calling ALLOW_SUBNET as that would require a fully configured IP address.
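Review bot: the new FORWARD_MAC_FILTER paragraph claims the filter catches the host's traffic "either in- or outbound", but the script hunk in this commit implements it with `-m mac --mac-source`, and the iptables mac match has no destination-MAC option, so only frames the host itself sends are dropped; frames addressed to the host (for example unsolicited inbound traffic from the WAN side) are still forwarded. Either reword the paragraph to say that only traffic originating from the given MAC is dropped (which still breaks the host's sessions, since nothing it sends gets out), or state that blocking the return direction needs an IP-based rule. It would also help to say that the MAC is only visible to the router when the host sits on a directly attached Ethernet segment, so a host behind another router or a tunnel cannot be matched this way. Minor, in the trailing context line of this hunk: "Is some cases" should read "In some cases".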
......@@ -839,6 +839,16 @@ formatSubnetAsHexID() {
shift; shift
printf "# filtering '%s' MAC address in FORWARD chain.\n" $1 $DEV $2 $sz
ID=$(printf "FORWARD_MAC_FILTER %s" ${1//:/})
deleteRules FORWARD "$ID"
$IPTABLES -I FORWARD 1 -m mac --mac-source $1 -j DROP -m comment --comment "$ID"
#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 80 -d YOUR_INTERNAL_HOST -j ACCEPT
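Review bot: the printf on the third line of this hunk passes four arguments (`$1 $DEV $2 $sz`) to a format string with a single `%s`, so bash reuses the format and prints the heading four times, once per argument; it should be `printf "# filtering '%s' MAC address in FORWARD chain.\n" "$1"`. The MAC argument is also used without any validation: an empty or malformed `$1` makes `$IPTABLES -I FORWARD 1 -m mac --mac-source $1 -j DROP -m comment --comment "$ID"` fail after `deleteRules FORWARD "$ID"` has already removed the previous rule, leaving the host unfiltered. Add an argument check in the style of the DEBUG_CHAIN one, e.g. `[[ $1 =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || error <code> "FORWARD_MAC_FILTER expects a MAC address argument."` (error code to be chosen), and quote `"$1"` in the iptables call. Inserting at position 1 is right, since the DROP has to sit ahead of any ESTABLISHED,RELATED accept rule, but note that `--mac-source` only matches frames sent by the host, not frames addressed to it, so the documentation's "in- or outbound" wording does not match the rule. The commented-out `#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 80 -d YOUR_INTERNAL_HOST -j ACCEPT` line is dead code and should be removed rather than committed.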
......@@ -873,6 +883,7 @@ formatSubnetAsHexID() {
unset ID;
$IPTABLES -nvL $1 1>/dev/nul 2>/dev/nul
(( $? != 0 )) && error 83 "DEBUG_CHAIN expects a chain name argument. A chain called '$1' was not found."
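Review bot: the existence check directly under the new `unset ID;` redirects both streams to `/dev/nul` instead of `/dev/null`. Because this script runs as root (iptables requires it), the redirection silently creates a regular file `/dev/nul` and writes the chain listing into it instead of discarding it. Change it to `$IPTABLES -nvL "$1" >/dev/null 2>&1`, quoting `"$1"` as well, and consider testing the status directly, `if ! $IPTABLES -nvL "$1" >/dev/null 2>&1; then error 83 "DEBUG_CHAIN expects a chain name argument. A chain called '$1' was not found."; fi`, instead of reading `$?` on the following line, which is easy to break if another statement is ever inserted between the two.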