~ FORWARD_MAC_FILTER implemented which filters by mac address in the FORWARD...

~ FORWARD_MAC_FILTER implemented which filters by mac address in the FORWARD chain. That was a quick 1-min hack session.

ipturntables.8

@@ -308,6 +308,14 @@ FORWARD_SUBNET_PROTECTIVE to allow a subnet to reach the outgoing WAN link
 or FORWARD_SUBNET when subnets should be masqueraded internally which is
 an unusual setup but nevertheless possible.
 
+.SS FORWARD_MAC_FILTER \fRmac address
+
+Filters any traffic with the desired mac address on the FORWARD chain may it be either in- or outbound traffic. This suppresses any routing of the specified host through the router.
+.P
+eg: FORWARD_MAC_FILTER 00:de:ea:be:ef:00
+.P
+This is useful for isolating a specific host behind a firewall where any traffic between the host with the given mac to the outer world must be prevented while traffic in the local network is still possible.
+
 .SS ALLOW_DHCP_CLIENT \fRlink
 
 Allows a DHCP client request (Ports 67, 68 (IPv4) & 546, 547 (IPv6)) to pass on the desired link only. Is some cases this is necessary before calling ALLOW_SUBNET as that would require a fully configured IP address.

ipturntables.sh

@@ -839,6 +839,16 @@ formatSubnetAsHexID() {
 				shift; shift
 				;;
 
+			FORWARD_MAC_FILTER)
+				printf "# filtering '%s' MAC address in FORWARD chain.\n" $1 $DEV $2 $sz
+
+				ID=$(printf "FORWARD_MAC_FILTER %s" ${1//:/})
+				deleteRules FORWARD "$ID"
+
+				$IPTABLES -I FORWARD 1 -m mac --mac-source $1 -j DROP -m comment --comment "$ID"
+				shift
+				;;
+
 			FORWARD_PORT_FORWARDING)
 				#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 80 -d YOUR_INTERNAL_HOST -j ACCEPT
 				;;
@@ -873,6 +883,7 @@ formatSubnetAsHexID() {
 				unset ID;
 				;;
 
+
 			DEBUG_CHAIN)
 				$IPTABLES -nvL $1 1>/dev/nul 2>/dev/nul
 				(( $? != 0 )) && error 83 "DEBUG_CHAIN expects a chain name argument. A chain called '$1' was not found."