
Thread: Iptables rules – Access by MAC and redirect

  1. #1
    Tom Tom
    Guest

    Iptables rules – Access by MAC and redirect

    Hello

    I am new here and i want to say Hi to Everybody!

    And I have a question. I want to write Linux firewall iptables rules.
    I want to block internet access for all users and allow it by MAC
    address. Oh, and when someone isn't on the access list, to redirect him to
    a web page with information.

    I start writing rules:

    # enable forwarding between interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # flush rules first, then delete the (now empty) user-defined chains
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP

    # masquerade the LAN behind the gateway's address
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

    # replies to already-allowed flows first, then the MAC allow list;
    # everything else falls through to the FORWARD DROP policy
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m mac --mac-source 00:1F:D0:0D:4A:5A -j ACCEPT

    but I don't know how to redirect blocked users to a web page with
    information.

    All the best
    TomTom

  2. #2
    D. Stussy
    Guest

    Re: Iptables rules – Access by MAC and redirect

    "Tom Tom" <tomtomlx13@gmail.com> wrote in message
    news:bcfd6817-b28e-4c7b-a499-afb4ba55724c@u7g2000yqm.googlegroups.com...
    >but I don’t know how to redirect blocked users to web page
    >information.


    That's because one can't do that with iptables alone. The web server has
    to be able to determine what it will allow and not. MAC addresses
    typically aren't available, so you'll also need an external script run by
    the server.



  3. #3
    Loki Harfagr
    Guest

    Re: Iptables rules – Access by MAC and redirect

    Mon, 11 Jan 2010 13:00:22 -0800, D. Stussy did cat:

    > "Tom Tom" <tomtomlx13@gmail.com> wrote in message
    > news:bcfd6817-b28e-4c7b-a499-afb4ba55724c@u7g2000yqm.googlegroups.com...
    >>but I don't know how to redirect blocked users to web page information.

    >
    > That's because one can't do that with iptables alone. The web server
    > has to be able to determine what it will allow and not. MAC addresses
    > typically aren't available, so you'll also need an external script run
    > by the server.


    Though there could be a quite intricate way to do it based on
    -j DNAT --to $VIRTDOMIP:$VIRTDOMPORT with masquerade and redir rules,
    and have a virtual domain that'd only play the blockade info pages.
    But I'd really recommend avoiding this stuff and doing it in the
    application layer :-)
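As an added example (not code from either poster), the following script implements the DNAT approach sketched above: allow-listed MACs are forwarded normally, while outbound HTTP from every other LAN client is rewritten in nat/PREROUTING to a web server on the gateway that serves the block page. The interface names (eth0/eth1), the gateway address 192.168.2.1, the portal port 8080 and the second MAC address are assumptions for illustration; only the 192.168.2.0/24 network and the first MAC come from the original post. With no argument the script only prints the rules it would apply; `apply` runs them for real.

```shell
#!/bin/sh
# Added example: MAC allow-list gateway with a captive-portal style redirect.
# Clients whose MAC is on the list are forwarded to the internet; everyone
# else has outbound HTTP (port 80) DNATed to a local web server that serves
# the "you are blocked" page. Interface names, gateway IP, portal port and
# the second MAC below are assumptions, not values from the thread.
set -eu

DRY_RUN="${DRY_RUN:-1}"               # 1: print the rules, 0: really apply them
LAN_IF="${LAN_IF:-eth1}"              # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth0}"              # assumed uplink interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # LAN from the original post
GW_IP="${GW_IP:-192.168.2.1}"         # assumed gateway address on the LAN
PORTAL_PORT="${PORTAL_PORT:-8080}"    # assumed port of the block-page web server

# Constructed sample allow-list, one MAC per line.
ALLOWED_MACS="00:1F:D0:0D:4A:5A
00:1F:D0:0D:4A:5B"

# Run or print one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean slate: flush rules first, then delete the (now empty) user chains.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -P INPUT ACCEPT
    ipt -P FORWARD DROP                 # anything not explicitly allowed is dropped

    # Masquerade LAN traffic that leaves on the uplink.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # nat/PREROUTING: HTTP from the LAN enters a "portal" chain. Allow-listed
    # MACs RETURN untouched; everyone else is DNATed to the block page.
    # The mac match is only valid in PREROUTING, INPUT and FORWARD, so this is
    # the earliest point at which the source MAC can be inspected.
    ipt -t nat -N portal
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j portal
    for mac in $ALLOWED_MACS; do
        ipt -t nat -A portal -m mac --mac-source "$mac" -j RETURN
    done
    ipt -t nat -A portal -j DNAT --to-destination "$GW_IP:$PORTAL_PORT"

    # filter/FORWARD: replies to existing flows, then the allow-listed MACs.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for mac in $ALLOWED_MACS; do
        ipt -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    done
    # Unlisted clients fall through to the FORWARD DROP policy. Their port-80
    # connections never reach FORWARD at all: DNAT pointed them at the gateway
    # itself, so they are handled by INPUT (policy ACCEPT here).
}

case "${1:-show}" in
    show)  build_rules ;;                              # dry run: print the rules
    apply) DRY_RUN=0
           echo 1 > /proc/sys/net/ipv4/ip_forward
           build_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Three caveats a practitioner should keep in mind. Only plain HTTP can be redirected this way: a DNATed HTTPS connection fails the certificate check in the browser, so it cannot show a page. The DNAT does not touch DNS, so the redirected browser still sends the original hostname in its Host header, which is why the web server on the portal port has to answer for any name (the "virtual domain" mentioned in the reply). And a MAC allow-list only identifies hosts on the same Ethernet segment and is trivially spoofed, so it is a convenience control, not an authentication mechanism.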
