-1

Ok, I'm working with an OpenWRT router. I have the following iptable rules:

iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 80 -j DNAT --to-destination $3:80;
iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 443 -j DNAT --to-destination $3:80;

These rules effectively redirect traffic on ports 80 and 443 to a specific destination ip address for a specific requesting MAC address. I'd like to add another rule (or set of rules if necessary) that will drop traffic on all other ports for this specific MAC without breaking these 2 rules.

My version of iptables is: v1.4.10

Any pointers would be greatly appreciated!

EV

exvance
  • 1,339
  • 4
  • 13
  • 31

1 Answers1

0
iptables -t nat -A prerouting_rule -m mac --mac-source $2 -j DROP

generally: use -A instead -I, append is more "human"

edit:

you should filter out pacakages in the filter tables ;)

iptables -A FORWARD -m mac --mac-source $2 --dport 80 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 --dport 443 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 -j DROP

i forgot that not all tables can do anything...

Zoltán Haindrich
  • 1,788
  • 11
  • 20
  • When I tried adding this rule I got this output: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. – exvance Jul 20 '13 at 06:33
  • Does it matter what order my rules are created? – exvance Jul 20 '13 at 12:40
  • When I try to enter these rules I get this: iptables v1.4.10: unknown option `--dport'. Is the --dport option only available with the prerouting_rule table? – exvance Jul 20 '13 at 12:55
  • It seems like it wants the -p protocol to be specified. But I want the rule to apply to all protocols. – exvance Jul 20 '13 at 13:13
  • Ah, ok, adding "-p tcp" to the 2 accept rules allows me to enter these rules. However, I don't think it did what I wanted it to do. :-( After adding those I was still able to ssh and ftp from the mac specified. I had hoped that DROP would prevent me from doing anything over the internet. Did I misunderstand what DROP would do? – exvance Jul 20 '13 at 13:23