Allowing access only some sites - only some mac address

Derick Anderson danderson at vikus.com
Tue Aug 30 16:44:14 CEST 2005



> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org 
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of 
> Jiann-Ming Su
> Sent: Tuesday, August 30, 2005 9:50 AM
> To: netfilter at lists.netfilter.org
> Subject: Re: Allowing access only some sites - only some mac address
> 
> On 8/29/05, Sebastião Antônio Campos (GWA) 
> <sa.campos at datasulsp.com.br>
> wrote:
> > 
> > Dears,
> > 
> > I'd like to allow access only to some sites by some mac address.
> > 
> > For example:
> > 
> > I have a list of the mac addresses 00:0c:6E:11:E8:B0, 00:D8:02:D8:C8:DF,
> > 00:E7:05:C9:07:EA............ and I'd like that only these mac
> > addresses could access only the following IPs: 200.221.2.128,
> > 200.221.2.129, 200.221.2.130, 200.221.2.131, 200.205.144.75,
> > 200.205.144.76. But the other mac addresses could access everything.
> 
> 
> 
> IIRC, MAC addresses (layer 2) do not go beyond the router 
> (layer 3). I think you can only do what you are proposing if 
> all your boxes are behind the same broadcast domain.
> 
> --
> Jiann-Ming Su
> "I have to decide between two equally frightening options. 
> If I wanted to do that, I'd vote." --Duckman
> 

That is correct. When a packet passes through a router, it comes out the other side with the router's MAC, not the original computer's MAC. I imagine there's an RFC that goes along with this but I discovered it using MAC filtering on an iptables firewall about a year ago.

Derick Anderson
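The following is an added example, not code from anyone in the thread. It builds the rule set the original poster asked for (the listed MACs may only reach the listed IPs, every other host is unrestricted) and adds the check the replies above imply: the firewall must be the restricted hosts' first-hop router, because `--mac-source` matches the source MAC of the frame as it arrives, and a host behind another router arrives with that router's MAC. The MAC and IP lists are the ones from the original post (MACs lowercased); the chain name MACLIMIT, the interface name eth0 and the sample neighbour table are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables rules for:
#   - restricted MACs may reach only ALLOWED_IPS, everything else is refused
#   - all other MACs are untouched by these rules
# Assumption: this box is the first-hop router for the restricted hosts,
# so their frames reach FORWARD with their real source MAC.

RESTRICTED_MACS="00:0c:6e:11:e8:b0 00:d8:02:d8:c8:df 00:e7:05:c9:07:ea"
ALLOWED_IPS="200.221.2.128 200.221.2.129 200.221.2.130 200.221.2.131 200.205.144.75 200.205.144.76"
LAN_IF="eth0"      # assumption: interface facing the restricted hosts
CHAIN="MACLIMIT"   # assumption: name of the per-MAC restriction chain

# Emit the rules as shell lines rather than running iptables directly, so
# they can be reviewed first.  Usage:  gen_rules | sh   (as root)
gen_rules() {
    echo "iptables -N $CHAIN"
    # Allowed destinations RETURN to FORWARD, so the packet is then subject
    # to whatever the rest of the FORWARD chain permits for everyone.
    for ip in $ALLOWED_IPS; do
        echo "iptables -A $CHAIN -d $ip -j RETURN"
    done
    # Anything else from a restricted host is refused.
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited"
    # Steer each restricted MAC into the chain.  -I puts the jump at the top
    # of FORWARD so a generic ACCEPT further down cannot bypass it.  Frames
    # from other MACs never enter $CHAIN.  Reply traffic arrives from the
    # upstream side with the upstream router's MAC, so it is not affected.
    for mac in $RESTRICTED_MACS; do
        echo "iptables -I FORWARD 1 -i $LAN_IF -m mac --mac-source $mac -j $CHAIN"
    done
}

# Constructed sample of `ip neigh show dev eth0` output (not real data),
# standing in for the live table when testing offline.
SAMPLE_NEIGH="192.168.1.10 lladdr 00:0c:6e:11:e8:b0 REACHABLE
192.168.1.11 lladdr 00:d8:02:d8:c8:df STALE
192.168.1.1 lladdr 00:11:22:33:44:55 REACHABLE"

# Print the restricted MACs that do NOT appear in a neighbour table.
# A missing MAC is either a host with no ARP entry yet or a host behind
# another router; in the second case its frames carry that router's MAC
# and --mac-source can never match it, so the rule above would be useless.
# Live use:  missing_macs "$(ip neigh show dev "$LAN_IF")"
missing_macs() {
    neigh="$1"
    for mac in $RESTRICTED_MACS; do
        printf '%s\n' "$neigh" | grep -qi "lladdr $mac" || echo "$mac"
    done
}
```

Run `missing_macs` against the live neighbour table before loading the rules; any MAC it prints belongs to a host that is not on the directly attached segment and needs the restriction applied on its own first-hop router instead.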


