Iptables – Redirect except list MAC Address

iptablesnetworkingrouter

I'm using iptables on my router to redirect all web traffic to my page.

But i don't know how to except my mac address list.

I did command like this

iptables -t nat -A PREROUTING -m mac ! --mac-source xx-xx-xx-xx-xx-xx -p tcp --dport 80  -j DNAT --to 127.0.0.1:8080 (Host A)
iptables -t nat -A PREROUTING -m mac ! --mac-source xx-xx-xx-xx-xx-xx -p tcp --dport 80  -j DNAT --to 127.0.0.1:8080 (Host B)

But it just execute command for host A. It means Host A can access web normally but Host B still got redirect.

How can i got access normally for both mac address?

Best Answer

Your are getting this problem as your are using !. Say, one request comes and if mac address of coming host in that is other than mac address of host A, it will be redirected. And hence it is also being redirected for host B. And your second rule will never be executed.

So the solution for, how to except my mac address list?

Jump to one custom chain

iptables -t nat -N accept_my_mac_set
iptables -t nat -A PREROUTING -j accept_my_mac_set
iptables -t nat -A PREROUTING -j DNAT --to 127.0.0.1:8080

Accept your mac set in accept_my mac_set otherwise return from accept_my_mac_set chain and redirect all traffic

iptables -A accept_my_mac_set -m mac --mac-source xx-xx-xx-xx-xx-xx, xx-xx-xx-xx-xx-xx -p tcp --dport 80 -j ACCEPT  
iptables -A accept_my_mac_set -j RETURN

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Linux – Forward HTTP Traffic to Another IP Address with iptables

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Linux – Forward HTTP Traffic to Another IP Address with iptables

Related Topic