I'm building a captive portal (yeah, just another one ;) ) and now I'm trying to handle the core feature, the iptables rules. Based on ipset I have a list of valid MAC addresses in a set named allow-mac. So this is the current config (stripped down to the problem itself):

echo 1 >/proc/sys/net/ipv4/ip_forward

ipset create allow-mac hash:mac counters
ipset add allow-mac XX:XX:XX:XX:XX:XX

IPT="/usr/sbin/iptables"

WAN="eth0"
LAN="eth1"

$IPT -P FORWARD DROP
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$IPT -I FORWARD -i $LAN -m set --match-set allow-mac src -j ACCEPT

This should work, but it didn't! So, if I change the default FORWARD policy to ACCEPT and invert the rule:

$IPT -P FORWARD ACCEPT
$IPT -I FORWARD -i $LAN -m set ! --match-set allow-mac src -j DROP

I have the desired result, and only clients with a known MAC address in the list can forward.

So my question: why is it not working in the first setup? And my second missing feature: the counters module is already added, but now only the "upload" traffic from the client is counted. How can I also count the download traffic (in a separate counter)?

1 Answer

In the first ruleset you only allow outgoing traffic, as you specified -i $LAN, so the reply will be filtered out. It will probably work simply by removing -i $LAN?

But in this case the whole traffic will be counted (upload + download). If you want to count upload and download separately, you'll probably have to create two marking policies:

  • one for the upload, where src mac is marked
  • one for the download, where dst mac is marked.
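The following script is an added example, not the asker's script or the answerer's code. It keeps the asker's whitelist posture (FORWARD policy DROP, the allow-mac set with counters for upload) and adds the missing reply path with a conntrack rule rather than by dropping -i $LAN. For the download counter it assumes a second ipset, allow-ip (hash:ip with counters), that the portal fills with the client's IP address at the same time as its MAC. The reason for keying downloads by IP is a kernel detail worth checking on your own setup: in the FORWARD chain the Ethernet header attached to a reply packet is the one received on the WAN interface, so the client's MAC is not present in the frame and a hash:mac "dst" match cannot see it (this is also why iptables' own mac match only offers --mac-source). The variable names IPT, IPSET, WAN and LAN follow the question; RUN_RULES, create_sets, apply_rules and authorize_client are this example's own names.

```shell
#!/bin/sh
# Added example: whitelist forwarding by MAC with separate upload/download
# counters. Not the original poster's script. Set IPT=echo IPSET=echo for a
# dry run that only prints the commands.
IPT="${IPT:-/usr/sbin/iptables}"
IPSET="${IPSET:-/usr/sbin/ipset}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

create_sets() {
    # -exist makes the script re-runnable without "set already exists" errors
    $IPSET -exist create allow-mac hash:mac counters
    $IPSET -exist create allow-ip  hash:ip  counters   # assumed second set
}

apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Upload: anything from an authorized client MAC towards the WAN.
    # The set's "counters" option accumulates these bytes per MAC.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" \
         -m set --match-set allow-mac src -j ACCEPT
    # Download: only replies to connections a client opened. The client MAC is
    # not in the frame here, so the per-client counter is keyed by its IP.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" \
         -m conntrack --ctstate ESTABLISHED,RELATED \
         -m set --match-set allow-ip dst -j ACCEPT
    # Unknown MACs and NEW connections arriving from the WAN hit the DROP policy.
}

authorize_client() {
    # $1 = client MAC, $2 = client IP (the portal knows both from the login
    # request and the ARP table); both entries are needed for both counters
    $IPSET -exist add allow-mac "$1"
    $IPSET -exist add allow-ip  "$2"
}

show_counters() {
    # "ipset list" prints packets/bytes next to each member of both sets
    $IPSET list allow-mac
    $IPSET list allow-ip
}

if [ "${RUN_RULES:-0}" = 1 ]; then
    create_sets
    apply_rules
fi
```

Run it as root with RUN_RULES=1 to install the sets and rules, call authorize_client "<mac>" "<ip>" from the portal after a successful login, and read both counters with show_counters; "ipset list allow-mac" then shows upload bytes per MAC and "ipset list allow-ip" download bytes per client IP. Because the policy stays DROP, a client whose MAC was never added cannot forward at all, and nothing that starts from the WAN side is forwarded.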
