eth1: local network, eth0: Internet
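#!/bin/sh
# Stateful forwarding firewall with a source-MAC whitelist.
# Interface roles: eth1 = local network side, eth0 = Internet side.
# Needs root (netfilter access) and an iptables that provides the
# `macfilter` match used below.
#
# Resulting filter table:
#   INPUT    DROP by default; only loopback and replies to the host's own
#            connections are accepted — no inbound management access is
#            opened by this script.
#   OUTPUT   ACCEPT.
#   FORWARD  every packet first traverses the `macfilter` chain (source-MAC
#            whitelist, with a fixed IP<->MAC binding on eth1); what survives
#            is accepted if it belongs to an existing connection or is a NEW
#            connection arriving from eth1.

# Abort on the first failing command: a half-applied ruleset that silently
# continues is worse than a visible failure. Because the DROP policies are
# installed before any ACCEPT rule, an aborted run leaves the box
# fail-closed rather than open.
set -e

# Absolute path on purpose: do not rely on PATH when running as root.
IPT='/usr/local/sbin/iptables'
readonly IPT

if [ ! -x "$IPT" ]; then
  printf 'error: iptables binary not found or not executable: %s\n' "$IPT" >&2
  exit 1
fi

# Start from a clean filter table: flush all chains first, then delete
# user-defined chains (-X only removes empty chains, hence after -F).
"$IPT" -F
"$IPT" -X

# Default policies. Setting DROP before any ACCEPT rule exists keeps the
# firewall closed while the rest of the rules are loaded.
"$IPT" -P FORWARD DROP
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT

# User-defined chain that holds the source-MAC whitelist.
"$IPT" -N macfilter

# The host itself: accept replies to its own connections and loopback only.
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -i lo -j ACCEPT

# Forwarded traffic: MAC whitelist first (so even ESTABLISHED flows are
# re-checked), then the stateful rules. New connections may only be opened
# from the local side (eth1); NEW packets from eth0 fall through to the
# FORWARD DROP policy.
"$IPT" -A FORWARD -j macfilter
"$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A FORWARD -i eth1 -m state --state NEW -j ACCEPT

# Whitelist entries: a matching packet RETURNs to FORWARD; everything else
# is logged and dropped. On eth1 the source IP is bound to its MAC, so a
# host that takes over a whitelisted IP from a different NIC is still
# dropped. On eth0 only the MAC is checked — presumably the upstream
# gateway's MAC; verify it against the actual next hop.
# NOTE(review): upstream iptables ships this check as `-m mac --mac-source`;
# `-m macfilter --macfilter-source` presumably comes from an extension built
# into this /usr/local iptables — confirm it loads before deploying.
"$IPT" -A macfilter -i eth1 -s 1.2.3.4 -m macfilter --macfilter-source 00:01:02:03:04:05 -j RETURN
"$IPT" -A macfilter -i eth1 -s 1.2.4.8 -m macfilter --macfilter-source 00:01:04:04:08:10 -j RETURN
"$IPT" -A macfilter -i eth0 -m macfilter --macfilter-source 00:0a:bc:dc:ba:98 -j RETURN

# Rate-limit the LOG rule so a burst of non-whitelisted frames cannot fill
# the logs; the unconditional DROP that follows is unaffected.
"$IPT" -A macfilter -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Invalid macfilter "
"$IPT" -A macfilter -j DROP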