# ipset ( mac address match in postrouting )

## dashang

I want to allow MAC address based authentication without ip address.

For that source mac address is match in PREROUTING .

ipset create macbasedusers bitmap:ip,mac range 10.104.1.0/24

ipset add macbasedusers 10.104.1.122,00:19:b9:76:b9:b8 (Currently I have add ip manually for testing).

iptables -t mangle -I PREROUTING -m set --match-set macbasedusers src,src -j ACCEPT

now in POSTROUTING this condition is not match for destination because there is no MAC address match in POSTROUTING its work on ip layer.

But my requirement is to allow flow only based on MAC ADDRESS. I want to create system in only MAC based authentication is there.

So how to match MAC ADDRESS in POSTROUTING.???

----------

## truc

You could probably MARK the packet in PREROUTING and do what you need to do in the POSTROUTING nat chain based on that MARK?

As a side note: mac address are easy to spoof, make sure this is the level of "security" that you want.

----------

