MAC Address Filtering with iptables


In the Layer 2 world, systems are uniquely identified by their MAC addresses, which might look something like this: 00:90:F5:1E:30:D0. iptables can be used at Layer 2, just like ebtables, specifically for filtering out MAC addresses. You might want to do this because you are running a transparent firewall and your users have dynamically assigned IP addresses. Filtering purely on the IP address (Layer 3) might not be particularly effective, because these IP addresses are ever changing. (Note: MAC addresses can be changed too; this is not a silver bullet!)

In the event that you need to filter out MAC addresses either destined to or passing through the firewall (presumably in a bridging configuration), one recommended method is to combine your filter rules into one common user defined chain, as follows:

 $IPTABLES -N MACFILTER
 $IPTABLES -A MACFILTER -m mac \
         --mac-source 00:11:22:33:44:55 -j ACCEPT
 $IPTABLES -A MACFILTER -m mac \
         --mac-source 00:11:22:33:44:11 -j ACCEPT
 $IPTABLES -A MACFILTER -m mac \
         --mac-source 00:11:22:33:44:22 -j ACCEPT
 $IPTABLES -A MACFILTER -m mac \
         --mac-source 00:11:22:33:44:33 -j ACCEPT
 $IPTABLES -A MACFILTER -j DROP

To filter out MAC addresses destined to your firewall, you would apply this user-defined rule to the INPUT chain:

 # eth0 assumes that the source of the MAC addresses being filtered are coming
 # from the eth0 interface physically
 $IPTABLES -A INPUT -i eth0 -j MACFILTER

To filter out MAC addresses passing through your firewall, you would apply this rule to the FORWARD chain:

 # eth0 assumes that the source of the MAC addresses being filtered are
 # coming from the eth0 interface physically
 $IPTABLES -A FORWARD -i eth0 -j MACFILTER
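The three steps above (build the MACFILTER chain, hook it into INPUT, hook it into FORWARD) as one complete POSIX shell script. This is an added example, not code from the book: the four MAC addresses are the constructed sample values used above, the ingress interface is assumed to be eth0, and IPTABLES defaults to "echo iptables" so the generated rules can be previewed without root (set IPTABLES=iptables to apply them). It also validates each whitelist entry before emitting a rule, so a typo in the list cannot silently produce a chain that accepts nothing.

```shell
#!/bin/sh
# Build and attach an iptables MAC whitelist chain (MACFILTER).
# Dry run by default: IPTABLES="echo iptables" prints the rules instead of
# loading them. Run with IPTABLES=iptables as root to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"
IN_IF="${IN_IF:-eth0}"   # assumed physical ingress interface

# Constructed sample whitelist (same placeholder MACs as the chapter text).
ALLOWED_MACS="00:11:22:33:44:55
00:11:22:33:44:11
00:11:22:33:44:22
00:11:22:33:44:33"

# A MAC address is six colon-separated hex octets; anything else is rejected.
is_valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the MACFILTER chain: one ACCEPT per valid source MAC, then a final DROP.
# Returns non-zero if any entry in the list was malformed (it is skipped, not
# accepted, so a bad line fails closed).
build_macfilter() {
  status=0
  $IPTABLES -N MACFILTER
  for mac in $1; do
    if is_valid_mac "$mac"; then
      $IPTABLES -A MACFILTER -m mac --mac-source "$mac" -j ACCEPT
    else
      echo "skipping malformed MAC entry: $mac" >&2
      status=1
    fi
  done
  # Everything not explicitly whitelisted above is dropped.
  $IPTABLES -A MACFILTER -j DROP
  return $status
}

# Hook the chain in for traffic to the firewall (INPUT) and through it (FORWARD).
# The mac match is only valid in PREROUTING, INPUT and FORWARD, never in OUTPUT.
attach_macfilter() {
  $IPTABLES -A INPUT -i "$IN_IF" -j MACFILTER
  $IPTABLES -A FORWARD -i "$IN_IF" -j MACFILTER
}

# Stand-alone usage: print (or load) the whole rule set.
if [ "${MACFILTER_NO_MAIN:-}" = "" ] && [ "$(basename "$0")" = "macfilter.sh" ]; then
  build_macfilter "$ALLOWED_MACS" && attach_macfilter
fi
```

Because the chain ends in an unconditional DROP, order matters: every ACCEPT must precede it, and a host that changes or spoofs its MAC (the caveat from the opening paragraph) will still match an ACCEPT rule, so treat this as a convenience control, not an identity control.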

Note

If you're trying to filter out DHCP requests, this is not the way to do it! See the next section.




    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169