Configure MAC based Filtering using Iptables in Linux

Security of data always have in top of priorities for systems administrator’s. Systems admin’s always tries to keep all the ports close for public used which is not required. But some times we are in require to allow some of our external users or clients to server via remote login. In that case we need to open firewall ports. Generally we use IP addresses to allow/deny a client via iptables, but it’s not necessary that each client has static ip on their side. In that case its hard to open port time to time for their ips. In this situation we can use MAC based filtering in iptables as we know that MAC addresses are fixed and can’t be changed. MAC addresses are also knows as physical/hardware address of network interface card.

Iptables has a module, which provides mac based filtering of packets on specific ports. This article will help you to how to configure iptables to filter traffic based on MAC addresses.

1. Allow Full Access to specific MAC

Below command will allow all ports access to system having physical address 3E:D7:88:A6:66:8E.

# iptables -I INPUT -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT

2. Allow/Deny SSH Access to Specific MAC

Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.
To allow:

# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j ACCEPT

To Deny:

# iptables -I INPUT -p tcp --dport 22 -m mac --mac-source 3E:D7:88:A6:66:8E -j REJECT

3. Restrict SSH to Everyone Except Specific MAC

Below command will allow ssh access ( port 22) to system having physical address 3E:D7:88:A6:66:8E.

# iptables -I INPUT -p tcp --port 22 -m mac ! --mac-source 3E:D7:88:A6:66:8E -j REJECT

References:
About MAC Address: http://en.wikipedia.org/wiki/MAC_address
For Iptables: http://en.wikipedia.org/wiki/Iptables