Wednesday, April 30, 2014

Iptables MAC Address Filtering

Posted December 27, 2005 · Last updated December 15, 2010
LAN or wireless access can be filtered by the MAC addresses of the devices transmitting within your network. A MAC address (media access control address) is a unique address assigned to almost all networking hardware such as Ethernet cards, routers, mobile phones, wireless cards and so on (see the MAC address article on Wikipedia for more information). This quick tutorial explains how to block or deny access by MAC address using iptables, the Linux administration tool for IPv4 packet filtering and NAT.

Linux iptables ships with the MAC match module (-m mac). This module matches packets traveling through the firewall by the source MAC (Ethernet hardware) address of the frame they arrived in, which makes it useful against malicious users who spoof or change their IP address. Because the source MAC is the address of the last hop on the local segment (each router rewrites it), MAC filtering only makes sense for packets coming from an Ethernet device and entering the following chains:
  1. PREROUTING
  2. FORWARD
  3. INPUT

Examples: Access Restrictions Using MAC Address

Drop all connections coming from MAC address 00:0F:EA:91:04:08 (add the following command to your firewall script):
 
/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
 
Allow port 22 from MAC address 00:0F:EA:91:04:07:
 
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
 
You can also restrict the rule to an incoming interface, such as eth1:
 
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
 
You can also use the FORWARD chain:
 
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
 
You can also combine it with the state match (NEW and the other supported states) so that traffic from a known MAC address is forwarded:
 
/sbin/iptables -A FORWARD -m state --state NEW -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
 

How Do I Skip a Certain MAC Address?

Use the following syntax:
 
/sbin/iptables -A INPUT -p tcp --dport PORT -m mac ! --mac-source MAC-ADDRESS-HERE-TO-SKIP -j DROP
### Drop ssh access to all except our own MAC Address ###
/sbin/iptables -A INPUT -p tcp --dport 22 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP
### Save rules ###
/sbin/service iptables save
 
The ! symbol means NOT: the firewall will DROP packets destined for port 22 unless they originate from your own computer with the listed MAC address.

Protecting Against MAC Address Spoofing of Trusted Systems

A malicious user can spoof the MAC address of a trusted system. To stop this kind of attack, use VLANs and/or static ARP entries.
See the iptables man page for more information:
man 8 iptables
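Putting the allowlist rules and the static ARP bindings together, here is an added example script (not from the original post) that generates an SSH allowlist for one interface from a list of MAC addresses, rejecting malformed addresses before they reach iptables, and emits the matching static neighbour entries with ip neigh. The interface name and the MAC/IP values are constructed sample data; the script prints the commands rather than applying them, so it can be reviewed before running as root.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates (does not apply)
# iptables and ip-neigh commands. Interface and addresses below are constructed.

# A MAC address is six colon-separated hex octets; anything else is rejected
# so a typo cannot silently produce a rule that matches nothing.
is_valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print INPUT rules that ACCEPT TCP port $2 on interface $1 only from the
# MAC addresses in $3 (whitespace separated), then DROP the rest.
# Returns 1 without printing a DROP if any MAC is malformed.
mac_allow_rules() {
    iface=$1; port=$2; macs=$3
    for mac in $macs; do
        is_valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
        printf '/sbin/iptables -A INPUT -i %s -p tcp --dport %s -m mac --mac-source %s -j ACCEPT\n' \
            "$iface" "$port" "$mac"
    done
    printf '/sbin/iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$iface" "$port"
}

# Print permanent neighbour (static ARP) entries for "MAC IP" pairs on
# interface $1, so a trusted host's IP cannot be claimed by another MAC.
static_arp_entries() {
    iface=$1; shift
    while [ $# -ge 2 ]; do
        is_valid_mac "$1" || return 1
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$2" "$1" "$iface"
        shift 2
    done
}

# Sample usage with constructed values (two trusted workstations on eth1).
mac_allow_rules eth1 22 "00:0F:EA:91:04:07 00:0F:EA:91:04:08"
static_arp_entries eth1 00:0F:EA:91:04:07 192.0.2.10 00:0F:EA:91:04:08 192.0.2.11
```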
