In this article, I will show examples of blocking MAC addresses in IPTables.
Let’s say you need to block incoming connections to the server from a specific MAC address. Here is an example of such a rule:
iptables -A INPUT -m mac --mac-source 04:18:d6:52:1d:71 -m comment --comment "Example_ixnfo_com" -j DROP
If the server acts as an access server (for example, it does NAT for clients), you can instead block the forwarding of packets from a specific MAC address:
iptables -A FORWARD -m mac --mac-source 04:18:d6:52:1d:71 -m comment --comment "Example_ixnfo_com" -j DROP
To remove a rule, just replace -A with -D, for example:
iptables -D FORWARD -m mac --mac-source 04:18:d6:52:1d:71 -m comment --comment "Example_ixnfo_com" -j DROP
Similarly, instead of blocking you can allow access. Here are examples of allowing SSH access only for a specific MAC address (the second rule additionally limits the match to the eth0 interface):
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 04:18:d6:52:1d:71 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m mac --mac-source 04:18:d6:52:1d:71 -j ACCEPT
This assumes that the default policy for all incoming connections is DROP (during initial remote configuration, put all the rules in a script and then execute it, so as not to lose access to the server):
iptables -P INPUT DROP
Alternatively, add a deny rule after the allow rules. Whenever you add new allow rules, you must remove the deny rule and append it again so that it stays last, for example:
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 04:18:d6:52:1d:71 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP
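The allow-rules-then-deny arrangement from the last two commands, written as a script (the article's own advice for remote setup) that goes one step beyond the article: a dedicated chain holds one ACCEPT per MAC and a final DROP, so adding a MAC means re-running the script rather than removing and re-adding the deny rule. This is an added example, not the article's own code; it assumes SSH on port 22 on eth0 and a chain named SSH_MAC, and the MAC addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the SSH MAC
# allow-list as a script using a dedicated chain, so new allow rules never
# have to be ordered around the final DROP by hand.
# Assumptions: SSH on port 22, LAN interface eth0, chain name SSH_MAC;
# the MAC addresses used in the usage lines are constructed samples.

IPTABLES="${IPTABLES:-/sbin/iptables}"
SSH_IFACE="${SSH_IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Accept only six colon-separated hex pairs; a typo here would otherwise
# produce an iptables error or a rule that never matches anything.
is_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one iptables command per line: create/flush the chain, one ACCEPT
# per allowed MAC, a final DROP, then a single jump from INPUT. Returns 1
# and prints nothing if any argument is not a MAC address.
# Note: the mac match sees the source MAC of the last layer-2 hop, so it
# only distinguishes hosts on the same segment as $SSH_IFACE; behind a
# router every packet carries the router's MAC.
ssh_mac_rules() {
  for mac in "$@"; do
    is_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
  done
  echo "$IPTABLES -N SSH_MAC"   # fails harmlessly if the chain already exists
  echo "$IPTABLES -F SSH_MAC"   # always start from an empty chain
  for mac in "$@"; do
    echo "$IPTABLES -A SSH_MAC -m mac --mac-source $mac -m comment --comment ssh_mac_allow -j ACCEPT"
  done
  echo "$IPTABLES -A SSH_MAC -m comment --comment ssh_mac_deny_other -j DROP"
  # -C checks whether the jump already exists, so re-running the generated
  # script does not stack duplicate jump rules in INPUT.
  echo "$IPTABLES -C INPUT -i $SSH_IFACE -p tcp --dport $SSH_PORT -j SSH_MAC 2>/dev/null || $IPTABLES -A INPUT -i $SSH_IFACE -p tcp --dport $SSH_PORT -j SSH_MAC"
}

# Usage (constructed sample MACs): review the output first, then apply as root.
#   ssh_mac_rules 04:18:d6:52:1d:71 00:11:22:33:44:55        # dry run, prints only
#   ssh_mac_rules 04:18:d6:52:1d:71 00:11:22:33:44:55 | sh   # apply
```

Because the DROP is the last rule inside SSH_MAC and the INPUT jump is added only once, the generated script can be re-run after every change to the MAC list.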
See also my articles:
How to configure IPTables
IPTables quick setup script