MAC Filtering with Netfilter
Keep unwanted machines off your network with MAC address whitelisting
Media Access Control (MAC) address filtering is a well-known method for protecting wireless networks. This type of filtering works on the default deny principle: you specify the hosts that are allowed to connect, while leaving unknown ones behind. MAC addresses are unique 48-bit numbers that have been assigned to every Ethernet device that has ever been manufactured, including 802.11 devices, and are usually written as six 8-bit hexadecimal digits separated by colons.
In addition to Linux’s native IP packet filtering
system, Netfilter also contains MAC address filtering functionality.
While many of the wireless access points on the market today already
support this, there are many older ones that do not. MAC filtering is
also important if your access point is actually the Linux machine
itself, using a wireless card. If you have a Linux-based firewall
already set up, it’s a trivial modification to
enable it to filter at the MAC level. MAC address filtering with
iptables is very much like IP-based filtering,
and is just as easy to do.
This example demonstrates how to allow a particular MAC address if your firewall policy is set to DROP [Hack #33] :
iptables -A FORWARD -m state --state NEW \ -m mac --mac-source 00:DE:AD:BE:EF:00 -j ACCEPT
This command will allow any traffic sent from the network interface
with the address 00:DE:AD:BE:EF:00. Using rules like this one along with a default ...