Iptables MAC Address Filtering

LAN or wireless access can be filtered using the MAC addresses of the devices transmitting on your network. A MAC address (media access control address) is a unique address assigned to almost all networking hardware such as Ethernet cards, routers, mobile phones, wireless cards and so on (see MAC address on Wikipedia for more information). This quick tutorial explains how to block or deny access by MAC address using iptables, the Linux administration tool for IPv4 packet filtering and NAT.

Linux iptables comes with the mac match module. This module matches packets traveling through the firewall based on their MAC (Ethernet hardware) address. It offers good protection against malicious users who spoof or change their IP address. Remember that MAC filtering only makes sense for packets coming from an Ethernet device and entering the following chains:


  1. PREROUTING
  2. FORWARD
  3. INPUT

Examples: Access Restrictions Using MAC Address

Drop all connections coming from MAC address 00:0F:EA:91:04:08 (add the following command to your firewall script):

/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Allow port 22 from MAC address 00:0F:EA:91:04:07:

/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

You can also restrict the rule to an interface name, such as eth1:

/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

You can also use the FORWARD chain:

/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT

You can also use NEW and other supported states as follows so that a known MAC address can be forwarded:

/sbin/iptables -A FORWARD -m state --state NEW -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT

How Do I Skip a Certain MAC Address?

Use the following syntax:

/sbin/iptables -A INPUT -p tcp --dport PORT -m mac ! --mac-source MAC-ADDRESS-HERE-TO-SKIP -j DROP
### Drop ssh access to all except our own MAC Address ###
/sbin/iptables -A INPUT -p tcp --dport 22 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP
### Save rules ###
/sbin/service iptables save

The ! symbol means NOT. Your firewall will DROP packets destined to port 22 as long as they do NOT originate from your own computer with the desired MAC address.
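An added example (not part of the original article) that generalises the single-MAC rule above to an allow-list of several trusted MACs for SSH, validating the address format before any rule is emitted; the IPT and IFACE defaults and the two sample addresses are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): generate an SSH allow-list from
# one or more MAC addresses. The "! --mac-source X -j DROP" form only works for
# a single address; for several trusted MACs you need one ACCEPT per address
# followed by a catch-all DROP, which is what this emits.
# Each address is validated and normalised first, so iptables never sees a
# malformed argument such as dash-separated 14-58-D0-B7-2C-A7 (that is what
# produces the terse "iptables v1.4.21: ether" usage error).
# IPT and IFACE are assumed defaults, not values from the page.
IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth1}

# normalise_mac RAW: print the address as colon-separated upper-case hex
# (accepts ':' or '-' separators, any case); return 1 if it is not 6 octets.
normalise_mac() {
    mac=$(printf '%s' "$1" | sed 's/-/:/g' | tr 'a-f' 'A-F')
    case "$mac" in
        [0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F])
            printf '%s\n' "$mac" ;;
        *)
            echo "invalid MAC address: $1" >&2
            return 1 ;;
    esac
}

# gen_ssh_mac_rules MAC...: print the iptables commands (one per line) that
# allow TCP/22 on $IFACE only from the given MACs and drop it from everyone
# else. Nothing is printed if any address fails validation (return 1), so a
# half-built rule set never reaches the firewall.
gen_ssh_mac_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_ssh_mac_rules MAC..." >&2; return 1; }
    for raw in "$@"; do
        normalise_mac "$raw" >/dev/null || return 1
    done
    for raw in "$@"; do
        mac=$(normalise_mac "$raw")
        printf '%s -A INPUT -i %s -p tcp --dport 22 -m mac --mac-source %s -j ACCEPT\n' \
            "$IPT" "$IFACE" "$mac"
    done
    # Catch-all: any other source on this interface is dropped for port 22.
    printf '%s -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$IPT" "$IFACE"
}

# Stand-alone use: print the rules for two constructed sample addresses.
# Pipe the output into sh (as root) to apply them, then save the rule set.
gen_ssh_mac_rules 00:0F:EA:91:04:07 00-0f-ea-91-04-08
```

Keep in mind that the mac match only sees the source address of the last Ethernet hop, so it identifies hosts on the local segment; traffic arriving through a router (or a virtual switch that rewrites frames) carries that device's MAC instead.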

Protecting Against MAC Address Spoofing From Trusted Systems

A malicious user can spoof the MAC address of a trusted system. To stop this kind of attack, use VLANs and/or static ARP entries.

See iptables man page for more information:
man 8 iptables

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

38 comments
  • raj Jun 17, 2010 @ 10:59

    Hi,

    I want to block all MAC address except 1. Any clue.

    I do not want to block TCP or UDP Traffic at all.

    Thanks

  • Andy Apr 8, 2011 @ 18:59

    Can I use this tutorial to create a MAC filter between a wireless network switch and the core? I need access to the network resources so I can’t use a router. What would you suggest?

  • Madhab Jun 6, 2011 @ 14:28

    Hi,

    I wanna block internet on some computer PC with a MAC address; which rule can do it?

  • Jim Aug 26, 2011 @ 21:41

    Is it possible to block all MACs except a range? For example, I want to allow all devices from a specific manufacturer such as 11.22.33.00.00.00 through 11.22.33.FF.FF.FF?

  • Dert Oct 22, 2011 @ 1:07

    Jim, I think no, because I haven't found in man special MAC-address diapason system support (like for IP addresses)

  • Willy Oct 3, 2012 @ 9:04

    Hi,
    someone knows why that command:

    iptables -A INPUT -i eth0 -p tcp --dport 1234 -m mac --mac-source XX:XX:XX:XX:XX -j ACCEPT

    works properly in a pc with iptables 1.4.4 and it give me this error:

    iptables: No chain/target/match by that name.

    on a pc with iptables 1.4.12.1


    Willy

  • dp022 Jan 24, 2013 @ 9:09

    Hai,

    Can anyone let me know how to block all the mac addresses except two mac addresses in the linux server..

  • Tom Boland Jun 24, 2013 @ 17:19

    Warning on trying to use --mac-source when on a VM instance: It may not work.

    For instance, in Hyper-V , the VM host machine’s IP address for the switch is what will *always* show as the source mac address, rather than the true mac address.

    It may also be true for VMware, depending on configuration of the switch on the host.

  • John Nov 26, 2014 @ 19:04

    Thanks for this post. I don’t really see this anywhere else in the IPTables documentation, though I could be missing it.
    I wish a --match mac --mac-destination xx:xx:xx:xx:xx:xx had been implemented. It wouldn't really stop a Man-in-the-Middle (MITM) attack but it would serve as a deterrent.
    If one fails (maybe just forgets) to implement a prohibition on source routing (i.e. on a new install), it would be possible to source route (or partially source route) even a non-routable packet to a destination in a LAN, ostensibly from the IPTables protected host, and then to respond to that opened pinhole (related connection) in the IPTables firewall. I presently see rogue hosts, which are NOT DNS servers, sending unsolicited DNS responses (UDP/TCP port 53) to various hosts on my LAN (as well as faux ICMP responses) to try to open that pinhole to respond to. The ploy is almost as prevalent as MITM attacks, though, since it's really difficult to detect good MITM attacks, how many MITM attacks can really be identified?

  • mahesh deshmukh Dec 2, 2014 @ 5:59

    By using the above commands I'm getting the following error:
    iptables v1.4.12:ether
    Can anyone help please?

  • Helipil0t Oct 26, 2015 @ 19:29

    I'm having a hard time getting a simple iptables rule working for MAC filtering. I'm using the following:

    iptables -I FORWARD -m mac --mac-source XX:XX:XX:XX:XX:01 -j ACCEPT
    sudo iptables -A FORWARD -j DROP
    
    Which give me the following table:
    Chain FORWARD (policy ACCEPT 322 packets, 181K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      342 21034 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:01
    2      490 28916 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
    

    This SHOULD allow the MAC address full access, but all packets are still being dropped. The client has no access to the internet. Can anyone help me out? What am I doing wrong? This is on DD-WRT. Thanks

  • devoarabawy@gmail.com Aug 4, 2016 @ 9:32

    [root@localhost ~]# iptables -A INPUT -i enp0s25 -p tcp --destination-port 22 -m mac --mac-source 14-58-D0-B7-2C-A7 -j ACCEPT
    iptables v1.4.21: ether
    Try `iptables -h' or 'iptables --help' for more information.
    [root@localhost ~]#

    • Nerus Sep 18, 2016 @ 19:48

      Wrong format: 14-58-D0-B7-2C-A7
      Need to be in 14:58:D0:B7:2C:A7

  • JOEL AGUSTIN SANCHEZ BALTAZAR Jan 17, 2017 @ 2:50

    Does this work only in a LAN environment, or also on an internet public webserver?

  • Mani Feb 21, 2017 @ 3:00

    I want to write a rule in iptables so that I can allow any single MAC address to telnet on port 2333. Any suggestions??
