What is the best way of doing MAC-based filtering on the LAN ports? More specifically, this is to create an "allow list" of MAC addresses to control access between the LAN ports and the WAN port, as the traffic has to go through the router (no wireless is involved).
While it's easy to change the MAC address on a client, it wouldn't work if there's an explicit "allow list".
Can it be done using iptables, or is there a better way?
It's rather easy to sniff the MAC addresses that exist in the network and spoof them. If the switch doesn't support some port-security features, you are basically vulnerable to any malicious user.
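The allow list the question describes, sketched with the iptables `mac` match (an added example, not code from either poster). The interface names `br-lan` and `eth0`, the chain name `MACALLOW` and the sample addresses are assumptions; as the reply notes, this does not stop a client that spoofs an allow-listed address.

```shell
#!/bin/sh
# Added example: emit iptables-restore rules that let LAN->WAN traffic through
# only when the source MAC is on an allow list.
LAN_IF="${LAN_IF:-br-lan}"   # assumption: name of the LAN-side interface
WAN_IF="${WAN_IF:-eth0}"     # assumption: name of the WAN-side interface

# Constructed sample allow list (locally administered addresses).
ALLOWED_MACS="02:00:00:aa:bb:01
02:00:00:AA:BB:02"

is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# $1 = whitespace-separated MAC list. Prints the ruleset on stdout;
# returns 1 and prints nothing on stdout if any entry is malformed.
build_ruleset() {
    for mac in $1; do
        is_valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    echo '*filter'
    echo ':MACALLOW - [0:0]'
    # Send every routed LAN->WAN packet through the allow-list chain first.
    echo "-I FORWARD 1 -i $LAN_IF -o $WAN_IF -j MACALLOW"
    for mac in $1; do
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        echo "-A MACALLOW -m mac --mac-source $mac -j ACCEPT"
    done
    # Anything not matched above is not on the list.
    echo '-A MACALLOW -j DROP'
    echo 'COMMIT'
}

# Print the ruleset for review; it is not loaded into the kernel here.
build_ruleset "$ALLOWED_MACS"
```

The output is in `iptables-restore` format; loading it with `iptables-restore --noflush` keeps the router's existing rules, which still have to permit the return traffic from the WAN side.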