MAC based filtering on LAN


What is the best way of doing MAC-based filtering on the LAN ports? This is more specifically to create an "allow list" of MAC addresses to control access between LAN ports and the WAN port, as the traffic has to go through the router. (No wireless is involved.)

While it's easy to change MAC address on a client, it wouldn't work if there's an explicit "allow list".

Can it be done using iptables, or is there a better way?

You could try something like this.

# /etc/firewall.user
mac_filter() {
  # allow one source MAC through the LAN -> WAN forwarding chain
  iptables -A forwarding_lan_rule -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT -m comment --comment "user_a"
  # or, with a rate limit on the allowed client
  iptables -A forwarding_lan_rule -m mac --mac-source 11:22:33:44:55:66 -m limit --limit 5/s -j ACCEPT -m comment --comment "client_b"

  # --block-all: drop every other source MAC; this rule must stay last in the chain
  iptables -A forwarding_lan_rule -j DROP -m comment --comment "last"
}

mac_filter

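As an added example (not from the thread and not OpenWrt's own code), the same allow-list idea driven by a file instead of hard-coded rules: a dedicated chain is created and flushed on every run so re-running `firewall.user` does not append duplicate rules, each MAC is validated before a rule is emitted, and the default DROP is appended last. The chain name `mac_allow`, the file `/etc/mac_allow.list` and its "one MAC and a label per line" format are assumptions; only the `forwarding_lan_rule` chain comes from the post above. The script prints the commands rather than running them, so the result can be reviewed first and then piped to `sh`.

```shell
#!/bin/sh
# Added example, not from the thread: generate a MAC allow-list chain
# for OpenWrt's iptables firewall from a list file. Names below are assumptions.
CHAIN="mac_allow"                               # assumed chain name
ALLOW_LIST="${ALLOW_LIST:-/etc/mac_allow.list}" # assumed file: "<mac> <label>" per line

# Read "<mac> <label>" lines on stdin and print the iptables commands that
# rebuild the chain: flush, one ACCEPT per valid MAC, then DROP last.
gen_mac_allow_rules() {
  echo "iptables -N $CHAIN 2>/dev/null"   # create once; harmless if it already exists
  echo "iptables -F $CHAIN"               # flush so re-running does not duplicate rules
  while read -r mac label; do
    case "$mac" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    if ! printf '%s' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
      echo "skipping malformed MAC: $mac" >&2
      continue
    fi
    echo "iptables -A $CHAIN -m mac --mac-source $mac -m comment --comment \"${label:-allowed}\" -j ACCEPT"
  done
  # default deny for every other source MAC; must come after all ACCEPTs
  echo "iptables -A $CHAIN -m comment --comment \"default deny\" -j DROP"
  # hook the chain into fw3's forwarding_lan_rule exactly once
  echo "iptables -C forwarding_lan_rule -j $CHAIN 2>/dev/null || iptables -I forwarding_lan_rule 1 -j $CHAIN"
}

if [ -r "$ALLOW_LIST" ]; then
  gen_mac_allow_rules < "$ALLOW_LIST"
else
  # constructed sample so the script can be tried without the list file
  gen_mac_allow_rules <<'EOF'
aa:bb:cc:dd:ee:ff user_a
11:22:33:44:55:66 client_b
EOF
fi
```

To apply on the router: `sh /path/to/this.sh | sh`. Because the chain is flushed and the hook is inserted only if `iptables -C` does not already find it, the script is safe to call from `/etc/firewall.user` on every firewall reload.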

It's rather easy to sniff the MAC addresses that exist in the network and spoof them. If the switch doesn't support some port-security features, you are basically vulnerable to any malicious user.
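One check that follows from this point, added here as an example rather than anything posted in the thread: a second host using an allowed MAC usually sits in the router's neighbour table alongside the real owner, so one MAC bound to more than one IP on `br-lan` is worth a look. The function below parses `ip neigh` output and lists such MACs; the sample lines are constructed. A device whose DHCP lease recently changed produces the same pattern, so a hit is something to investigate, not proof of spoofing, and port security on the switch remains the actual control.

```shell
#!/bin/sh
# Added example, not from the thread: flag MAC addresses that appear with
# more than one IP in the neighbour table, a common side effect of a second
# host using an allowed MAC at the same time as the real owner.

# Read "ip neigh" lines on stdin; print "<mac> -> <ip> <ip> ..." for each MAC
# bound to more than one IP. Entries without an lladdr (e.g. FAILED) are skipped.
find_shared_macs() {
  awk '
    {
      for (i = 1; i < NF; i++)
        if ($i == "lladdr") {
          mac = tolower($(i + 1))          # normalise case so AA:.. and aa:.. match
          ips[mac] = ips[mac] " " $1       # $1 is the IP at the start of the line
          count[mac]++
        }
    }
    END { for (m in count) if (count[m] > 1) print m " ->" ips[m] }
  ' | sort
}

# Constructed sample in "ip -4 neigh" format; on a router run:
#   ip -4 neigh show dev br-lan | find_shared_macs
find_shared_macs <<'EOF'
192.168.1.10 dev br-lan lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.11 dev br-lan lladdr 11:22:33:44:55:66 STALE
192.168.1.77 dev br-lan lladdr AA:BB:CC:DD:EE:FF REACHABLE
192.168.1.12 dev br-lan FAILED
EOF
```

Run periodically from cron and diff against the previous output, or feed it into whatever logging you already collect from the router; an allowed MAC that suddenly gains a second IP is the event to alert on.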


Makes sense, thanks for pointing out.

