Blacklisting MAC addresses, but they still take a DHCP lease

Use ebtables instead of iptables to block MAC addresses at layer 2:

ebtables -A INPUT -s 00:11:22:33:44:55 -j DROP

Although I think using ebtables may be the answer, it's another layer that I did not want to add to my configuration. One of the other techs helped me make a script to parse through the blacklist of IP addresses and add them to a new pool, which gives out no IP address whatsoever. It takes the regular blacklist (one MAC address per line) that I also feed into iptables, and just creates the new pool.

In my /etc/dhcp/dhcpd.conf file, I create a new class near the top:

class "blacklist" {
    match hardware;
}

In my pools with the "private side of the LAN", I add this:

deny members of "blacklist";

... and at the very end, I added:

include "/etc/dhcp/blacklist.conf";

Then, I create a Python script as per below:

#!/usr/bin/perl
# Reads one MAC address per line on stdin (blank lines and "#" comments are
# skipped) and writes them out as dhcpd "subclass" statements for the
# "blacklist" class.  dhcpd only reads its configuration at startup, so it
# has to be restarted after this file changes.
use strict;
use warnings;

my $out = "/etc/dhcp/blacklist.conf";
my @macs;
my $line = 0;

# The original read from <stdin>; Perl's standard input handle is STDIN
# (case matters), so the lowercase handle was never opened and the loop
# silently produced an empty blacklist.
while (<STDIN>) {
    $line++;

    next if /^\s*$/;
    next if /^\s*#/;

    chomp;
    s/^\s+|\s+$//g;

    # aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, hex digits in either case
    if (/^([a-f0-9]{2}((:|-)[a-f0-9]{2}){5})$/i) {
        push(@macs, lc $1);
    }
    else {
        die("syntax error on line $line\n");
    }
}

# Write a temporary file and rename it into place so dhcpd can never be
# started while the include file is half-written.
my $tmp = "$out.tmp";
open(my $fh, '>', $tmp) or die("cannot write $tmp: $!\n");
foreach my $i (@macs) {
    $i =~ tr/-/:/;
    # "1:" is the hardware type (1 = ethernet) that "match hardware" compares
    print $fh "subclass \"blacklist\" 1:$i;\n";
}
close($fh) or die("cannot close $tmp: $!\n");
rename($tmp, $out) or die("cannot rename $tmp to $out: $!\n");

I save this, then I add the execute bit with chmod +x /usr/local/sbin/dhcpd-macblock.py, and set a cron job that feeds the blacklist into the script every hour:

/usr/local/sbin/dhcpd-macblock.py < /etc/blacklist.txt

Every hour, it goes through and creates a new file with all the MAC addresses I don't want; they don't even get a DHCP reservation, and my spots are slowly freeing up.
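The procedure above has two gaps a practitioner will hit: dhcpd does not re-read dhcpd.conf on its own, so an hourly regenerated include file changes nothing until the daemon is restarted, and a single malformed line in the blacklist should not be able to knock the DHCP server over. The script below is an added example, not code from the original post or from the ISC dhcpd project: it generates the same `subclass "blacklist" 1:<mac>;` statements, installs the new include file only when its contents actually changed, checks the complete configuration with `dhcpd -t` before restarting, and rolls back to the previous file if the check fails. The service name `isc-dhcp-server`, the use of systemd, the environment variables `DHCPD_CONF` and `DHCPD_SERVICE`, and the function names are assumptions made for this example; the sample MAC list in demo mode is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): regenerate the dhcpd include
# file from a MAC blacklist, install it only if it changed and the whole
# configuration still passes "dhcpd -t", then restart dhcpd, which does not
# re-read dhcpd.conf by itself.  Assumptions: systemd and a service named
# isc-dhcp-server (override with DHCPD_SERVICE); dhcpd.conf at DHCPD_CONF.
set -u

DHCPD_CONF=${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}
DHCPD_SERVICE=${DHCPD_SERVICE:-isc-dhcp-server}

# gen_blacklist: read one MAC per line on stdin (blank lines and "#" comments
# skipped, either hex case, ":" or "-" separators) and print dhcpd
# "subclass" statements on stdout.  Any other line is a syntax error: the
# function prints nothing and returns 1, so a typo cannot empty the blacklist.
gen_blacklist() {
    hx='[0-9a-f][0-9a-f]'
    nl='
'
    out=''
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                                # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]' | tr 'ABCDEF-' 'abcdef:')
        [ -z "$line" ] && continue
        case "$line" in
            $hx:$hx:$hx:$hx:$hx:$hx) ;;
            *) printf 'syntax error on line %d: %s\n' "$n" "$line" >&2; return 1 ;;
        esac
        # "1:" is the hardware type (1 = ethernet) that "match hardware" compares
        out="${out}subclass \"blacklist\" 1:${line};${nl}"
    done
    printf '%s' "$out"
}

# deploy_blacklist SRC DST: regenerate DST from SRC.  Nothing happens when
# the result is identical to the current DST; otherwise the new file is
# installed, checked with "dhcpd -t", and rolled back if that check fails.
deploy_blacklist() {
    src=$1
    dst=$2
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if ! gen_blacklist < "$src" > "$tmp"; then
        rm -f "$tmp"
        echo "blacklist not updated; keeping $dst" >&2
        return 1
    fi
    chmod 644 "$tmp"      # mktemp creates 0600; the include file is not secret
    if [ -f "$dst" ] && cmp -s "$tmp" "$dst"; then
        rm -f "$tmp"      # unchanged: no restart needed
        return 0
    fi
    [ -f "$dst" ] && cp -p "$dst" "$dst.bak"
    mv "$tmp" "$dst"
    if dhcpd -t -cf "$DHCPD_CONF" >/dev/null 2>&1; then
        systemctl restart "$DHCPD_SERVICE"
    else
        echo "dhcpd -t rejected the new configuration; restoring $dst.bak" >&2
        [ -f "$dst.bak" ] && mv "$dst.bak" "$dst"
        return 1
    fi
}

case "${1:-demo}" in
    deploy) deploy_blacklist "${2:?blacklist source}" "${3:?include file}" ;;
    demo)
        # Constructed sample input, not a real blacklist.
        printf '%s\n' '# blocked hosts' '00:11:22:33:44:55' 'AA-BB-CC-DD-EE-FF' '' \
            | gen_blacklist
        ;;
esac
```

Run with no arguments to see the generated statements for the constructed sample; from cron, a line such as `0 * * * * /usr/local/sbin/dhcpd-blacklist.sh deploy /etc/blacklist.txt /etc/dhcp/blacklist.conf` (script name assumed) replaces the `cat ... | dhcpd-macblock.py` job and only restarts dhcpd when the list really changed. Keep in mind what this does and does not do: denying a lease stops the host from getting an address from your pools, but a host that configures a static address still talks on the LAN, which is why the ebtables answer above blocks the MAC at layer 2 instead.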