iptables - Filter by MAC on FORWARD chain
Solution 1:
The problem is that while you are allowing packets going from the client to the server, the packets from the server going back to the client will be dropped. They are not handled automatically by the netfilter and need to be allowed explicitly.
Usually, in a restrictive firewall where you only allow certain packets and drop the rest you would use connection tracking to accept return/related packets of known connections:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Note there is no --mac-destination
option in the mac
match in netfilter - most probably because the MAC address of the destination machine of outgoing packets is not known to netfilter as it is resolved in a lower network layer (layer 2; netfilter operates on layers 3 and higher).