iptables - Filter by MAC on FORWARD chain

Solution 1:

The problem is that while you are allowing packets going from the client to the server, the packets from the server going back to the client will be dropped. They are not handled automatically by netfilter and need to be allowed explicitly.

Usually, in a restrictive firewall where you only allow certain packets and drop the rest you would use connection tracking to accept return/related packets of known connections:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Note there is no --mac-destination option in the mac match in netfilter - most probably because the MAC address of the destination machine of outgoing packets is not known to netfilter as it is resolved in a lower network layer (layer 2; netfilter operates on layers 3 and higher).
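Putting the two points of the answer together (accept the tracked return traffic first, then whitelist new forwarded connections by source MAC, drop the rest) as an added example that is not part of the original answer. It generates a ruleset in iptables-restore format rather than running iptables one line at a time; the LAN-facing interface name eth1 and the helper names are assumptions for illustration, and the host is assumed to be the forwarding router.

```shell
#!/bin/sh
# Added example (not from the original answer). Emits a filter-table ruleset for
# iptables-restore that:
#   1. accepts return/related traffic on FORWARD via connection tracking,
#   2. accepts NEW forwarded connections only from the listed source MACs,
#   3. drops everything else on FORWARD.
# Assumptions (hypothetical): the LAN interface is "eth1" (override with LAN_IF)
# and this host is the router with ip_forward enabled.

LAN_IF="${LAN_IF:-eth1}"

# valid_mac MAC -> exit 0 if MAC looks like aa:bb:cc:dd:ee:ff (case-insensitive)
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_forward_rules MAC... -> iptables-restore text on stdout, exit 1 on bad input
build_forward_rules() {
    [ "$#" -gt 0 ] || { echo "need at least one MAC address" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Start from an empty FORWARD chain so re-applying the script is idempotent.
    printf '%s\n' '-F FORWARD'
    # Reply packets (server -> client) carry the server's MAC, so they can never
    # match the --mac-source rules below; accept them by conntrack state first.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Only NEW connections are checked against the MAC whitelist. The mac match
    # has --mac-source only, and the source MAC is meaningful only on the
    # interface where the client's frame actually arrives, hence the -i match.
    for mac in "$@"; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -m mac --mac-source $mac -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_forward_rules MAC... -> load the generated ruleset (needs root).
# --noflush leaves INPUT/OUTPUT alone; FORWARD is flushed by the -F line above.
apply_forward_rules() {
    build_forward_rules "$@" | iptables-restore --noflush
}

# Example invocation (constructed MAC addresses):
#   build_forward_rules 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff   # print the ruleset
#   apply_forward_rules 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff   # load it as root
```

The ordering matters: if the ESTABLISHED,RELATED rule were placed after the MAC rules it would still work, but every reply packet would be needlessly evaluated against the whole whitelist first. Because the whitelist only ever sees NEW connections, a client that is not listed can neither start a forwarded connection nor piggy-back on someone else's, while replies to an allowed client pass regardless of which MAC the server has.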