I want to block some MAC's from my LAN network such that they cannot access the internet.. I tried the following

iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP
but this didnt work out..

As v know, MAC protection will only work with
PREROUTING
FORWARD
INPUT
chains, and I must use OUTPUT chain for the requests going out, I m not able to figure out how to do it!!

Someone pls help!!!

Thanks..

Well that rule will drop any packets from the specified mac address destined for the host itself..

If you are intending to run this rule on a gateway, and you intend to stop all unspecified mac addresses (as indicated by the "!") within the lan, from using port 80, then you will probably want it in the FOWARD chain.

http://www.linuxhomenetworking.com/w...Using_iptables
is worth the read for understanding the way a packet will traverse the iptables chains.

Well Fukawi, that's the problem I m facing.. I want to limit some MAC addresses to access the outside world rather than limiting the outer MAC's from accessing mine!!!!

And so I must use either OUTPUT chain or FORWARD chain.. Now I cant use OUTPUT chain (as its MAC).. In case of FORWARD chain, if I forward these packets to it then how will I drop it??? I mean, I would definitely have other rules which would also forward their packet to this chain so if I drop everything, it will again be a problem....

If possible, u may write the rule u r referring to..

Thanks..

you might want to look at ebtables for this instead of iptables.

Ok, firstly, MAC addresses dont transcend subnets.
So anything packets coming from the internet cant be matched by mac address..

Secondly, I really suggest looking at the flowchart and table in the link i posted above. Which accurately describes the flow of packets through the iptables chains, as well as what each chain is used for..

Thirdly, as an example, i use MAC filtering for my wireless LAN.

I then have a catch all drop policy
(note: I have my set up a little different to what i see most people use, so ive modified this for a more normal setup, but it should give the general idea.. )

This will ACCEPT any packets with a mac source as stated, on the stated ports, and drop everything else..

I can't understand what you are trying to say here...