LinuxQuestions.org


wademac 08-16-2011 11:38 AM

using iptables to reject mac address
 
Hello LQ,

I would like to block all traffic to a server by MAC address and only allow access by one MAC address. I understand MAC addresses can be spoofed, but would something like the below do the trick:

iptables -A INPUT -i eth0 -m mac --mac-source 00:17:A4:A0:AA:AA -j ACCEPT

iptables -A INPUT -i eth0 -j REJECT

acid_kewpie 08-16-2011 11:45 AM

Blocking by MAC is typically a sign of bad network design (why are there servers you don't trust connected to the same subnet?) or a misunderstanding of the role of layer 3 routers (MAC addresses do not pass through them; it is changed to the router's MAC when it hits it).

But if either of those are not relevant it looks fine to me.

wademac 08-16-2011 11:55 AM

This is fine within the same subnet, but if it is routed outside that, the MAC address of the router is used, correct?

acid_kewpie 08-16-2011 12:00 PM

Yep. MAC is layer 2 data so does not leave the subnet.
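
Added example, not part of any post in this thread: a POSIX shell check that tells you, for a given client IP, whether an `-m mac --mac-source` rule on the server compares against the client's own MAC or the last-hop router's MAC. The function names, the subnet and the client addresses are constructed for illustration, and the check assumes plain routing (no bridging or proxy ARP between the subnets).

```sh
#!/bin/sh
# Added example (hypothetical helper names, constructed sample addresses).

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    ip_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ip_old_ifs
    [ "$#" -eq 4 ] || return 1
    for ip_o in "$@"; do
        # reject empty octets, more than 3 digits, and leading zeros (octal)
        case "$ip_o" in ''|????*|0?*) return 1 ;; esac
        [ "$ip_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if IP $1 is inside CIDR $2, 1 if outside, 2 on bad input.
on_link() {
    ol_ip=$(ip_to_int "$1") || return 2
    ol_net=$(ip_to_int "${2%/*}") || return 2
    ol_len=${2#*/}
    case "$ol_len" in ''|*[!0-9]*|0?*) return 2 ;; esac
    [ "$ol_len" -le 32 ] || return 2
    ol_mask=$(( (4294967295 << (32 - ol_len)) & 4294967295 ))
    [ $(( ol_ip & ol_mask )) -eq $(( ol_net & ol_mask )) ]
}

# Print whose source MAC the server's mac-match rule sees for client $1,
# given the subnet $2 configured on the filtered interface.
mac_seen_for() {
    on_link "$1" "$2" && ms_rc=0 || ms_rc=$?
    case "$ms_rc" in
        0) echo "client" ;;  # same L2 segment: frame carries the client's MAC
        1) echo "router" ;;  # routed: frame carries the last-hop router's MAC
        *) echo "invalid"; return 2 ;;
    esac
}

# Constructed sample: server interface in 192.0.2.0/24.
for client in 192.0.2.10 198.51.100.7; do
    echo "$client: rule compares against the $(mac_seen_for "$client" 192.0.2.0/24)'s MAC"
done
```

A "router" result means the MAC allow-list cannot distinguish that client from anything else arriving through the same router.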

wademac 08-16-2011 12:11 PM

If I had another machine on a different subnet, or even outside with a dynamic IP address, what would you suggest to secure its access to this "somewhat locked" machine?

acid_kewpie 08-17-2011 02:20 AM

You've said nothing useful at all about what secure access means here. Maybe some mutual SSL requirements, or insist on access via SSH tunnels using preshared key.

