I want to allow MAC address based authentication without ip address.
For that source mac address is match in PREROUTING .


ipset create macbasedusers bitmap:ip,mac range 10.104.1.0/24
ipset add macbasedusers 10.104.1.122,00:19:b9:76:b9:b8 (Currently I have add ip manually for testing).

iptables -t mangle -I PREROUTING -m set --match-set macbasedusers src,src -j ACCEPT


now in POSTROUTING this condition is not match for destination because there is no MAC address match in POSTROUTING its work on ip layer.
But my requirement is to allow flow only based on MAC ADDRESS. I want to create system in only MAC based authentication is there.


So how to match MAC ADDRESS in POSTROUTING.???

I am not sure how to accomplish this goal and I am not sure what your security requirements are, but I will caution you that MAC address is a really poor means for authentication because it is easily spoofed. Using a few commands, it is easy to query MAC addresses associated with an access point and then simply change your MAC address to one of these addresses.

If you really want to filter or allow only certain MAC addresses, why not drop all packets from non white listed MAC addresses at the input instead of trying to filter them at the output of the netfilter chain? If you look at the diagram in figure 14-1 of this link, I think you will see why mac filtering on the postrouting chain doesn't make a lot of technical sense.

1 members found this post helpful.