
I use MAC address filtering on my Linux router. Here is what I have done:

iptables -A INPUT -i eth5 -m mac --mac-source 00:07:e9:84:2b:99 -j RETURN #User: Someuser
iptables -A INPUT -i eth5 -j DROP

But the iptables rule list is huge, with more than 400 entries. Recently I read about the advantages of using ipset with iptables here. But nowhere have I found any howtos about doing the same thing with MAC filtering. So how can I use ipset for MAC filtering in order to reduce the size of the iptables rule table?

nixnotwin

1 Answer


Basically something like this, but you have to associate an IP with a MAC; pure MAC sets do not seem to exist:

# ipset --create test macipmap --network 10.0.0.0/16
# ipset --add test 10.0.0.1,00:11:22:33:44:55
# iptables -A INPUT -i eth5 -m set --match-set test src -j ACCEPT

Here, you see the content of the map and the reference-counter indicating an iptables rule referencing this set:

# ipset -L test
Name: test
Type: macipmap
References: 1
Header: from: 10.0.0.0 to: 10.0.255.255
Members:
10.0.0.1,00:11:22:33:44:55

There are some things to consider:

  • That type of set is technically restricted to 64k consecutive addresses (not sure whether they have to be "subnet-aligned"), found it here
  • Your kernel has to support ipset; most common standard distribution kernels unfortunately do not
  • You could set static ARP alternatively
  • MAC addresses can be spoofed easily
Michuelnik
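The following script is an added worked example and is not part of the question or the answer above. It turns the answer's approach into a repeatable load: a MAC allow-list (constructed sample data, not real hosts) is converted into ipset commands, and the 400 per-MAC rules collapse into one `-m set` rule plus the DROP. Assumptions that are mine rather than the page's: ipset 6 command syntax, where the answer's `macipmap` type (shown with ipset 4 `--create` syntax) is called `bitmap:ip,mac`; a hypothetical set name `allowed_hosts`; the LAN on eth5 inside 10.0.0.0/16 as in the answer; and `-m set --match-set ... src,src`, the two-flag form an ip,mac set needs (first flag for the IP, second for the MAC). Later ipset 6 releases also added a `hash:mac` type that needs no IP at all, which removes the IP-to-MAC coupling the answer mentions; the caveat that a MAC match is trivially spoofable applies to either type.

```shell
#!/bin/sh
# Added example (not code from the original answer): build ipset/iptables
# commands from a MAC allow-list so that one set replaces hundreds of rules.
# Assumptions (mine): ipset 6 syntax, set type bitmap:ip,mac (the ipset 6
# name for macipmap), hypothetical set name allowed_hosts, LAN on eth5 in
# 10.0.0.0/16, allow-list lines of the form "<ip> <mac> <comment...>".

SET_NAME="allowed_hosts"
LAN_IF="eth5"
LAN_RANGE="10.0.0.0/16"

# Validate a MAC address: six colon-separated hex pairs. Exit status is the result.
is_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read "ip mac comment..." lines on stdin and print the ipset commands that
# create the set and populate it. Malformed MACs are reported on stderr and
# skipped, so a typo cannot silently turn into an entry that never matches.
# "-exist" makes a re-run idempotent instead of failing on duplicates.
gen_ipset_commands() {
    printf 'ipset create %s bitmap:ip,mac range %s -exist\n' "$SET_NAME" "$LAN_RANGE"
    while read -r ip mac comment; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if ! is_mac "$mac"; then
            printf 'skipping %s (%s): bad MAC "%s"\n' "$ip" "$comment" "$mac" >&2
            continue
        fi
        printf 'ipset add %s %s,%s -exist\n' "$SET_NAME" "$ip" "$mac"
    done
    return 0
}

# Print the two iptables rules that replace the per-MAC RETURN/DROP list.
# "src,src": match the packet's source IP and source MAC against the set.
gen_iptables_rules() {
    printf 'iptables -A INPUT -i %s -m set --match-set %s src,src -j ACCEPT\n' "$LAN_IF" "$SET_NAME"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$LAN_IF"
}

# Constructed sample allow-list (not real hosts); the last line is deliberately
# broken to show the validation path.
SAMPLE_ALLOWLIST='# ip            mac                 user
10.0.0.1        00:07:e9:84:2b:99   Someuser
10.0.0.2        00:11:22:33:44:55   otheruser
10.0.0.3        not-a-mac           broken-entry'

# Stand-alone run: nothing here touches the kernel. Review the output, then
# pipe it into "sh" as root on the router (or feed the add lines to
# "ipset restore" for a large list) to apply it.
printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_ipset_commands
gen_iptables_rules
```

Because the rules reference the set by name, the allow-list can be reloaded with `ipset add`/`ipset del` (or built into a second set and swapped in with `ipset swap`) without touching iptables again; only the set contents change, not the rule count.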