# IPSet + IPtables MAC Address filter

## JujuBickoille

Hello everybody,

I want to make a filter on my network with MAC addresses.

I have 2 ways:

```
iptables -t filter -A INPUT -i ${WIFI_IFACE}  -m mac  ! --mac 00:17:00:AA:00:AA -j DROP
```

It's nice and it works, but I want to use ipset with macipmap, because I think it's better when you have multiple MACs to filter, so I've made this:

```
# Flush time
iptables -t filter -F
ipset -X grantedmac

# Add my allowed mac
ipset -N grantedmac bitmap:ip,mac --network 192.168.1.0/24
ipset add lan_clients 192.168.1.12,00:17:00:AA:00:AA

# Filter other
iptables -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src -j LOG --log-prefix "Not Granted MAC "
```

It seems to be easy, but it doesn't work:

When I try to connect with my granted computer, I get the message. If I connect with an ungranted one, I get the same message:

```
[  997.157185] Not Granted MAC  IN=wlan0 OUT= MAC=00:17:00:aa:00:aa:00:41:f4:8b:0e:53:08:00 SRC=192.168.1.12 DST=192.168.1.4 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=65149 DF PROTO=TCP SPT=22 DPT=36719 WINDOW=384 RES=0x00 ACK PSH URGP=0 
```

I don't know where I'm wrong; maybe someone has ideas.

Thank you so much in advance

Best regards

JujuBickoille

----------

## Bones McCracker

You are adding your data to some ipset named "lan_clients", but the ipset you are matching against is named "grantedmac".

----------

## JujuBickoille

Okay, I've found why it doesn't work:

```
${IPTABLES} -t filter -A INPUT -i ${WIFI_IFACE} -m set ! --match-set grantedmac src,src -j LOG --log-prefix "FORBIDDEN MAC "
```

You need to set "src,src" in place of "src" only.

----------
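The two problems raised in this thread (the set being filled under a different name than the one matched, and a one-dimensional `src` flag used against a two-dimensional `bitmap:ip,mac` set) are easy to reproduce because nothing checks the rules before they reach the kernel. The script below is an added example, not code from the thread: it generates the ipset and iptables commands from one set name so the two cannot drift apart, validates every `ip,mac` entry first, always emits `src,src` for the two-dimensional set, and parses the `MAC=` field of a kernel LOG line to show which station was refused. It uses the ipset 6 `create ... range` syntax rather than the `--network` form in the thread; the set name, interface and addresses are constructed sample values, and the commands are printed rather than executed so the script can be reviewed before being applied with root privileges.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds the ipset/iptables commands
# for a bitmap:ip,mac allow-list in the ipset 6 syntax ("range" instead of the
# "--network" form used in the thread), validates each ip,mac entry first, and
# pulls the source MAC out of a kernel LOG line. Set name, interface and
# addresses below are constructed sample values.

# Accept "A.B.C.D,xx:xx:xx:xx:xx:xx"; reject anything else before it reaches ipset.
valid_entry() {
  printf '%s' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3},([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules SETNAME IFACE NETWORK ENTRY... : print the commands, do not run them.
# One set name is used for create, add and match, so they cannot get out of sync.
gen_rules() {
  set_name=$1; iface=$2; network=$3; shift 3
  echo "ipset -exist create $set_name bitmap:ip,mac range $network"
  echo "ipset flush $set_name"
  for entry in "$@"; do
    valid_entry "$entry" || { echo "gen_rules: bad entry '$entry'" >&2; return 1; }
    echo "ipset -exist add $set_name $entry"
  done
  # bitmap:ip,mac has two dimensions (ip, mac), so the set match needs one
  # flag per dimension: src,src = source IP and source MAC of the packet.
  # Plain "src" only covers the first dimension, which is what broke the
  # original rule.
  match="-i $iface -m set ! --match-set $set_name src,src"
  echo "iptables -t filter -A INPUT $match -j LOG --log-prefix \"FORBIDDEN MAC \""
  echo "iptables -t filter -A INPUT $match -j DROP"
}

# The MAC= field of a kernel LOG line is the raw link-layer header:
# destination MAC (6 octets), source MAC (6 octets), ethertype (2 octets).
# log_src_mac LINE prints the source MAC, i.e. the station that was refused.
log_src_mac() {
  printf '%s\n' "$1" |
    sed -nE 's/.*MAC=([0-9a-f]{2}:){6}(([0-9a-f]{2}:){5}[0-9a-f]{2}):.*/\2/p'
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  gen_rules grantedmac wlan0 192.168.1.0/24 \
    "192.168.1.12,00:17:00:AA:00:AA" "192.168.1.13,00:17:00:BB:00:BB"
  # Constructed log line in the same layout as the one in the thread.
  log_src_mac "[  997.157185] FORBIDDEN MAC  IN=wlan0 OUT= MAC=00:17:00:aa:00:aa:00:41:f4:8b:0e:53:08:00 SRC=192.168.1.12 DST=192.168.1.4"
fi
```

Pipe the output of `gen_rules` into `sh` only after reading it; keeping the LOG rule ahead of the DROP rule means every refused station still shows up in the kernel log, where `log_src_mac` can be run over the lines to see which MAC was actually rejected.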

