# [SOLVED] iptables w/mac filtering question

## ccosse

Hi, Could someone please tell me what I'm doing wrong?  Below is my simple iptables configuration ... I'm trying to do forwarding through a homemade hotspot.  Clients connect on wlan3 and gateway to WAN is eth0.  I want to drop everyone except the indicated MAC.  But it doesn't work and I don't see why!?!?!

```
# Default policies, then the single FORWARD rule (iptables -S style output)
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
```

Thank you for any help!

EDIT: Solution (sort-of) is to add the line:

```
iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT
```

----------

## truc

> EDIT: Solution (sort-of) is to add the line:
>
> iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT

It is actually the right solution; you can skip the -s 0/0 part, add the RELATED state (think ICMP error messages, FTP...) and also start using the (new) shiny conntrack module instead of the good old state one:

```
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```
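
The reason the MAC-only rule drops the return traffic is that replies come back in on eth0 with the upstream router's MAC as their source, so they can never match a client-MAC rule; the state rule admits them instead. The following added script (not from either poster) generates a complete iptables-restore ruleset along those lines, with the conntrack rule placed first, the MAC rule restricted to the wlan3 -> eth0 direction, and a rate-limited LOG rule so dropped forwards are visible. The function names `hotspot_rules` and `valid_mac`, and the MAC addresses, are constructed for the example.

```shell
#!/bin/sh
# Added helper for this thread (not ccosse's or truc's script): prints an
# iptables-restore ruleset for the hotspot; nothing is applied to the kernel.
# Interface names and MACs below are constructed example values.
set -eu

# Accept only a canonical aa:bb:cc:dd:ee:ff MAC; anything else is rejected
# before it can become part of a rule.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# hotspot_rules LAN_IF WAN_IF MAC...  -> ruleset on stdout
# Clients attach on LAN_IF, the uplink is WAN_IF; only the listed MACs may
# open new forwarded connections.
hotspot_rules() {
    lan=$1; wan=$2; shift 2
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies arrive on WAN_IF carrying the upstream router's MAC as source,
    # so they can never satisfy a client-MAC match; conntrack admits them by
    # connection state instead. This rule goes first so every reply hits it.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # New connections: an allowed MAC, and only LAN_IF -> WAN_IF, because the
    # source MAC is only meaningful on the interface the frame came in on.
    for mac in "$@"; do
        printf '%s\n' "-A FORWARD -i $lan -o $wan -m mac --mac-source $mac -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the DROP policy discards, so unknown clients
    # and misconfigurations show up in the kernel log instead of vanishing.
    printf '%s\n' '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Example run: two allowed clients; pipe into "iptables-restore" to apply.
hotspot_rules wlan3 eth0 00:11:22:33:44:55 66:77:88:99:aa:bb
```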

----------

## ccosse

Truc, 

just posting a Thank You for responding to my post.  I've implemented your suggestions and they are working well. Thank you!

-CC
