iptables, allow access from certain MAC addresses

Solution 1:

Iptables has a mac module. You can use it like this:

/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

nixCraft has an extensive guide on how to create filter rules based on mac addresses.

But this only works on the same network, as MAC addressing is link-layer specific and won't get forwarded when using routing. So, as long as the devices are on different networks that need routing, this won't work.
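
A fuller version of the same idea, added here as an example and not part of the original answer: a POSIX shell script that validates each MAC address, builds a dedicated chain with the mac module, and attaches it only to one LAN interface (eth0 is an assumed name, the addresses are constructed). By default it prints the rules instead of applying them, so the output can be reviewed without root.

```shell
#!/bin/sh
# Allow new inbound connections on one LAN interface only from a short list
# of MAC addresses and drop the rest. The mac match sees only the frame's
# source address, so this is meaningful solely for hosts on the same link.
#
# Rules are printed rather than applied by default; set
# IPTABLES=/sbin/iptables (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Return 0 if $1 is a colon-separated MAC address, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_allow_rules IFACE MAC... : emit (or apply) the allowlist ruleset.
# Malformed addresses are reported on stderr and skipped, so a typo cannot
# silently become a rule that matches nothing.
mac_allow_rules() {
    iface="$1"; shift
    [ -n "$iface" ] || { echo "usage: mac_allow_rules IFACE MAC..." >&2; return 2; }
    # Dedicated chain so the allowlist can be flushed and rebuilt on its own.
    $IPTABLES -N MAC_ALLOW 2>/dev/null
    $IPTABLES -F MAC_ALLOW
    accepted=0
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        $IPTABLES -A MAC_ALLOW -m mac --mac-source "$mac" -j ACCEPT
        accepted=$((accepted + 1))
    done
    # Anything else arriving on this interface as a new connection is dropped.
    $IPTABLES -A MAC_ALLOW -j DROP
    # Only NEW connections on the LAN interface go through the allowlist;
    # replies to established flows are handled by the usual conntrack rule.
    $IPTABLES -A INPUT -i "$iface" -m conntrack --ctstate NEW -j MAC_ALLOW
    echo "allowlisted $accepted address(es) on $iface" >&2
}

# Sample run with constructed addresses; eth0 is an assumed interface name.
mac_allow_rules eth0 00:0F:EA:91:04:08 00:1A:2B:3C:4D:5E not-a-mac
```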

Solution 2:

You can't do this because MAC addresses aren't available to you for connections that have traversed the internet.

To do what you want it would be much safer to set up a VPN and only allow connections via that to your critical infrastructure. If you can't do that then you could try setting up some sort of two factor authentication.

If you really are stuck with just iptables then you may get by with port knocking. There appears to be a fairly good tutorial on this in the Arch Linux wiki but heed the warning and don't use the example ports/sequence in your environment.

A combination of the above techniques would be even better.