RE: mac match and FORWARD chain

I think you are doing this the hard way.  This is what I do and it works
just fine (MACs altered, I control eth[0134] via physical access security,
i.e. locked room):

===============================================
-A FORWARD -i eth2 -j macchk
...
===============================================
-A macchk -m mac --mac-source 00:xx:xx:xx:8F:FD -j RETURN
...
-A macchk -m mac --mac-source 00:xx:xx:xx:8C:B6 -j RETURN
-A macchk -j logmac
===============================================
-A logmac -j LOG --log-prefix "PACKET_FROM_MAC_DROPPED "
-A logmac -j DROP
===============================================

Remove the first line of FORWARD (shown above) to remove the restrictions.

I have a program generate macchk whenever the database of allowed machines
changes.  It does this by removing the reference to macchk in the FORWARD
chain, flushing the macchk chain, rebuilding it (with the logmac reference
on the end), and it re-inserts the reference to macchk at the beginning of
FORWARD.
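
The rebuild sequence described above, as an added example that is not part of the original post or the poster's program: a shell function that validates an allow-list and prints the iptables commands in the post's order. The one-MAC-per-line input format and the sample addresses are assumptions constructed for illustration; the chain names and eth2 are taken from the post.

```shell
#!/bin/sh
# Added example: prints the commands for one rebuild of the macchk chain.
IFACE=eth2   # interface named in the post

# is_mac STRING: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_macchk_plan: read allowed MACs on stdin (one per line; blank lines
# and '#' comments ignored; this format is an assumption) and print the
# rebuild commands. Prints nothing and returns 1 if any entry is malformed,
# so a bad database export never produces a half-built chain.
build_macchk_plan() {
    macs=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # strip whitespace
        [ -z "$line" ] && continue
        if ! is_mac "$line"; then
            echo "rejecting allow-list: bad MAC '$line'" >&2
            return 1
        fi
        macs="$macs $line"
    done
    # Order follows the post: unhook, flush, rebuild, re-hook.
    echo "iptables -D FORWARD -i $IFACE -j macchk"
    echo "iptables -F macchk"
    for m in $macs; do
        echo "iptables -A macchk -m mac --mac-source $m -j RETURN"
    done
    echo "iptables -A macchk -j logmac"      # unmatched MACs: LOG then DROP
    echo "iptables -I FORWARD 1 -i $IFACE -j macchk"
}

# Constructed sample allow-list (locally administered addresses).
sample_allowlist() {
cat <<'EOF'
# constructed sample, not real hosts
02:00:00:00:8f:fd
02:00:00:00:8C:B6   # lab host
EOF
}

sample_allowlist | build_macchk_plan
```

The printed plan can be reviewed before it is run as root. Between the first and the last command the eth2 restriction is not in place, so the rebuild should be kept short.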



