  1. #1 (Just Joined! | Join Date: Oct 2010 | Posts: 3)

    iptables open port by MAC address

    I have a DSL account with changing IP addresses, so I want to use the MAC filtering for allowing access only to my MAC address.

    I want to block access to 3306 mysql on the server for all except myself:


    Code:
    iptables -A INPUT -p tcp --destination-port 3306 -j DROP
    iptables -I INPUT -i eth0 -p tcp --destination-port 3306 -m mac --mac-source 00:30:1b:bd:76:c8 -j ACCEPT
    NOTE: I don't want to block everything as a rule.

    iptables -L -v output on the server:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:mysql MAC 00:30:1B:BD:76:C8
    DROP tcp -- anywhere anywhere tcp dpt:mysql

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    But access to mysql fails now (it worked before without iptables rules):

    ubuntu$ mysql -h xxxxxx -u root
    ERROR 2003 (HY000): Can't connect to MySQL server on 'xxxxxx' (110)

    Any ideas what is wrong, or alternative ways of achieving this?

  2. #2 (Just Joined! | Join Date: Mar 2011 | Location: Birmingham, UK | Posts: 13)
    This will only work if the client connects directly to the server, i.e. with no routers in between, because only then will the MAC address of the packets arriving at the server be the MAC address of the sending client. As soon as there are routers in between, the server will see the MAC address of the last router.

    Read up on IP networking.
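The point made in the reply above can be checked before writing an `-m mac` rule: the source MAC that iptables sees is only the client's own MAC when the client sits on the same IPv4 subnet as the server interface; a client reached through any router arrives with the last-hop router's MAC and the rule never matches it. The script below is an added example, not code from the thread or from any of its posters. It works purely on addresses you pass in (the sample addresses are constructed), so it runs offline; the function names `ip_to_int`, `netmask_int`, `same_subnet` and `mac_filter_usable` are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide whether a client's real MAC
# address can ever reach the server's iptables "-m mac --mac-source" match.
# The MAC survives only on the client's own link (same subnet, no router in
# between); across a router the server sees the router's MAC instead.

# ip_to_int 192.168.1.10  -> 3232235786   (dotted quad to 32-bit integer)
# Octets must be plain decimal; a leading zero would be read as octal by $(( )).
ip_to_int() {
    printf '%s\n' "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# netmask_int 24 -> 4294967040   (prefix length to integer netmask)
netmask_int() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# same_subnet A B PREFIX -> exit status 0 when A and B share the /PREFIX network
same_subnet() {
    a=$(ip_to_int "$1")
    b=$(ip_to_int "$2")
    m=$(netmask_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# mac_filter_usable SERVER_IP PREFIX CLIENT_IP -> prints "on-link" or "routed"
# "on-link": a --mac-source rule can see the client's MAC.
# "routed":  the server only sees the last router's MAC; the rule cannot help.
mac_filter_usable() {
    if same_subnet "$1" "$3" "$2"; then
        echo on-link
    else
        echo routed
    fi
}

# Constructed sample: a server on 203.0.113.10/24 and a DSL client on a
# public address elsewhere (the situation in the question), then a LAN client.
echo "DSL client 198.51.100.77: $(mac_filter_usable 203.0.113.10 24 198.51.100.77)"
echo "LAN client 203.0.113.42:  $(mac_filter_usable 203.0.113.10 24 203.0.113.42)"
```

Running it prints `routed` for the DSL client and `on-link` for the LAN client, which is why the DROP rule in the question matches while the ACCEPT rule never does. Even for on-link clients, a source MAC is a layer-2 field that any host on that segment can set freely, so it is a convenience filter rather than an authentication control.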
