Debian – Blacklisting MAC addresses, but they still take a DHCP lease

Tags: debian, isc-dhcp

At my workplace, we have a Public Wifi network, as well as our Private Wifi network. The Private side has access to see other computers, the printers, servers, and access to the Internet. On the Public side, the users need to authenticate with a captive portal with a username/password combo from our server (for our staff's personal devices only).

The key has been leaked long before I came to this job, and I have most things cleaned up. I have scripts (written by other team members, not myself!) that go through the DHCP leases on Debian Wheezy, and spit out the manufacturer, the DNS name, IP Address, and the MAC address of all the devices the DHCP server interacts with. With these scripts, I can create a blacklist of MAC addresses and iptables blocks them for me. I update /etc/blacklist.txt, and when iptables starts, it executes iptables -A INPUT $if -m mac --mac-source $i -j DROP (with $i being read from the file).

This will prevent their device from connecting to our network resources, and to the Internet. Unfortunately, it does not take effect until after the device has gotten an IP address from isc-dhcp-server. So, my issue is, how can I prevent them from even getting an IP address assigned to them? Yes, I know they could just assign themselves a static IP address and bypass the DHCP server, but I still want iptables to block them, based on their (hopefully non-changing) MAC address. Yes, I know I could increase the range on my DHCP server, but I want management to realize the struggle with managing the privately-owned devices taking up our work resources by connecting and bypassing our captive portal.

One solution (well, partial) that someone thought up was to create a blackhole class in my /etc/dhcp/dhcpd.conf file, and fill it with the MAC addresses of the devices I don't want connecting. This would work, but requires updating the MAC addresses in multiple places, which I don't want. I want to be able to update the MACs in one file, and then possibly run a script that will add the changes to my DHCP file, and my iptables rules.

Best Answer

Use ebtables instead of iptables to block MAC addresses at layer 2:

ebtables -A INPUT -s 00:11:22:33:44:55 -j DROP
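One way to drive both the dhcpd "blackhole" class and the layer-2 drop rules from the single /etc/blacklist.txt the question asks for, as an added example that is not the asker's script or the answerer's code. It assumes one MAC per line with optional `#` comments, and relies on ISC dhcpd's `class`/`subclass` syntax; the output paths are placeholders. Lines that are not a well-formed MAC are dropped rather than spliced into the config or a firewall command.

```shell
#!/bin/sh
# Generate dhcpd blackhole subclasses and ebtables DROP rules from ONE
# blacklist file (assumed format: one MAC per line, '#' starts a comment).
BLACKLIST="${BLACKLIST:-/etc/blacklist.txt}"   # placeholder path

# Emit only well-formed, lower-cased, de-duplicated MACs. Anything else is
# silently skipped so a stray line can never break dhcpd.conf or be passed
# to a shell command.
valid_macs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | tr 'A-F' 'a-f' \
    | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
    | sort -u
}

# dhcpd.conf fragment. Wire it in with:  include "/etc/dhcp/blackhole.conf";
# and, inside the pool:                  deny members of "blackhole";
# The "1:" prefix is the Ethernet hardware type dhcpd expects for 'match hardware'.
dhcp_blackhole() {
    echo 'class "blackhole" {'
    echo '    match hardware;'
    echo '}'
    valid_macs "$1" | while read -r mac; do
        printf 'subclass "blackhole" 1:%s;\n' "$mac"
    done
}

# Layer-2 drop rules, as in the accepted answer (the asker's equivalent is
# iptables -A INPUT -m mac --mac-source "$mac" -j DROP). Printed, not run,
# so the output can be reviewed or fed to the firewall init hook.
fw_rules() {
    valid_macs "$1" | while read -r mac; do
        printf 'ebtables -A INPUT -s %s -j DROP\n' "$mac"
    done
}

# Stand-alone run against a constructed sample blacklist; point BLACKLIST
# at the real file and call the two generators from the dhcpd/iptables hooks.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample blacklist' '00:11:22:33:44:55' \
        'AA:BB:CC:DD:EE:FF  # mixed case' 'not-a-mac' > "$tmp"
    dhcp_blackhole "$tmp"
    fw_rules "$tmp"
    rm -f "$tmp"
}
demo
```

Regenerating both fragments from the same file on each change means the DHCP deny list and the firewall rules cannot drift apart.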