How to block unmatched IP and MAC Address using iptables
In a Local Area Network (LAN), you sometimes need to apply different access policies based on IP address. For example, only specific IP addresses can access the web, email, FTP, Facebook and so forth. Others will be dropped.
For this policy to work properly, the clients must use fixed/static IP addresses.
But it often happens that one or more naughty clients try to change their IP address to get more access.
As a system administrator, you will not want this to happen.
We can prevent the use of an unauthorized IP address with iptables. The approach is to block any IP address and MAC address combination that does not match. Below is a sample iptables rule:
iptables -A INPUT -s 172.16.0.233 -i eth0 -m mac ! --mac-source 00:1A:92:CB:E1:80 -j DROP
The iptables rule above blocks any use of IP address 172.16.0.233 that does not match the MAC address specified in the --mac-source option. Change 'eth0' to the Ethernet interface that faces your internal LAN.
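The same rule generated for a whole table of clients, as an added example that is not part of the original post; it also emits each rule for the FORWARD chain, because INPUT only sees packets addressed to the firewall host itself while traffic routed through it to other networks traverses FORWARD. The interface name, the extra table entries and the helper names valid_ip, valid_mac and gen_rules are assumptions made for this example; the script only prints the commands.

```shell
#!/bin/sh
# Added example: print one IP/MAC binding rule per client from a table.
# LAN_IF, BINDINGS and the function names are assumptions for this example.

LAN_IF="eth0"   # interface facing the internal LAN

# Constructed sample table, one "IP MAC" pair per line.
# The first pair is the one from the post; the last two are deliberately bad.
BINDINGS="172.16.0.233 00:1A:92:CB:E1:80
172.16.0.234 00:1A:92:CB:E1:81
172.16.0.999 00:1A:92:CB:E1:82
172.16.0.235 00:1A:92:CB:E1"

valid_ip() {
    # Four dot-separated decimal octets, each in the range 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_mac() {
    # Six colon-separated hex byte pairs.
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

gen_rules() {
    # $1 = chain name; the table is read from stdin.
    chain="$1"
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        if valid_ip "$ip" && valid_mac "$mac"; then
            # Drop packets that claim this IP but come from another MAC.
            echo "iptables -A $chain -s $ip -i $LAN_IF -m mac ! --mac-source $mac -j DROP"
        else
            # A malformed entry would make iptables fail, so skip it loudly.
            echo "skipped invalid entry: $ip $mac" >&2
        fi
    done
}

# Print the rules for review instead of applying them.
for chain in INPUT FORWARD; do
    echo "$BINDINGS" | gen_rules "$chain"
done
```
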

