MAC Address Filtering

One way of limiting which wireless clients can successfully communicate is to limit traffic based on the MAC address of the wireless cards. First, create a chain to hold the MAC filtering rules (place this with the other chain creation commands):

$IPTABLES -N mac_filter

Create a section in the rule file to hold the MAC address related rules. For each MAC address that should be allowed to send traffic from the wireless network, add a rule with the following syntax:

$IPTABLES -A mac_filter -i $INT_WIRELESS -m mac --mac-source 01:01:01:01:01:01 -j forward_checks

After all of those rules have been created, three final rules are needed to block everything else that is coming from the wireless network:

$IPTABLES -A mac_filter ! -i $INT_WIRELESS -j ACCEPT
$IPTABLES -A mac_filter -j LOG
$IPTABLES -A mac_filter -j DROP

To insert these MAC filtering rules into the forwarding system we need to replace the existing line:

$IPTABLES -A FORWARD -j forward_checks

with a line that jumps to the MAC filter chain:

$IPTABLES -A FORWARD -j mac_filter

The mac_filter chain will then jump to the forward_checks chain when a matching MAC is found.
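As an added example (not from the book), the following POSIX shell function generates the complete mac_filter rule set from an allow-list file with one MAC per line, validating every address before emitting anything. The IPTABLES and INT_WIRELESS defaults (iptables, wlan0) are assumptions; forward_checks is the chain the text already uses.

```shell
#!/bin/sh
# Added example, not from the book: generate the mac_filter chain from an
# allow-list file. IPTABLES and INT_WIRELESS default to assumed values; the
# forward_checks chain is the one the text already uses.
IPTABLES="${IPTABLES:-iptables}"
INT_WIRELESS="${INT_WIRELESS:-wlan0}"

# True only for a canonical MAC (six colon-separated hex pairs). A typo in the
# allow-list would silently lock a legitimate client out, so check up front.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rule set for the MACs listed in $1 (one per line; '#' comments and
# blank lines are ignored). Output is text, so it can be reviewed first and
# then applied with:  mac_filter_rules allowed.txt | sh
# Returns 1 and prints nothing to stdout if any entry is malformed.
mac_filter_rules() {
    allowlist="$1"
    while read -r mac rest; do
        case "$mac" in ''|\#*) continue ;; esac
        valid_mac "$mac" || { echo "malformed MAC: $mac" >&2; return 1; }
    done < "$allowlist"

    echo "$IPTABLES -N mac_filter"
    while read -r mac rest; do
        case "$mac" in ''|\#*) continue ;; esac
        echo "$IPTABLES -A mac_filter -i $INT_WIRELESS -m mac --mac-source $mac -j forward_checks"
    done < "$allowlist"
    # Traffic that did not arrive on the wireless interface is accepted here,
    # as in the book; within this chain it therefore never reaches
    # forward_checks. Everything else from the wireless side is logged, then
    # dropped.
    echo "$IPTABLES -A mac_filter ! -i $INT_WIRELESS -j ACCEPT"
    echo "$IPTABLES -A mac_filter -j LOG --log-prefix \"mac_filter: \""
    echo "$IPTABLES -A mac_filter -j DROP"
    # Replaces the rule file's '$IPTABLES -A FORWARD -j forward_checks' line.
    echo "$IPTABLES -A FORWARD -j mac_filter"
}

if [ $# -gt 0 ]; then mac_filter_rules "$1"; fi
```

Running it with `IPTABLES="echo iptables"` gives a dry run that shows the commands without touching the live rule set.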

Filtering based on MAC addresses is not a perfect security solution. It is very easy to change the MAC address of a wireless card. An attacker can snoop the traffic on the wireless network, learn what MAC addresses are being used successfully, and then change her card to use the discovered MAC. Maintaining the list of allowed MAC addresses for anything but a small network can quickly become overwhelming as well.
