> if it can filter on source MAC addresses, why can't it filter on destination
> MAC addresses?

Destination MAC addresses are potentially unknown until after an ARP reply has been received. All iptables processing has already been done before an ARP request is even sent...

best regards

Patrick