Source MAC

iptables -A INPUT --match mac --mac-source 12:E4:86:FA:5C:54 -j ACCEPT

Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

This option is very useful for protection against man-in-the-middle attacks, because it can be combined with the --source option to tie a source IP address to a source MAC address, and so provide protection against ARP spoofing.
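
The combination described above, as an added example that is not part of the original page: a small generator that prints one ACCEPT rule per IP/MAC binding followed by a DROP for the same IP arriving with any other MAC. The function names and the binding list are assumptions made for illustration, and the example is limited to the filter table's INPUT and FORWARD chains.

```shell
#!/bin/sh
# Added example: emit iptables rules that bind a source IP to a source MAC.
# Nothing is applied; the rules are only printed so they can be reviewed.

# Succeeds only for the XX:XX:XX:XX:XX:XX form the mac match requires.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# bind_rules CHAIN IP MAC  (hypothetical helper)
# Prints two rules, in the order they must be appended:
#   1. accept IP only when the frame carries the expected MAC
#   2. drop the same IP when it arrives with any other MAC
bind_rules() {
    chain=$1 ip=$2 mac=$3
    case $chain in
        INPUT|FORWARD) ;;   # filter-table chains where the mac match applies
        *) echo "mac match not usable in chain: $chain" >&2; return 1 ;;
    esac
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    echo "iptables -A $chain --source $ip --match mac --mac-source $mac -j ACCEPT"
    echo "iptables -A $chain --source $ip -j DROP"
}

# Constructed sample bindings, one "IP MAC" pair per line.
# 192.0.2.0/24 is a documentation range; the second MAC is made up.
print_sample() {
    while read -r ip mac; do
        bind_rules INPUT "$ip" "$mac" || return 1
    done <<'EOF'
192.0.2.1 12:E4:86:FA:5C:54
192.0.2.10 02:00:00:AA:BB:01
EOF
}

print_sample
```

The match compares the MAC in the Ethernet header, which a host on the same segment can set itself, so treat the binding as one layer of defence rather than proof of identity.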