NAT mac filter
After you'll have the nat set up and running, you'll probably want to restrict users to their ip/mac.
There are 2 types of firewalls:
1) ACCEPT everything and drop whatever you want
2) DROP everything and accept whatever you want
I'm going to use the latter because who knows what rule I might forget to DROP.
1) SET DROP as being implicit
iptables -P FORWARD DROP
2) You want to accept related and established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3) Allow NEW connections only from who you know/want
iptables -A FORWARD -m state --state NEW -s 192.168.10.2/32 -m mac --mac-source 00:C0:CA:22:95:D3 -j ACCEPT
4) THE END. Enjoy.