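# Allow DHCP client traffic (UDP source port bootpc) only from the hardware
# addresses that dnsmasq already knows through its dhcp-host= entries.
#
# Caveats for whoever deploys this:
#   * A MAC address is chosen by the sender, so these rules are an allowlist
#     of known devices, not authentication of them.
#   * iptables evaluates rules in order and -A appends. Run this before the
#     catch-all REJECT for bootpc is added, otherwise the ACCEPT rules land
#     below it and never match.
#   * Re-running the loop appends the same rules again; flush or rebuild the
#     chain first if the script is run more than once.

#######################################
# Print every complete 6-octet MAC address found in the dhcp-host= lines of
# a dnsmasq configuration file, one per line, in file order.
# Only fields that are exactly xx:xx:xx:xx:xx:xx are printed, so host names,
# IP addresses, id:<client-id> values and wildcard MACs are skipped instead
# of being handed to iptables. Commented-out lines and other options that
# merely start with "dhcp-host" (for example dhcp-hostsfile=) are ignored.
# Arguments: $1 - path to the dnsmasq configuration file
# Outputs:   MAC addresses on stdout
# Returns:   awk's exit status (non-zero if the file cannot be read)
#######################################
dhcp_host_macs() {
  awk '
    BEGIN {
      # Built from a string rather than {2}/{5} intervals, which some awk
      # implementations do not support.
      hex = "[0-9A-Fa-f][0-9A-Fa-f]"
      mac = "^" hex ":" hex ":" hex ":" hex ":" hex ":" hex "$"
    }
    /^dhcp-host=/ {
      sub(/^dhcp-host=/, "")
      n = split($0, field, ",")
      # A dhcp-host line may carry several hardware addresses; check each field.
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", field[i])
        if (field[i] ~ mac) print field[i]
      }
    }
  ' "$1"
}

# Read one MAC per line so that nothing is word-split or glob-expanded on the
# way from the config file to the iptables command line.
dhcp_host_macs /etc/dnsmasq.conf | while IFS= read -r f; do
  printf '%s\n' "$f"
  iptables -A INPUT -p udp --source-port bootpc \
    -m mac --mac-source "$f" -j ACCEPT
done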


# Catch-all for DHCP client traffic: any remaining packet with UDP source port
# bootpc (68) is rejected with icmp-host-prohibited. -A appends, and iptables
# evaluates rules in order, so this must be added after the per-MAC ACCEPT
# rules; an ACCEPT appended below it would never be reached.
$ iptables -A INPUT -p udp \
--source-port bootpc -j REJECT --reject-with icmp-host-prohibited

$ iptables -nvL
....
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:F0:4D:BCE:B0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:F1:2D:EC:F1:63
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:FC:2D:1C:91:70
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:FC:2E:BC:E5:49
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:F4:8E:8C:A9:39
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:FC:2E:BC:58:6D
0 0 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:68 reject-with icmp-host-prohibited