I have a Linux machine (my workstation). From there I can ping other local machines, let's say 192.168.1.22. Let's say I want to prohibit communication with 192.168.1.22 by its MAC address. I'm trying a simple rule:
ebtables -I INPUT -s 00:24:1d:c9:0a:27 -j DROP
But still I can ping that host. Is ebtables limited to filtering traffic only on bridge interfaces?
Yes, ebtables only acts on frames traversing bridge interfaces. You can, however, do a nice layering violation and use the -m mac --mac-source iptables option.
Whenever I'm doing anything at all complex with netfilter I keep this diagram close to hand: http://jengelh.medozas.de/images/nf-packet-flow.png
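An added example (not from the answer above): a small POSIX shell helper that checks whether an interface is a bridge via sysfs and emits whichever rule will actually match a source MAC on it. It assumes the standard `/sys/class/net/<iface>/bridge` layout (overridable through `SYSFS_NET` for testing) and that the caller applies the printed rule as root.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Assumption: bridge devices expose a "bridge" subdirectory under
# $SYSFS_NET (default /sys/class/net), as the Linux kernel does.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# is_bridge IFACE -> exit 0 if the kernel reports IFACE as a bridge
is_bridge() {
    [ -d "$SYSFS_NET/$1/bridge" ]
}

# block_mac_rule IFACE MAC -> prints the rule that will actually match.
# ebtables only sees frames crossing a bridge; on a plain interface the
# iptables mac match is the one that works. That match is only valid in
# INPUT, FORWARD and PREROUTING, because the source MAC is known only
# for incoming frames; the ping still goes out, but the reply is dropped.
block_mac_rule() {
    iface=$1
    mac=$2
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    if is_bridge "$iface"; then
        printf 'ebtables -I INPUT -i %s -s %s -j DROP\n' "$iface" "$mac"
    else
        printf 'iptables -I INPUT -i %s -m mac --mac-source %s -j DROP\n' \
            "$iface" "$mac"
    fi
}

# Usage (as root): block_mac_rule eth0 00:24:1d:c9:0a:27 | sh
```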
Thor, what you suggest is correct and is working. I just tested it.
You may need to update the routes by replacing bridged interfaces with the bridge interface itself, to make sure you're not bypassing the bridge.