Okay, this is painful. Let's get a few things straight.
1. MAC Addresses are unique to a single NIC: TRUE.
2. MAC Addresses are necessarily unique to communications from a single machine: FALSE.
3. IP Addresses cannot be spoofed or manipulated: FALSE.
Look, if you want to implement a whitelist you need to recognize that it's not an absolute defense. Smart people (or skids who know how to find a couple of handy tools which will remain unnamed) can get around whatever you build. If you can keep out 99.9% of attackers, that's a good day.
To feed hungry's laser focus on implementation, I suggest the following: Write a short addition to your firewall or other interposing device (Heck, even FL Server if it has a means to do this) which matches sha1(concat([User's IP], [User's MAC], [User's FL Account ID])) against a value stored in the whitelist implementation of your choice (I hope you have a pretty badass firewall.)
And that'd work pretty well, but the big failure point is that new users would have to apply for admission to the server. No doubt this would have severe ramifications for the playerbase size. But hey, at least everybody online would be a Diehard FL RP fan, right?