I'll repeat ... 'networking comes before application.' Moodle is an application ... so if trying to do this with Moodle, undesired network traffic has already reached the server. If you did anything at application layer it would have to be your web service ... which serves moodle.
A huge list of allowed IP addresses in an .htaccess file IF using apache.
Yes, you know about MAC addresses and the fact they are supposed to be unique to a device ... no 2 the same on entire internet. Here again ... that's at the network layer ... not at the application layer.
Students using a smart phone could have their phone connect to local lan ... thus the IP address shown to the moodle is the same IP address as their computer would show. But, student could opt to have their smartphone connect to carrier. Different IP address.
To build such list one would have to know the IP addresses of carriers used by students and IP addresses used by students smartphones if they connected to carrier.
Attempting such things would be continuous and on-going ... maybe daily ... networking. Something automated, if one could find/create such a thing, had better work 100% of the time, or you could find yourself locked out of your own server IF the server is remotely hosted. There had better be a 2nd NIC on the server that's configured to use/respond to another iP address for your backdoor to server should the primary NIC get mis-configured.
Me thinks the only way one could use MAC address is where your entity issued tablets and laptops to students ... you could record those MAC addresses of those devices then and through contols of operating system/networking ... server or a switch that sits in front of the Moodle server ... allow only those MAC addresses access.
And why are doing this? The only content on a server that deserves that much protection is a finanical institution or something related to the national security of your nation, IMHO!!!
Best of luck!
'SoS', Ken