Posted: Sat May 03, 2014 16:55 Post subject: Access restrictions on multiple VLAN with iptables ?
Hello,
I've got a home wifi and a guest wifi on an Asus RT-N16 running kong 22000+. I'm trying to block internet access on both VLANs for three specific MAC addresses for a specific range of time (between 10pm and 7am).
Using the web GUI, I set up access restrictions and they work, but only on the home wifi. If the computer connects to the guest wifi, its MAC address doesn't get stopped. That's the problem right here, as the web GUI only seems to work on the main home network.
I've tried doing it manually with:
iptables -t nat -I PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
and it works, but it blocks LAN access as well, not just the internet... (I can use a cron job later to turn that rule on and off -- I'm just trying to get the rule working)
If I change -j DROP to -j REJECT, it blocks nothing (doesn't even show in iptables -vnL). If I add -d $(nvram get wan_ipaddr) it doesn't work (it does show up in iptables -vnL, but with a different IP destination than my actual WAN address).
If I try:
iptables -I INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
it blocks nothing at all.
Hmmm... This is interesting. When I said it wasn't working, I was already connected to the wifi with the machine I'm trying to block and typing "test" in google to see if the page loaded.
I disconnected and tried to reconnect to the wifi, and it refused to hand out an IP address. It would seem that
iptables -t nat -I PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
blocks the DHCP server from handing out an IP address. I deleted that rule and it connected.
How do I stop internet traffic if the machine is already connected to the wifi?
I have also been trying to configure my RT-AC66U (with the latest Kong build) to set a schedule for when my kids are allowed access to the internet.
I am a complete novice, so I am using the GUI Access Policy.
To me it also seems like already established connections will remain, and not be disconnected.
I just tried to add a scheduled reboot; assuming that this will force a disconnection and then not allow for the blocked MAC addresses to reconnect...
Not a very elegant solution... even so it might be a novice / poor man's workaround....
Disabled all GUI access restrictions. Then I made two scripts, one called "off" that puts in iptables rules that turn off internet access and the other called "on" that deletes those rules. Then I told CRON to run them at specific times.
off script: (one iptables rule per mac address)
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
on script: (one iptables rule per mac address)
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
The FORWARD chain seems to be what I wanted: no internet access but I can still ping the local network. It also intercepts all traffic on any wifi network.
I called these scripts with cron in the GUI (Administration -> cron additional jobs):
30 6 * * * root /opt/custom_config/scripts/on
30 21 * * 0-4 root /opt/custom_config/scripts/off
30 22 * * 5,6 root /opt/custom_config/scripts/off
Translated: turns on internet access at 6:30am every day, and turns it off at 9:30pm (Sunday to Thursday) and at 10:30pm (Friday, Saturday).
Now, if only I could redirect people to a splash page instead of just dropping the packet... It would be a whole lot more elegant! I'm trying to use lighttpd and iptables rules (in the nat PREROUTING chain) to redirect traffic, but with mixed success.
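A combined version of the two scripts above, added here as an example and not code from the post or from DD-WRT: it keeps the per-MAC DROP rules in a chain of their own so the cron runs stay idempotent, and checks each address before handing it to iptables. The chain name NIGHT_BLOCK, the IPT override and the placeholder MACs are assumptions; the cron entries above would call it as `.../scripts/block off` and `.../scripts/block on`.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: one script replacing
# the separate "on" and "off" scripts. The per-MAC DROP rules live in their own
# chain hooked into FORWARD, so running "off" twice cannot stack duplicates
# (which -D would then remove one at a time) and "on" clears them in one step.
IPT="${IPT:-iptables}"                 # set IPT=echo to dry-run without a router
CHAIN="${CHAIN:-NIGHT_BLOCK}"          # assumed chain name
H='[0-9a-fA-F][0-9a-fA-F]'             # one hex octet, for the MAC check
# Constructed placeholder MACs; put the real addresses here, space separated.
MACS="${MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

# Exit 0 only for a well-formed aa:bb:cc:dd:ee:ff address, so a typo is
# reported here rather than by iptables when cron fires at 9:30pm.
valid_mac() {
    case "$1" in $H:$H:$H:$H:$H:$H) return 0 ;; esac
    return 1
}

# Create the chain if needed and make sure FORWARD jumps to it exactly once,
# at the top, so even already-established flows of a blocked MAC are dropped.
ensure_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true          # harmless if it exists
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD -j "$CHAIN"
}

# "off": rebuild the chain from scratch with one DROP rule per valid MAC.
# Traffic switched inside a LAN bridge is normally not seen by FORWARD, which
# is why local pings still work as observed in the post above.
block_macs() {
    ensure_chain
    $IPT -F "$CHAIN"
    for mac in $MACS; do
        if valid_mac "$mac"; then
            $IPT -A "$CHAIN" -m mac --mac-source "$mac" -j DROP
        else
            echo "skipping malformed MAC '$mac'" >&2
        fi
    done
}

# "on": flush the chain and unhook it from FORWARD.
unblock_macs() {
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
}

case "${1:-}" in
    off) block_macs ;;
    on)  unblock_macs ;;
esac
```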
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Mon May 05, 2014 8:41 Post subject:
raph321 wrote:
The FORWARD chain seems to be what I wanted: no internet access but I can still ping the local network. It also intercepts all traffic on any wifi network.
If you want to block someone by MAC, why don't you do it on the layer 2 level with ebtables?
It is before layer3 and iptables...
off script: (one iptables rule per mac address)
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
on script: (one iptables rule per mac address)
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
I'm apparently having some very basic problems understanding scripting... I feel like a total helpless idiot, not being able to figure this out...
I have created the proposed on script.. and in order to test it... I try to run the script by typing: sh on
I then just get the error message:
'ad argument '
However if I simply paste the command
iptables -D FORWARD -m mac --mac-source F0:F6:1C:AB:38:6A -j DROP
into the CLI it seems to be accepted...
It probably is something very simple and stupid that I am doing wrong... but I cannot for my bare life figure it out....
Hopefully this helps someone!
Sure did help me... (after getting around my NUB problems..)
Thanks a lot