Access restrictions on multiple VLANs with iptables?

DD-WRT Forum Index -> Advanced Networking
raph321
DD-WRT Novice


Joined: 20 Jan 2014
Posts: 29

PostPosted: Sat May 03, 2014 16:55    Post subject: Access restrictions on multiple VLANs with iptables?
Hello,

I've got a home wifi and a guest wifi on an Asus RT-N16 running Kong 22000+. I'm trying to block internet access on both VLANs for three specific MAC addresses for a specific range of time (between 10pm and 7am).

Using the web GUI, I set up access restrictions and they work, but only on the home wifi. If the computer connects to the guest wifi, its MAC address doesn't get stopped. That's the problem right here, as the web GUI only seems to work on the main home network.

I've tried doing it manually with:
iptables -t nat -I PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
and it works, but it blocks LAN access as well, not just the internet... (I can use a cron job later to turn that rule on and off -- I'm just trying to get the rule working.)

If I change -j DROP to -j REJECT, it blocks nothing (doesn't even show in iptables -vnL). If I add -d $(nvram get wan_ipaddr) it doesn't work (it does show up in iptables -vnL, but with a different IP destination than my actual WAN address).

If I try:
iptables -I INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
it blocks nothing at all.

Any other ideas ?
Thanks!
raph321
DD-WRT Novice


Joined: 20 Jan 2014
Posts: 29

PostPosted: Sat May 03, 2014 17:08
Hmmm... This is interesting. When I said it wasn't working, I was already connected to the wifi with the machine I'm trying to block and typing "test" in google to see if the page loaded.

I disconnected and tried to reconnect to the wifi, and it refused to hand out an IP address. It would seem that
iptables -t nat -I PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
blocks the DHCP server from handing out an IP address. I deleted that rule and it connected.

How do I stop internet traffic if the machine is already connected to the wifi?
bjornbai
DD-WRT Novice


Joined: 08 Jan 2014
Posts: 14

PostPosted: Sun May 04, 2014 19:34
I have also been trying to configure my RT-AC66U (with the latest Kong build) to set a schedule for when my kids are allowed access to the internet.

I am a complete novice, so I am using the GUI Access Policy.

To me it also seems like already established connections will remain, and not be disconnected.
I just tried to add a scheduled reboot; assuming that this will force a disconnection and then not allow for the blocked MAC addresses to reconnect...

Not a very elegant solution... even so, it might be a novice / poor man's workaround....
raph321
DD-WRT Novice


Joined: 20 Jan 2014
Posts: 29

PostPosted: Sun May 04, 2014 20:05
Figured it out:

Disabled all GUI access restrictions. Then I made two scripts, one called "off" that puts in iptables rules that turns off internet access and the other called "on" that deletes those rules. Then I told CRON to run them at specific times.

off script (one iptables rule per MAC address):
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

on script (one iptables rule per MAC address):
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

The FORWARD chain seems to be what I wanted: no internet access but I can still ping the local network. It also intercepts all traffic on any wifi network.

I called these scripts with cron in the GUI (Administration -> cron additional jobs):
30 6 * * * root /opt/custom_config/scripts/on
30 21 * * 0-4 root /opt/custom_config/scripts/off
30 22 * * 5,6 root /opt/custom_config/scripts/off

Translated: turns on internet access at 6:30am every day, and turns it off at 9:30pm (Sunday to Thursday) and at 10:30pm (Friday, Saturday).

Now, if only I could redirect people to a splash page instead of just dropping the packet... It would be a whole lot more elegant! I'm trying to use lighttpd and iptables rules (in the nat PREROUTING chain) to redirect traffic, but with mixed success.

Hopefully this helps someone!
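The same on/off approach as raph321's scripts, written here as an added example (not the poster's own code) that folds both actions into one script and makes them safe to re-run: the DROP rules live in their own chain instead of loose in FORWARD, a second "off" run does not stack duplicate rules, and "on" removes exactly what "off" added. FORWARD is the right chain for the stated goal because it only sees traffic the router routes between interfaces (LAN to WAN, or between VLANs); PREROUTING also sees packets addressed to the router itself, which is why the nat rule in the first post also killed DHCP and LAN traffic, and INPUT only sees packets addressed to the router, which is why that attempt blocked nothing. Assumptions: busybox sh and iptables on a DD-WRT router, a chain name MAC_CURFEW chosen here (not a DD-WRT convention), and two constructed placeholder MAC addresses.

```shell
#!/bin/sh
# curfew.sh on|off  -- cut internet (forwarded) traffic for a list of MAC addresses.
# Added example, not the script from the forum post. Assumes busybox sh and
# iptables on a DD-WRT router; MAC_CURFEW is a chain name chosen here, not a
# DD-WRT convention, and the MACs below are constructed placeholders.

CHAIN=MAC_CURFEW
MACS="00:11:22:33:44:55 66:77:88:99:AA:BB"   # constructed; replace with the real ones
DRY_RUN=${DRY_RUN:-0}                        # DRY_RUN=1 prints the commands instead of running them

# Shape check, so a typo in MACS fails loudly instead of silently matching nothing.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
    esac
}

# Print the iptables commands for a mode. Keeping this free of side effects
# lets the plan be reviewed before it touches the firewall.
# Thread naming: "off" = internet off (rules present), "on" = internet on (rules gone).
curfew_rules() {
    case "$1" in
    off)
        for mac in $MACS; do
            valid_mac "$mac" || { echo "curfew: bad MAC '$mac'" >&2; return 1; }
        done
        # Own chain: -N fails harmlessly if it already exists, -F empties it so
        # repeated runs never stack duplicate rules.
        echo "iptables -N $CHAIN 2>/dev/null"
        echo "iptables -F $CHAIN"
        for mac in $MACS; do
            # Only frames sent *by* the client carry its MAC as source, so that is
            # the direction we drop; with no request leaving, there is no reply.
            echo "iptables -A $CHAIN -m mac --mac-source $mac -j DROP"
        done
        # Jump from FORWARD at position 1, ahead of any ESTABLISHED,RELATED accept,
        # so flows that are already open are cut as well. Added only once.
        echo "iptables -L FORWARD -n | grep -q \"^$CHAIN \" || iptables -I FORWARD 1 -j $CHAIN"
        ;;
    on)
        echo "iptables -D FORWARD -j $CHAIN 2>/dev/null"
        echo "iptables -F $CHAIN 2>/dev/null"
        echo "iptables -X $CHAIN 2>/dev/null"
        ;;
    *)
        echo "usage: $0 on|off" >&2
        return 2
        ;;
    esac
}

# Generate first, then either show or execute the plan.
apply() {
    rules=$(curfew_rules "$1") || return $?
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
}

# Run only when an action was given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    apply "$1"
fi
```

Point raph321's cron lines at this script ("/opt/custom_config/scripts/curfew.sh off" and "... on") and run "DRY_RUN=1 ./curfew.sh off" once by hand first to see the rules it would install. Two caveats a practitioner should keep in mind: a MAC match is a convenience control, not a security boundary, since the client can change its own MAC in seconds; and because only the client's outbound frames carry its MAC, the rule relies on the router being the only path to the WAN, so a second gateway on the LAN (or a VLAN that bypasses this router) is not covered.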
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon May 05, 2014 8:41
raph321 wrote:
The FORWARD chain seems to be what I wanted: no internet access but I can still ping the local network. It also intercepts all traffic on any wifi network.

If you want to block someone by MAC, why don't you do it at layer 2 with ebtables?
It is before layer 3 and iptables...
bjornbai
DD-WRT Novice


Joined: 08 Jan 2014
Posts: 14

PostPosted: Fri May 16, 2014 17:43
raph321 wrote:


off script (one iptables rule per MAC address):
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

on script (one iptables rule per MAC address):
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP


I'm apparently having some very basic problems understanding scripting. I feel like a total helpless idiot, not being able to figure this out...

I have created the proposed on script, and in order to test it I try to run the script by typing: sh on
I then just get the error message:
'ad argument '

However if I simply paste the command
iptables -D FORWARD -m mac --mac-source F0:F6:1C:AB:38:6A -j DROP
into the CLI it seems to be accepted...

It probably is something very simple and stupid that I am doing wrong... but I cannot for my bare life figure it out....
bjornbai
DD-WRT Novice


Joined: 08 Jan 2014
Posts: 14

PostPosted: Thu Jul 17, 2014 11:17
raph321 wrote:
Figured it out:

Disabled all GUI access restrictions. Then I made two scripts, one called "off" that puts in iptables rules that turns off internet access and the other called "on" that deletes those rules. Then I told CRON to run them at specific times.

off script (one iptables rule per MAC address):
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

on script (one iptables rule per MAC address):
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

The FORWARD chain seems to be what I wanted: no internet access but I can still ping the local network. It also intercepts all traffic on any wifi network.

I called these scripts with cron in the GUI (Administration -> cron additional jobs):
30 6 * * * root /opt/custom_config/scripts/on
30 21 * * 0-4 root /opt/custom_config/scripts/off
30 22 * * 5,6 root /opt/custom_config/scripts/off

Translated: turns on internet access at 6:30am every day, and turns it off at 9:30pm (Sunday to Thursday) and at 10:30pm (Friday, Saturday).

Now, if only I could redirect people to a splash page instead of just dropping the packet... It would be a whole lot more elegant! I'm trying to use lighttpd and iptables rules (in the nat PREROUTING chain) to redirect traffic, but with mixed success.

Hopefully this helps someone!


Sure did help me... (after getting around my NUB problems..)
Thanks a lot
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 12:50
I can get the script working apart from the cron. Here are my steps:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=277911

Any advice on how to execute the script from cron?
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 14:01
Issue fixed, have updated my guide here: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=277911
All times are GMT