Block IP if not associated with specific mac?

Author Message
john8791
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 21

PostPosted: Fri Apr 03, 2015 15:36    Post subject: Block IP if not associated with specific mac?
For my time-of-day access restrictions for my kids, I have a set of static leases associated with certain devices that will not be blocked at night. The rest are dynamically assigned. Then, during the specified hours, all IP addresses not associated with the static leases are blocked from the WAN. I did it this way since it is trivial to spoof a MAC address (my son already tried it and was punished). So here's my question:

If someone were to set their computer's IP to one that is statically leased to another device and that device is off, I assume they would have normal internet access, right? Is there a way in iptables to block an IP that is not associated with a certain MAC address?
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Fri Apr 03, 2015 17:37    Post subject:
You want to block an IP if not associated with a MAC address, because MAC spoofing is easy? Not sure I understand your question. Solution might also be device/build dependent. Wiki on whitelisting or limiting DHCP leases to the exact number you need, or blacklisting might be useful information.

In any event, the simple solution to your problem is to turn off the router radio for an hour or two at bedtime. Then the kids can't get on wirelessly, and everyone else is forced to "have a real life" for an hour or so.

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
john8791
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 21

PostPosted: Fri Apr 03, 2015 18:31    Post subject:
Murrkf wrote:
You want to block an IP if not associated with a MAC address, because MAC spoofing is easy? Not sure I understand your question. Solution might also be device/build dependent. Wiki on whitelisting or limiting DHCP leases to the exact number you need, or blacklisting might be useful information.

In any event, the simple solution to your problem is to turn off the router radio for an hour or two at bedtime. Then the kids can't get on wirelessly, and everyone else is forced to "have a real life" for an hour or so.


OK.

Scenario 1:
DD-WRT Access Restrictions configured to block certain MAC addresses between 11:00pm and 6:00am. All IPs dynamic DHCP. Child changes MAC address on PC, gets internet access after 11:00pm.

Changed my policy to Scenario 2:
List of "exempt devices" given static leases, e.g. 192.168.1.110-120. All others dynamic. Access restriction now set to deny IPs from 192.168.1.2-109 and 192.168.1.121-254. This "works".

What I'm asking is: if a child manually sets their IP to, say, 192.168.1.110, can iptables be used to block it if .110 is not coming from the MAC address in the static lease?

I know this is not "perfect"; I'm just trying to make it a PIA to circumvent. Six kids of different ages needing internet access to do school work on Google Docs, etc. doesn't allow me to just turn off the wifi radio.
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Sat Apr 04, 2015 13:12    Post subject:
You can check out the items that I listed in my previous post and see the wiki articles on them, but I don't think you can easily set up a requirement that a particular unknown (spoofed) MAC address must come in with a particular IP that is within your denied range. How would you know which MAC to tie to an IP?

What I think would work, but be a pain to set up, is to set up ALL devices to static leases and then issue no dynamic leases.

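What the original poster asks for in Scenario 2 (drop a reserved IP unless it arrives from the reserved MAC) is something iptables can express directly with its `mac` match (`-m mac --mac-source`), and the "all static leases, no dynamic ones" suggestion in the last post maps onto dnsmasq's `dhcp-host=` and `dhcp-ignore=tag:!known` options. The script below is an added example, not code from the thread or from DD-WRT: it generates both fragments from one list of IP/MAC reservations so the firewall and the DHCP server cannot drift apart. The interface names (`br0`, `vlan2`), the two sample reservations and the 23:00-06:00 window are constructed assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: build the firewall and DHCP fragments
# from one list of IP/MAC reservations. Assumptions not in the original posts:
# LAN bridge br0, WAN interface vlan2, and the lease list and curfew hours
# below are constructed sample data.

# Constructed sample reservations: "IP MAC", one per line.
LEASES='192.168.1.110 00:11:22:33:44:55
192.168.1.111 66:77:88:99:aa:bb'

LAN_IF=br0
WAN_IF=vlan2
CURFEW_START=23:00   # xt_time accepts a window that crosses midnight
CURFEW_STOP=06:00

# iptables side. Emitted as text so it can be inspected, then piped to sh on
# the router or pasted into Administration > Commands > Save Firewall.
gen_rules() {
    t="-m time --timestart $CURFEW_START --timestop $CURFEW_STOP"
    echo "iptables -N CURFEW 2>/dev/null || iptables -F CURFEW"
    # Re-running the script must not stack duplicate jumps in FORWARD.
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j CURFEW 2>/dev/null"
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j CURFEW"
    echo "$LEASES" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Exempt only when the source IP *and* the source MAC match the lease
        # (the iptables "mac" match sees the frame's source MAC in FORWARD).
        echo "iptables -A CURFEW -s $ip -m mac --mac-source $mac -j RETURN"
        # A reserved IP arriving from any other MAC is an address squat:
        # drop it at all hours, not only during the curfew.
        echo "iptables -A CURFEW -s $ip -j DROP"
    done
    # Everyone else (dynamic leases or self-assigned addresses) is blocked
    # only inside the curfew window and passes through otherwise.
    echo "iptables -A CURFEW $t -j DROP"
    echo "iptables -A CURFEW -j RETURN"
}

# dnsmasq side: the same list as fixed leases, plus a line that makes dnsmasq
# ignore any client not on the list (the "all static, no dynamic" variant).
# Paste into Services > Additional DNSMasq Options.
gen_dnsmasq() {
    echo "$LEASES" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        echo "dhcp-host=$mac,$ip"
    done
    # "known" is the tag dnsmasq sets for clients that match a dhcp-host line.
    echo "dhcp-ignore=tag:!known"
}

# Stand-alone run: print one fragment or both.
case "${1:-all}" in
    iptables) gen_rules ;;
    dnsmasq)  gen_dnsmasq ;;
    *)        gen_rules; echo; gen_dnsmasq ;;
esac
```

Three caveats a practitioner would check before relying on this. First, it only raises the bar: a child who spoofs both the MAC and the IP of an exempt device while that device is off still passes, and will collide with the real device when it comes back on. Second, the `mac` match only sees the source MAC of frames on the router's own bridge; clients behind a second router in routed mode all show up with that router's MAC, so they are either all exempt or all blocked. Third, the `time` match on newer builds compares against UTC unless the build's iptables supports and is given `--kerneltz`, so confirm with `iptables -m time --help` and a quick `iptables -L CURFEW -v` during the window; if you keep the GUI Access Restrictions policy as well, inspect the combined `iptables -L FORWARD -v` output to make sure the two rule sets do not cancel each other.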
All times are GMT