Posted: Sun Jul 19, 2009 14:17 Post subject: Wired equivalent for Wireless MAC Filter?
I have both wired and wireless clients off of my 600N and I allow only the known MAC address to get on the wireless, using MAC Filter under Wireless tab. I would like to do the same for wired (LAN) clients. Is there a way to do this?
I did a search but I think the posts I found were for denying access for the known MAC addresses, whereas I need a method to allow access for the known MACs.
iptables -A FORWARD -i br0 -j DROP
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Thanks for the help. I did this for the MACs that I want to allow, and saved it in Firewall through the Administration/Commands page; I rebooted the router, but it doesn't seem to take effect. I am using Eko's 12476M on a WRT600n 1.1.
They're essentially the same; the thing I forgot is that you need to load the kernel module before the rules.
insmod ipt_mac
You might want to stop using full paths because nvram is only 32KB and runs out quick. If you're trying to stop LAN to LAN traffic then you need to break all your ports into separate vlans so that they don't get switched. If you want to block LAN to WLAN traffic then you need to also load ebtables. The rules should be blocking LAN to WAN traffic but run this to make sure that the rules exist.
iptables -vnL FORWARD
Now I see the problem. Change the DROP rule to be -I instead of -A and put it at the top of the rules.
I would make a script which uses the MAC entries that were supposed to be used for the wireless connections.
Would look a lot neater....
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
# load the MAC match module if it is not loaded yet
lsmod | grep -q ipt_mac || insmod ipt_mac
# catch-all: drop everything forwarded from the LAN bridge ...
iptables -I FORWARD -i br0 -j DROP
# ... then insert an ACCEPT ahead of it for every MAC in the wireless filter list
nvram get wl0_maclist 2>/dev/null | /opt/bin/egrep -o '([[:xdigit:]]{2}[:-]){5}[[:xdigit:]]{2}' | while read mac
do
    iptables -I FORWARD -i br0 -m mac --mac-source ${mac} -j ACCEPT
done
Because "egrep -o" doesn't work properly in busybox, you'll need to have optware installed.
I am in the process of registering with bugzilla and am going to post a ticket for it.
The bug with "grep -o" was fixed in busybox immediately after I posted it.
When busybox is updated in dd-wrt in a future version, this code will run without needing /opt/bin/egrep.
Posted: Sun Jan 10, 2010 18:19 Post subject: Conflict with Access Restrictions
I just found out that, after putting in the iptables-based firewall rules for allowing only known MAC addresses to access the internet, my "Access Restrictions" rules for the same MACs are no longer effective. If I have an entry in rc_firewall for a MAC address, I can no longer control the hours that MAC address is allowed to use the internet.
Insert them further down the chain; the 9 represents where in the chain to put it.
iptables -I FORWARD 9 -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
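An added example, not from any of the posts above: the same allow-list script built without "egrep -o" (plain tr and grep -E, which the stock busybox handles), emitted as a dry run so the rule order can be checked before it goes into rc_firewall, with the chain position from the last reply as a parameter. The wl0_maclist value below is a constructed sample; on the router it would come from nvram get wl0_maclist.

```shell
#!/bin/sh
# Constructed stand-in for `nvram get wl0_maclist` (space-separated MACs).
# On the router use: MACLIST=$(nvram get wl0_maclist)
SAMPLE_MACLIST='00:11:22:33:44:55  aa:bb:cc:dd:ee:ff junk 00-11-22-33-44-66'

# Print one well-formed MAC per line, upper-cased and with ':' separators.
# Splitting on whitespace and anchoring the pattern avoids "grep -o", so
# no optware egrep is needed; malformed entries are silently skipped.
extract_macs() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' \
        | grep -E '^([[:xdigit:]]{2}[:-]){5}[[:xdigit:]]{2}$' \
        | tr 'abcdef-' 'ABCDEF:'
}

# Emit the iptables commands (printed, not executed) in the order they
# must run. The catch-all DROP is appended to the end of FORWARD; the
# per-MAC ACCEPTs are inserted at position $2 (default 1). A position
# greater than 1, as suggested in the thread, leaves DD-WRT's own Access
# Restrictions rules ahead of the allow-list; it must not exceed the
# current rule count plus one, or iptables refuses the insert.
build_rules() {
    maclist=$1
    pos=${2:-1}
    echo 'lsmod | grep -q ipt_mac || insmod ipt_mac'
    echo 'iptables -A FORWARD -i br0 -j DROP'
    extract_macs "$maclist" | while read -r mac; do
        echo "iptables -I FORWARD $pos -i br0 -m mac --mac-source $mac -j ACCEPT"
    done
    echo 'iptables -vnL FORWARD'   # verify the rules and their order
}

build_rules "$SAMPLE_MACLIST" 1
```

Pipe the output into sh only after checking that every ACCEPT line sits ahead of the DROP in the printed listing.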