Posted: Fri May 31, 2019 16:32 Post subject: How to switch on/off internet access for certain mac address
I have a TP-Link C7 with Firmware: DD-WRT v3.0-r39296 std (03/27/19).
I also have a son who needs to do his homework. I know there is a feature for allowing internet access on a schedule. But I would like to be able to switch his connection on and off through my home automation system (OpenHAB running on Debian 9). Is there a way to start a script through ssh or preferably through http-GET which would switch his internet connection on or off through the router?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri May 31, 2019 23:00 Post subject:
you can block certain mac to not get an ip
via Dnsmasq additional rules or iptables rules to not get
access at all _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
That is a block of the physical port. It might be a bit overkill, I would rather like to block just one or a few IPs or mac addresses. So I think what Alozaros suggests is a good solution:
Alozaros wrote:
iptables rules to not get
access at all
So how should I do that? I tried something like this but it didn't work and I am very much afraid I will mess something up that I cannot undo:
Code:
iptables -A INPUT -m mac --mac-source 4C:DD:31:90:D4:D1 -j DROP
This command is accepted, but the mac is still communicating to the internet.
Should I reboot after changing iptables?
And is this the right way to get rid of this line:
Code:
iptables -D INPUT -m mac --mac-source 44:AA:33:BB:44:CC -j DROP
I found that 'iptables -t nat -L' doesn't list a line with the mac address I have put in?
iptables -I FORWARD 1 -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT
It is FORWARD because the router is forwarding the connection to the internet; INPUT would be connections going into the router. The reason I put in REJECT instead of DROP is so that the computer does not have to wait for a timeout. The "1" after FORWARD ensures that it is the first rule, trying to make sure that related/established connections are not allowed first.
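The FORWARD rule above, as an added example that is not part of the original thread or a DD-WRT script, wrapped into a small toggle script so that a home automation server can call it over ssh ("block", "unblock", "status") without stacking duplicate rules or leaving a stray copy behind. It assumes BusyBox sh on the router, an iptables build with the mac match available, and the LAN bridge named by the nvram variable lan_ifname as used in the rule above; the IPTABLES and LAN_IF variables are hypothetical overrides so the script can be exercised off the router. The check for an existing rule greps the FORWARD chain listing (the same 'iptables -vnL FORWARD' view used in this thread) instead of relying on iptables -C, which older builds lack.

```shell
#!/bin/sh
# Toggle internet access for one LAN MAC address on a DD-WRT router.
# Added example for this thread; it is not a DD-WRT script. Assumptions:
# BusyBox sh on the router, iptables with the "mac" match available
# (the ipt_mac module), and the LAN bridge named by the nvram variable
# lan_ifname, as in the FORWARD rule from the thread.
# IPTABLES and LAN_IF are hypothetical overrides for testing off-router.
: "${IPTABLES:=iptables}"

lan_if() {
    # Use the bridge DD-WRT reports; fall back to br0 where nvram is absent.
    if command -v nvram >/dev/null 2>&1; then
        nvram get lan_ifname
    else
        echo "${LAN_IF:-br0}"
    fi
}

valid_mac() {
    # Six colon-separated hex octets only, so a value handed over from the
    # automation system cannot smuggle extra iptables arguments in.
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

is_blocked() {
    # The mac match shows up as "MAC xx:xx:xx:xx:xx:xx" in the chain listing.
    # Case-insensitive because iptables prints the address in upper case.
    "$IPTABLES" -nL FORWARD | grep -qi -- "MAC $1"
}

block_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    # Idempotent: a second "block" must not stack a duplicate rule.
    is_blocked "$1" && return 0
    # Position 1 puts the REJECT ahead of the RELATED,ESTABLISHED accept.
    "$IPTABLES" -I FORWARD 1 -i "$(lan_if)" -m mac --mac-source "$1" -j REJECT
}

unblock_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    # Delete every copy, in case earlier manual tests stacked duplicates.
    while is_blocked "$1"; do
        "$IPTABLES" -D FORWARD -i "$(lan_if)" -m mac --mac-source "$1" -j REJECT || return 1
    done
}

status_mac() {
    # Exit 0 = blocked, 1 = open, so the automation system can poll it.
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    if is_blocked "$1"; then echo "blocked"; else echo "open"; return 1; fi
}

main() {
    case "$1" in
        block|unblock|status) "${1}_mac" "$2" ;;
        *) echo "usage: $0 block|unblock|status MAC" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Copied to a persistent location on the router (a /jffs path, for example) and called from the automation host as `ssh root@ROUTER '/path/to/macblock.sh block 4C:DD:31:90:D4:D1'`, the rule behaves exactly as Alozaros describes: it lives only until the next reboot, which is fine for a toggle because the server simply re-applies it, and the same "block" call can go in the firewall script if a permanent block is wanted. The script does nothing about a device changing its MAC address, which the thread already notes is the limit of any MAC-based rule.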
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sun Jun 02, 2019 10:09 Post subject:
It does need to be inserted in the firewall script; if you just use the CLI to add it, then on reboot it won't be there ...
I do not see the FORWARD ROUTE, the computer with the above mac-address (that's my mobile for testing) still has internet access, and after a reboot nothing happens. (But maybe that is just what Alozaros wanted to explain.)
So how should I do this, and can this be done in an automated way from my home automation computer?
Sorry for the inexperienced level.
Thank you both for your help. I am away from home for a few days so I will try your suggestions next weekend, and report back.
Finally I got some time to test the above. Unfortunately it doesn't seem to work.
When I issue 'iptables -vnL FORWARD', I get the table with lots of lines.
When I type:
Code:
iptables -I FORWARD 1 -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT
This is accepted, but 'iptables -vnL FORWARD' doesn't show any line with the mac address.
Also, the phone I am testing this with, is still connected to the internet through the router.
I tried 'su' and 'sudo' but this is not accepted.
Am I doing something wrong?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Jun 10, 2019 13:14 Post subject:
hmm if the rule does not exist and you saved it in the firewall script then maybe the mac module is not present
for iptables on your router/build..
try to add this line in the start up script
insmod ipt_mac
or you can try adding this to Additional DNSmasq
"11:22:33 etc. = your mac address to block"
dhcp-host=11:22:33:44:55:66,ignore
do keep in mind that if he changes his mac address your rules will be obsolete...
if you just add it via SSH, it will stay and work until the next reboot...only
I didn't put the line in startup script, because I want to add this line and remove it when applicable (now by hand over ssh, but when I got it working I intend to do this from my home automation server).
I don't know if the line 'insmod ipt_mac' really needs to go in the start-up script. I tried using it first through ssh, then issued the iptables command. But this doesn't do anything either.
I searched this forum for 'start up script' but couldn't find anything.
I did block the mac-address from the dd-wrt web interface (control panel/access restriction). This works! Even then I don't see a change in the iptables forward chain when I issue 'iptables -vnL FORWARD'.
Is there a way to set an 'access policy' that I set up through GUI to 'active' and later to 'inactive' from ssh? That would solve my problem.