The first line "iptables -I FORWARD -i vlan2 -j REJECT" definitely turns the internet off for everyone.
What I didn't expect is adding even one of the "ACCEPT" lines turns the internet back on for EVERYBODY. Not just the one MAC.
I have tried this from the firewall script, and then lots of variations on command line.
Got to admit, IPTables isn't something I have ever played with, I think I am missing something simple here... help? _________________ DD-WRT v3.0-r40270M kongac Netgear R7000
Published and substantiated over a decade ago, yet today in 2019 still misconceptions...
Using, protecting and trusting one's WPA2/WPA3 key(s) would easily secure and block one's network from most unauthorized accesses beside state-sponsored and well-organized intrusions.
I already used the Access restrictions, every legit IP is static, all the rest blocked. That doesn't do anything for somebody manually setting an IP (even though it's static assigned to a different MAC) from getting full access to LAN/WAN. That is what I have going on, trial and error IP until one works.
My problem is people plugging into LAN jacks, more than wifi right now.
I am aware it's not perfect, but I don't know any better way to lock it down, than choose the 1/2 dozen legal MACS and IPs both to grant access and reject the rest.
Alozaros, thank you, I will try that.
Does numbering the rules work differently than insert?
Or is the syntax wrong? _________________ DD-WRT v3.0-r40270M kongac Netgear R7000
Authentication server would be nice, too complicated, thanks though:)
Learning as I go, I can answer my own last question now, the drop at the top matches all, so no internet. The drop can't be rule 1.
Still reading, I can't figure out a way to say
Default DROP unless "Match one of these"
Just inserting that drop anywhere else seems like it would conflict with existing port forwarding and stuff that I do use.
I wonder if I can put these on OUTPUT chain instead? There is no other rules to screw it up there. _________________ DD-WRT v3.0-r40270M kongac Netgear R7000
Still reading, I can't figure out a way to say
Default DROP unless "Match one of these"
Just inserting that drop anywhere else seems like it would conflict with existing port forwarding and stuff that I do use.
The order should be from most to least specific. You generally either need to:
1. DROP x, y, and z, then ACCEPT all others
or:
2. ACCEPT a, b, and c, then DROP all others
#1 is more family (and hacker) friendly, while #2 is more secure but things break much more easily. _________________ #NAT/SFE/CTF: limited speed w/ DD#Repeater issues#DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo#
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
#MAC Filter
insmod ipt_mac
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source (allowed mac) -j RETURN
iptables -A CMACFILTER -m limit --limit 2/min -j LOG --log-prefix " MAC DROP: "
iptables -A CMACFILTER -j DROP
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER
This goes by default deny and only allows the certain MACs to access. Now this does not prevent the MACs from accessing other resources on the network (or if they set a static IP address).
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Tue Oct 08, 2019 11:57 Post subject:
Do not use the GUI to set anything on the command line (you can but special characters have to be escaped)
You should telnet/Putty to your router to do these kind of things. If it works you can Save the commands as Firewall
You can try the following:
iptables -I FORWARD -o $(nvram get wan_ifname) -m mac --mac-source 94:6A:B0:11:47:22 -m state --state NEW -j REJECT
You should only need this rule.
As you want to block outgoing traffic from your WAN you should use the -o, you can not block incoming traffic from the WAN with a MAC address.
I use state new so that any port forwards to this address can still work, if you do not need this then you can skip using state new.
As you are only blocking outgoing traffic to the WAN/internet you can still see things on your network and router
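To make the ordering point, the CMACFILTER chain and egc's single -o WAN rule concrete, here is a small Python model of how iptables walks a chain (first match wins, RETURN hands back to the caller, LOG does not terminate, a built-in chain's fall-through hits its policy). It is an added illustration written for this thread, not code from any of the posts; the interface names br0/vlan2, the MAC addresses and the IPs used with it are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str        # ACCEPT / DROP / REJECT / RETURN / LOG, or a user-chain name
    in_if: str = ""    # -i
    out_if: str = ""   # -o
    src_mac: str = ""  # -m mac --mac-source
    src_net: str = ""  # -s
    state: str = ""    # -m state --state (NEW / ESTABLISHED)

    def matches(self, pkt: dict) -> bool:
        ok = (not self.in_if or self.in_if == pkt["in_if"]) and (not self.out_if or self.out_if == pkt["out_if"])
        ok = ok and (not self.src_mac or self.src_mac.lower() == pkt["src_mac"].lower())
        ok = ok and (not self.state or self.state == pkt["state"])
        return ok and (not self.src_net or ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(self.src_net))

def walk(chains: dict, name: str, pkt: dict):
    """First match wins; None means the chain fell through or hit RETURN."""
    for rule in (r for r in chains[name] if r.matches(pkt)):
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return None                  # hand the packet back to the calling chain
        if rule.target != "LOG":         # LOG never terminates; any other target is a user chain
            sub = walk(chains, rule.target, pkt)
            if sub is not None:
                return sub
    return None

def forward_verdict(chains: dict, pkt: dict, policy: str = "ACCEPT") -> str:
    return walk(chains, "FORWARD", pkt) or policy   # built-in chain: fall-through hits the policy

def reject_at_top(lan_if: str, allowed_mac: str, accept_first: bool) -> dict:
    """Ordering lesson: a bare REJECT as rule 1 matches every LAN packet, whatever follows it."""
    reject_all = Rule("REJECT", in_if=lan_if)
    accept_one = Rule("ACCEPT", in_if=lan_if, src_mac=allowed_mac)
    return {"FORWARD": [accept_one, reject_all] if accept_first else [reject_all, accept_one]}

def macfilter_chains(lan_if: str, allowed_macs: list) -> dict:
    """CMACFILTER as posted: link-local dropped, allow-listed MACs RETURN, everything else DROP."""
    chain = [Rule("DROP", src_net="169.254.0.0/16")]
    chain += [Rule("RETURN", src_mac=m) for m in allowed_macs]
    chain += [Rule("LOG"), Rule("DROP")]
    return {"FORWARD": [Rule("CMACFILTER", in_if=lan_if)], "CMACFILTER": chain}

def block_one_mac_wan(wan_if: str, mac: str) -> dict:
    """egc's single rule: only NEW flows from that MAC heading out the WAN are rejected."""
    return {"FORWARD": [Rule("REJECT", out_if=wan_if, src_mac=mac, state="NEW")]}
```

Feed each ruleset a packet dict (src_mac, src_ip, state, in_if, out_if) through forward_verdict to see why the REJECT-first layout blocks everyone while the allow-then-deny layouts only block the unlisted host.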
#MAC Filter
insmod ipt_mac
iptables -N CMACFILTER
#drop link local without logging
iptables -A CMACFILTER -s 169.254.0.0/16 -j DROP
iptables -A CMACFILTER -m mac --mac-source (allowed mac) -j RETURN
iptables -A CMACFILTER -m limit --limit 2/min -j LOG --log-prefix " MAC DROP: "
iptables -A CMACFILTER -j DROP
iptables -I FORWARD 1 -i `nvram get lan_ifname` -j CMACFILTER
iptables -I INPUT 1 -i `nvram get lan_ifname` -j CMACFILTER
This goes by default deny and only allows the certain MACs to access. Now this does not prevent the MACs from accessing other resources on the network (or if they set a static IP address).
..
You can try the following:
iptables -I FORWARD -o $(nvram get wan_ifname) -m mac --mac-source 94:6A:B0:11:47:22 -m state --state NEW -j REJECT
...
I have not tested it so curious to see if it works
awesome, thank you _________________ DD-WRT v3.0-r40270M kongac Netgear R7000