Posted: Wed Dec 31, 2014 21:02 Post subject: Access restrictions not working as expected
I have set up an access restriction rule to deny my daughter's access to the Internet based on time of day and the MAC address of her computer. This works fine if she tries to browse the Web or do anything new after the rule has started. What is perplexing is that if she connects to a minecraft server or pesterchum service before the time the deny rule goes into effect, she can stay connected indefinitely as long as she doesn't disconnect. I am not sure why this happens and was hoping someone here could help me figure this out. I am using the latest Kong build.
The problem is due to the way dd-wrt has implemented Access Restrictions. It just happens that the firewall is configured to allow existing connections to bypass these restrictions. To be precise (if it matters to you), when a packet comes through the FORWARD chain of the firewall, the very first rule says to allow all ESTABLISHED connections through. Further down that same chain it finally encounters the rules for Access Restrictions (lan2wan), which of course is too late. That will only happen if the state of the connection is NEW.
I dumped the firewall just so you can see for yourself.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
This is what I personally don't like about Access Restrictions. How it works is hidden. And it's based on certain assumptions with which you might not agree. It typically won't work w/ anything but the WAN (e.g., set up a VPN and Access Restrictions has no effect either!). That's why sometimes you just have to implement these restrictions yourself. Or perhaps "fix up" the existing rules after the fact (not something I generally recommend). Or perhaps in your case kill all her existing connections at the given hour so you force a NEW connection to be made (not sure that's possible w/ dd-wrt).
So how do I change the iptables so that access restrictions come first for ESTABLISHED connections? I have no problems bypassing the gui and editing the iptables conf file. I just don't want to have to go and learn iptables nomenclature. I have been avoiding it for years actually.
The quick and dirty answer would be to place the lan2wan rule before the ESTABLISHED rule. At least looking at my dump of iptables, that would appear to be harmless. But it would be prudent to see YOUR dump of iptables to be sure. You just never know if there might be a difference and we could break something.
iptables -vnL FORWARD
It could literally be as simple as adding the following rules to the firewall script:
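The technique the reply above describes (get a drop rule in front of the stock "ESTABLISHED -> ACCEPT" rule so packets of an already-open connection are hit too) can be done from the DD-WRT firewall script without touching lan2wan. The script below is an added example written for this page, not the poster's rules and not DD-WRT's own Access Restrictions code. Everything specific in it is assumed: the MAC address and LAN IP of the restricted PC are constructed, the chain name kid_block and the 21:00-07:00 window are made up, and it presumes this build's iptables has the mac and time matches with the --weekdays spelling (check with `iptables -m time --help`; older modules use --days). It deliberately splits a window that crosses midnight into two rules rather than relying on the module to wrap.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT firewall-script fragment that inserts
# a time-of-day block for one client at position 1 of FORWARD, i.e. ahead of the
# stock "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule, so an open
# connection is cut at the start time instead of surviving until it closes.
#
# Assumptions (none come from the original posts): client MAC/IP, chain name,
# time window, and that `iptables -m mac` / `-m time --weekdays` exist here.

IPT="${IPT:-iptables}"                    # set IPT=echo to print the commands only
CHAIN="${CHAIN:-kid_block}"               # assumed chain name, not DD-WRT's lan2wan
KID_MAC="${KID_MAC:-00:11:22:33:44:55}"   # constructed MAC of the restricted PC
KID_IP="${KID_IP:-192.168.1.50}"          # its LAN IP (assumes a static DHCP lease)
START="${START:-21:00}"                   # block starts (HH:MM)
STOP="${STOP:-07:00}"                     # block ends; earlier than START = crosses midnight
DAYS="${DAYS:-Mon,Tue,Wed,Thu,Fri,Sat,Sun}"

# "HH:MM" -> minutes since midnight. Leading zeros are stripped so that "08"
# is not parsed as an (invalid) octal literal by the shell's arithmetic.
to_min() {
    h=${1%:*}; m=${1#*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# Print one "START STOP" pair per line. A window that crosses midnight becomes
# two windows, so it works even where xt_time does not wrap timestart > timestop.
time_windows() {
    if [ "$(to_min "$1")" -lt "$(to_min "$2")" ]; then
        echo "$1 $2"
    else
        echo "$1 23:59"
        echo "00:00 $2"
    fi
}

# Emit the iptables arguments, one rule per line, so they can be reviewed before
# being applied (kid_block_rules | cat).
kid_block_rules() {
    echo "-N $CHAIN"
    time_windows "$START" "$STOP" | while read -r ws we; do
        # LAN -> WAN: the frame carries the PC's own source MAC, so -m mac works.
        echo "-A $CHAIN -m mac --mac-source $KID_MAC -m time --timestart $ws --timestop $we --weekdays $DAYS -j DROP"
        # WAN -> LAN: the source MAC is the upstream gateway's, not the PC's,
        # so the return direction is matched on the PC's IP instead.
        echo "-A $CHAIN -d $KID_IP -m time --timestart $ws --timestop $we --weekdays $DAYS -j DROP"
    done
    # Position 1 puts the jump ahead of the ESTABLISHED accept rule.
    echo "-I FORWARD 1 -j $CHAIN"
}

# Idempotent apply: remove any previous copy of the chain, then install fresh.
apply_kid_block() {
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" 2>/dev/null
    $IPT -X "$CHAIN" 2>/dev/null
    kid_block_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule string is intended
        $IPT $rule || return 1
    done
}

# Only touch the firewall when invoked as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_kid_block
fi
```

Two caveats a practitioner should check before trusting the window: the kernel time match compares against UTC unless the build supports and you pass `--kerneltz`, so either shift START/STOP to UTC or verify the option is accepted; and DD-WRT runs the saved firewall script after it has built its own rules, so confirm the jump really sits at the top with `iptables -vnL FORWARD`. Dropping her outbound packets alone already kills the session; the IP-based return rule just keeps the server's retransmissions from reaching her until the connection times out.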
Joined: 03 Jan 2010 Posts: 7311 Location: YWG, Canada
Posted: Thu Jan 01, 2015 5:38 Post subject:
I think the results of this thread should be posted into a ticket. Access restrictions shouldn't work that way; at a worst-case scenario, it should become active when the connection tries to renew after maximum alive time is reached.
Joined: 10 Nov 2009 Posts: 15 Location: Rovaniemi, Finland
Posted: Fri Jan 09, 2015 7:42 Post subject:
Encountered same problem, for example WoT (son plays it, surprise...) stays connected if connection is established before restrictions are enabled.
Fixed (or at least all restricted-range IPs dropped all established connections) and always-permitted clients are still able to connect with the points given above, thanks. Running WHR-600D with 23392 (Buffalo DD-WRT).