How to switch on/off internet access for certain mac address

guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Fri May 31, 2019 16:32    Post subject: How to switch on/off internet access for certain mac address
I have a TP-Link C7 with Firmware: DD-WRT v3.0-r39296 std (03/27/19).
I also have a son who needs to do his homework. I know there is a feature for allowing internet access on a schedule. But I would like to be able to switch his connection on and off through my home automation system (OpenHAB running on Debian 9). Is there a way to start a script through ssh or preferably through http-GET which would switch on- or off his internet connection through the router?
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 432

PostPosted: Fri May 31, 2019 21:03
Would something like this work:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319965
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2718
Location: UK, London, just across the river..

PostPosted: Fri May 31, 2019 23:00
You can block a certain MAC from getting an IP via Dnsmasq additional rules, or use iptables rules so it gets no access at all.

_________________
Atheros
TP-Link WR740Nv1 ------ DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ------DD-WRT 40009 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ------DD-WRT 40672 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2.......... Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ------------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt v2 x2)
Broadcom
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
----------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Sat Jun 01, 2019 7:36
Wildlion wrote:
Would something like this work:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319965

That is a block of the physical port. It might be a bit overkill; I would rather block just one or a few IPs or MAC addresses. So I think what Alozaros suggests is a good solution:

Alozaros wrote:
iptables rules to not get
access at all


So how should I do that? I tried something like this but it didn't work and I am very much afraid I will mess something up that I cannot undo:

Code:
iptables -A INPUT -m mac --mac-source 4C:DD:31:90:D4:D1 -j DROP


This command is accepted, but the mac is still communicating to the internet.
Should I reboot after changing iptables?
And is this the right way to get rid of this line:
Code:
iptables -D INPUT -m mac --mac-source 44:AA:33:BB:44:CC -j DROP

I found that 'iptables -t nat -L' doesn't list a line with the mac address I have put in?
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 432

PostPosted: Sat Jun 01, 2019 16:31
It should be a forward rule as in:

Code:

iptables -I FORWARD 1 -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT


It is FORWARD because the router is forwarding the connection to the internet; INPUT would be connections going into the router itself. The reason I put REJECT instead of DROP is so that the computer does not have to wait for a timeout. The "1" after FORWARD ensures that it is the first rule, trying to make sure that related/established connections are not allowed first.
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Sat Jun 01, 2019 19:24
Thank you Wildlion!
I want to try that. But first: what is the best way to revoke that? And does it need a reboot to work, or is this on the fly?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2718
Location: UK, London, just across the river..

PostPosted: Sun Jun 02, 2019 10:09
It does need to be inserted in the firewall script; if you just use the CLI to add it, then on reboot it won't be there ...
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Sun Jun 02, 2019 12:31
Alozaros wrote:
It does need to be inserted in the firewall script; if you just use the CLI to add it, then on reboot it won't be there ...

I'm sorry but I really don't understand what that means.
I did the following:
ssh to the router, login and:
Code:
iptables -I FORWARD 1 -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT


then:
Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere            udp dpt:dns to:192.168.1.1
DNAT       tcp  --  anywhere             anywhere            tcp dpt:dns to:192.168.1.1
etc

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.1.0/24       anywhere            to: my.external.ip



I do not see the FORWARD ROUTE, the computer with the above mac-address (that's my mobile for testing) still has internet access, and after a reboot nothing happens. (But maybe that is just what Alozaros wanted to explain.)
So how should I do this, and can this be done in an automated way from my domotica-computer?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2718
Location: UK, London, just across the river..

PostPosted: Sun Jun 02, 2019 13:58
Well, I did expect you to have a bit more basic knowledge..

For permanent use you need to add this rule in Administration > Commands > Save Firewall.

In this way it will survive a reboot...
If you just add it via SSH, it will stay and work only until the next reboot.

To check your rules on the FORWARD chain, issue this command:
Code:
iptables -vnL FORWARD

Wherever you add those rules, you don't need to restart..

Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 432

PostPosted: Sun Jun 02, 2019 20:26
guido72 wrote:
Thank you Wildlion!
I want to try that. But first: what is the best way to revoke that? And does it need a reboot to work, or is this on the fly?


There are multiple ways to revoke, if you trust that the first rule is the one you want to delete:

Code:

iptables -D FORWARD 1


(or whatever index the rule has) this will always delete a rule

otherwise you were right but with the new syntax:

Code:

iptables -D FORWARD -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT


will delete only the rule that matches (if one is present)


Alozaros answered everything else, so hopefully you are good.
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Tue Jun 04, 2019 5:12
Sorry for the inexperienced level.
Thank you both for your help. I am away from home for a few days so i will try your suggestions next weekend, and report back.
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Mon Jun 10, 2019 11:22
Finally I got some time to test the above. Unfortunately it doesn't seem to work.
When I issue 'iptables -vnL FORWARD', I get the table with lots of lines.
When I type:
Code:
iptables -I FORWARD 1 -i `nvram get lan_ifname` -m mac --mac-source 4C:DD:31:90:D4:D1 -j REJECT

This is accepted, but 'iptables -vnL FORWARD' doesn't show any line with the mac address.
Also, the phone I am testing this with, is still connected to the internet through the router.
I tried 'su' and 'sudo' but these are not accepted.
Am I doing something wrong?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2718
Location: UK, London, just across the river..

PostPosted: Mon Jun 10, 2019 13:14
Hmm, if the rule does not exist even though you saved it in the firewall script, then maybe the mac module is not present
for iptables on your router/build..

Try to add this line in the startup script:
Code:
insmod ipt_mac

Or you can try adding this to Additional DNSMasq options
("11:22:33 etc." = your MAC address to block):
Code:
dhcp-host=11:22:33:44:55:66,ignore

Do bear in mind that if he changes his MAC address your rules will be obsolete...

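Putting the pieces of this thread together (Wildlion's insert and delete commands, Alozaros' `iptables -vnL FORWARD` check and `insmod ipt_mac` hint), here is a small on/off switch that guido72's home-automation host could call over ssh. This is an added example for the thread, not code from any of the posters or from DD-WRT. The file name /jffs/netblock.sh, the `IPTABLES` and `LAN_IF` environment overrides, the `xt_mac` fallback module name and the constructed sample listing in the self-check are my assumptions; the MAC 11:22:33:44:55:66 is the placeholder from Alozaros' post.

```shell
#!/bin/sh
# netblock.sh - switch one LAN client's internet access on/off on a DD-WRT router by
# inserting or deleting the FORWARD rule from Wildlion's reply (added example, not
# from the thread or from DD-WRT). Assumptions: copied to /jffs/netblock.sh; IPTABLES
# and LAN_IF may be overridden from the environment (used by the self-checks).

IPTABLES=${IPTABLES:-iptables}

# LAN bridge: `nvram get lan_ifname` on DD-WRT; br0 is the usual value and the
# fallback when nvram is not available (e.g. when checking the script off-router).
lan_ifname() {
    if [ -n "$LAN_IF" ]; then
        printf '%s\n' "$LAN_IF"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get lan_ifname
    else
        printf 'br0\n'
    fi
}

# Accept only aa:bb:cc:dd:ee:ff (either case) so nothing else reaches the iptables
# command line, e.g. when an automation system passes the address in.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Match/target part shared by insert, delete and the presence check.
# REJECT rather than DROP so the client fails fast, as Wildlion explained.
rule_spec() {
    printf '%s\n' "-i $2 -m mac --mac-source $1 -j REJECT"
}

# `iptables -vnL FORWARD` (Alozaros' check) lists the match as "MAC <address>".
rule_present() {
    "$IPTABLES" -vnL FORWARD 2>/dev/null | grep -iq "MAC $1"
}

# Without the mac match module the rule is accepted but never listed, which is the
# symptom guido72 saw. ipt_mac is the name from Alozaros' post; xt_mac is the newer
# name (assumption). If the match is built into the kernel both insmods fail harmlessly.
ensure_mac_module() {
    grep -Eq '^(ipt|xt)_mac ' /proc/modules 2>/dev/null && return 0
    insmod ipt_mac 2>/dev/null || insmod xt_mac 2>/dev/null || true
}

internet_off() {   # block: insert the rule once, at position 1 (before ESTABLISHED/RELATED)
    mac=$1; lan=$(lan_ifname)
    rule_present "$mac" && { echo "already blocked: $mac"; return 0; }
    ensure_mac_module
    # rule_spec has no spaces inside a word, so the unquoted expansion is intended
    "$IPTABLES" -I FORWARD 1 $(rule_spec "$mac" "$lan") || return 1
    rule_present "$mac" || { echo "rule accepted but not listed; is the mac match module loaded?" >&2; return 1; }
    echo "blocked: $mac"
}

internet_on() {    # unblock: delete every copy of the rule, bounded so a stray rule cannot loop forever
    mac=$1; lan=$(lan_ifname); n=0
    while rule_present "$mac" && [ "$n" -lt 10 ]; do
        "$IPTABLES" -D FORWARD $(rule_spec "$mac" "$lan") || return 1
        n=$((n + 1))
    done
    rule_present "$mac" && { echo "a rule for $mac is still listed (different spec?)" >&2; return 1; }
    echo "unblocked: $mac"
}

usage() { echo "usage: $0 on|off|status <mac>" >&2; return 2; }

main() {
    [ $# -eq 2 ] || { usage; return 2; }
    valid_mac "$2" || { echo "bad MAC address: $2" >&2; return 2; }
    case $1 in
        off)    internet_off "$2" ;;
        on)     internet_on "$2" ;;
        status) if rule_present "$2"; then echo "blocked: $2"; else echo "not blocked: $2"; return 1; fi ;;
        *)      usage ;;
    esac
}

# Only act when given arguments, so the file can also be sourced for checks.
if [ $# -gt 0 ]; then main "$@"; fi
```

On the router, `sh /jffs/netblock.sh off 11:22:33:44:55:66` blocks the client and `... on ...` restores it; `status` exits 0 only while the block is in place, which gives the automation side something to poll. From the OpenHAB host the same call runs as `ssh root@192.168.1.1 'sh /jffs/netblock.sh off 11:22:33:44:55:66'` with key-based login, so no password sits in a rule file. As Alozaros wrote, a rule added this way lives only until the next reboot; if the client should start out blocked after a reboot, put the `off` call in Administration > Commands > Save Firewall as well. And the caveat from his post still applies: the switch is keyed on the MAC address, so it stops working the moment the device presents a different one.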
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Mon Jun 10, 2019 14:01
Alozaros wrote:
If you just add it via SSH, it will stay and work only until the next reboot.

I didn't put the line in startup script, because I want to add this line and remove it when applicable (now by hand over ssh, but when I got it working I intend to do this from my home automation server).

I don't know if the line 'insmod ipt_mac' really needs to go in the start-up script. I tried using it first through ssh, then issued the iptables command. But this doesn't do anything either.
I searched this forum for 'start up script' but couldn't find anything.

I did block the mac-address from the dd-wrt web interface (control panel/access restriction). This works! Even then I don't see a change in the iptables forward chain when I issue 'iptables -vnL FORWARD'.

Is there a way to set an 'access policy' that I set up through GUI to 'active' and later to 'inactive' from ssh? That would solve my problem.
guido72
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 17

PostPosted: Mon Jun 10, 2019 15:14
Never mind the start up scripts, found it here: https://wiki.dd-wrt.com/wiki/index.php/Startup_Scripts.

If someone knows how to activate a policy from ssh, that would still be very useful.