Here is my iptables lan->wan MAC filter

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload
Author Message
ZeWaren
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 1
Location: Plouzane, Bretagne, France

PostPosted: Wed Oct 29, 2008 18:54    Post subject: Here is my iptables lan->wan MAC filter Reply with quote
Hello everyone.
I am quite surprised that dd-wrt v24 doesn't have anything to prevent users from using the internet by mac, ie a simple lan->wan mac filter.

Here is how I did it, using simple iptables rules.
Code:

insmod xt_mac
insmod ipt_mac
iptables -I FORWARD -o vlan2 -j DROP

iptables -I FORWARD -o vlan2 -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT
iptables -I FORWARD -o vlan2 -m mac --mac-source 00:00:00:00:00:02 -j ACCEPT

This will only allow 00:00:00:00:00:01 and 00:00:00:00:00:02 to access the wan interface, by wire or by wifi.

This is the only solution I found to achieve what I needed (my router is on a residential 200+ computer network).

Do you have any comments about it? Do you plan on setting this kind of mac filter in the web-binterface? Did I do something wrong?

BTW, I'm using a Dlink DIR-300.

Erwan Martin.
French student.
Sponsor
zatara
DD-WRT Novice


Joined: 26 Jun 2008
Posts: 17

PostPosted: Tue Dec 09, 2008 5:03    Post subject: Mac Filter Reply with quote
Are there any additional iptables that are needed for this to work? I am trying to accomplish the exact same thing as you, but when I entered:

iptables -I FORWARD -o vlan2 -j DROP

my "unauthorized" laptop was still able to get on the internet. I have the default firewall rules with NAT turned on. Am I missing something or is that command supposed to stop all unauthorized traffic immediately?

Thanks,

Zatz
zatara
DD-WRT Novice


Joined: 26 Jun 2008
Posts: 17

PostPosted: Tue Dec 09, 2008 6:07    Post subject: Figured it out Reply with quote
I am retarded... Please forgive my previous questions, turns out my wan port is on vlan1 not vlan2. It works beautifully, you are a genius my good man.

Thanks,

Zatara
addy_ro
DD-WRT Novice


Joined: 20 Feb 2009
Posts: 4

PostPosted: Fri Feb 20, 2009 7:55    Post subject: Reply with quote
this code will block access to the internet to everyone except the ones with mac from the code ?

if so it's exactly what i am looking for.

But where do i run this code ?

Please help, I'm new to this iptables stuff!
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

PostPosted: Sat Feb 21, 2009 20:12    Post subject: Reply with quote
Access restrictions tab?
_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Sat Feb 21, 2009 20:52    Post subject: Reply with quote
ZeWaren wrote:
I am quite surprised that dd-wrt v24 doesn't have anything to prevent users from using the internet by mac, ie a simple lan->wan mac filter.


addy_ro wrote:
But where do i run this code ?


olmari wrote:
Access restrictions tab?


:lol:
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

PostPosted: Sat Feb 21, 2009 20:57    Post subject: Reply with quote
Well I wasn't referring to where run the code, but that DD-WRT GUI to have similar functionality...
_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Sat Feb 21, 2009 21:04    Post subject: Reply with quote
I know. That's what makes it funny. Wink
addy_ro
DD-WRT Novice


Joined: 20 Feb 2009
Posts: 4

PostPosted: Sun Feb 22, 2009 8:48    Post subject: Reply with quote
So nobody can tell me if i can do this and how ?
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Sun Feb 22, 2009 19:37    Post subject: Reply with quote
I'm surprised you did not find it after two days..

Admin -> Commands

Why are you running this code anyway when olmari says dd-wrt already has similar function built in.
addy_ro
DD-WRT Novice


Joined: 20 Feb 2009
Posts: 4

PostPosted: Tue Feb 24, 2009 12:53    Post subject: Reply with quote
I tried that way, nothing happend
zatara
DD-WRT Novice


Joined: 26 Jun 2008
Posts: 17

PostPosted: Sat Mar 07, 2009 23:30    Post subject: Reply with quote
Click on the admin tab and then click commands, and then save it as "Firewall" Please make sure you know what your outgoing interface is.

PS - This script breaks Hotmail.com, turbotax.com itunes.com and others for some reason. I am looking into it. What I have found so far is that these servers have a server side redirection that gets munged up and never makes it to the client.


Zatz
forheman
DD-WRT Novice


Joined: 30 Jan 2016
Posts: 1

PostPosted: Sat Jan 30, 2016 13:00    Post subject: Reply with quote
DD-WRT v3.0-r28586 std (12/23/15)
TPLINK TL-WDR4300

Works correctly.
Does not break anything Smile

Thank you ZeWaren. I have been trying to find this solution since two weeks !
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum