FreshTomato Wiki

User Tools

Site Tools

Trace: restrict restrict-edit admin-access wireless_filter admin_access device_filtering

Sidebar

freshtomato.org

Wiki

▸ About

▸ Releases

▸ Hardware compatibility

▸ 3G/4G/5G compatibility

▸ Feature matrix

▸ Documentation

▸ HOWTOs

▸ FAQ

Forum

AX

Download

Changelog

Development

Bug track

ARM

Download

Changelog

Development

Bug track

MIPS

Download

Changelog

Development

Bug track


TomatoAnon

Style Guidelines

✔️ Help (WikiText Syntax)

🧑‍🤝‍🧑 Credits

💰 Donations

device_filtering

Table of Contents

Block devices via script/Scheduler

The easiest way to filter WiFi devices is to use the Wireless Filter menu. However, there are times you want to block specific devices via a script. This is especially true when you need to manage device blocking for many devices. Scripting also lets you schedule blocking/filtering on or off, as needed.


  • For a bridged environment (Media Bridge mode,
    Ethernet Bridge mode or switched LAN) you use ebtables.


  • For a routed environment (single router), you must use iptables.


Given a MAC address you wish to control, such as: “AA:BB:CC:DD:EE:FF” you can filter in two ways:

ebtables (routed environment)

# Block
/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP


# Unblock
/usr/sbin/ebtables -D FORWARD -d AA:BB:CC:DD:EE:FF -j DROP


# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F

NOTE: There might be additional ebtables in your system so be careful about flushing the full ebtable.

iptables

# Block Internet access (or any intra-vlan):
/sbin/iptables -I FORWARD -m mac –mac-source AA:BB:DD:EE:FF -j DROP


# Block any network activity, even services provided by the router (minidlna/webserver):
/sbin/iptables -I INPUT -m mac –mac-source AA:BB:CC:DD:EE:FF -j DROP


# Unblock (reverse) whatever command was issued by replacing “-I” with “-D”:
/sbin/iptables -D FORWARD -m mac –mac-source AA:BB:CC:DD:EE:FF -j DROP


# Flush
You don't do that for iptables. Reboot the device instead.



These days, many devices use MAC randomization which can make blocking MAC addresses tedious. MAC addresses can “change” frequently.

To help manage this, one option is to filter using hostnames.


For example:

# Block:
iptables -I FORWARD -s iphone-julie -j DROP


# Unblock:
iptables -D FORWARD -s iphone-julie -j DROP


Notes

The kernel still resolves the hostname to an IP address. A device with randomized MAC address will obtain a new IP address when reconnecting. This may function well, but only until the user restarts the device or manually disconnects WiFi.

If you're security conscious, you could trigger a “service wireless restart” for each new client connecting, but that would be disruptive to the general network.

For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For details about this approach, see the HOWTO: Turning on/off radio elements from script.


device_filtering.txt · Last modified: 2025/03/03 18:09 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki