Site Tools


Block devices via script/Scheduler

The easiest way to filter WiFi devices is to use the Wireless Filter menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or off, as needed.

  • For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need ebtables.
  • For a routed environment (single router), you will use iptables.

Given a MAC address you want to control, such as: AA:BB:CC:DD:EE:FF you can filter in two ways:

ebtables (routed environment)

# Block
/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP

# Unblock
/usr/sbin/ebtables -D FORWARD -d AA:BB:CC:DD:EE:FF -j DROP

# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F

NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable.


# Block Internet access (or any intra-vlan)
/sbin/iptables -I FORWARD -m mac –mac-source AA:BB:DD:EE:FF -j DROP

# Block any network activity, including services provided by the router (e.g. minidlna/webserver/mysql)
/sbin/iptables -I INPUT -m mac –mac-source AA:BB:CC:DD:EE:FF -j DROP

# Unblock (reverse) whatever command was issued by replacing “-I” with “-D” :
/sbin/iptables -D FORWARD -m mac –mac-source AA:BB:CC:DD:EE:FF -j DROP

# Flush
You don't do that for iptables :-) instead, reboot the device

These days, blocking MAC addresses can be tedious task. Many client devices use a MAC randomization function. MAC addresses can “change” freqeently.

For dealing with this, one alternative is to filter using hostnames.

For example:

# Block
iptables -I FORWARD -s iphone-julie -j DROP

# Unblock
iptables -D FORWARD -s iphone-julie -j DROP

Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the device or just manually disconnects/reconnects WiFi.

If you were very security conscious, you could trigger a “service wireless restart” for each new client connecting, but that would be disruptive to the network in general.

For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For more details about this approach, see this HOWTO: Turning on/off radio elements from script.

device_filtering.txt · Last modified: 2023/05/24 21:38 by hogwild