Block devices via script/scheduler

The easiest way to filter wireless devices is to use the basic wireless filter. There are cases, though, where you would need or prefer to block specific devices via a script, either for easier management (a large number of devices) or to be able to schedule the filtering on/off as needed.

For a bridged environment (media bridge / ethernet bridge / FT-FT via ethernet) you will need ebtables, whereas for a router environment (single router) iptables is your friend.

Given a MAC address you want to control, say aa:bb:cc:dd:ee:ff, you can filter in two ways:

ebtables

# Block
/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP

# Unblock
/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP

# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F
NOTE: you might have additional ebtables rules on your system, so be very careful about flushing the whole table.

iptables

# Block Internet access (or any inter-VLAN traffic)
/sbin/iptables -I FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

# Block any network activity, including services provided by the router itself (e.g. minidlna/webserver/mysql)
/sbin/iptables -I INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

# Unblock: just reverse whichever command you used by replacing -I with -D, e.g.
/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

# Flush
You don't do that for iptables :-) rather reboot the device
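As an added example (not part of the original page), a small POSIX shell script that a scheduler or cron job can call for the iptables case above. It keeps the per-device DROP rules in their own chain so that repeated runs do not stack duplicate rules and the rules can be flushed without rebooting; the chain name DEVFILTER and the iptables path are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): keep per-device DROP rules in a dedicated
# chain (DEVFILTER, an assumed name) so scheduled runs stay idempotent and the
# chain can be flushed without rebooting the router.
IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-DEVFILTER}"

# DRY_RUN=1 prints commands instead of running them; -C and -D then report
# "rule absent" so each add/delete path is shown exactly once.
run() {
    [ "${DRY_RUN:-0}" = "1" ] || { "$IPT" "$@"; return; }
    echo "$IPT $*"
    [ "$1" != "-C" ] && [ "$1" != "-D" ]
}

# 0 for six colon-separated hex pairs, 1 otherwise: reject malformed input
# before it reaches iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Create the chain once and hook it into FORWARD and INPUT (-C skips the hook when present).
ensure_chain() {
    run -N "$CHAIN" 2>/dev/null || true
    for base in FORWARD INPUT; do
        run -C "$base" -j "$CHAIN" 2>/dev/null || run -I "$base" -j "$CHAIN"
    done
}

# Append the DROP rule only if -C says it is not there yet, so a nightly cron
# job does not stack duplicate rules.
block() {
    valid_mac "$1" || { echo "bad mac: $1" >&2; return 2; }
    ensure_chain
    run -C "$CHAIN" -m mac --mac-source "$1" -j DROP 2>/dev/null \
        || run -A "$CHAIN" -m mac --mac-source "$1" -j DROP
}

# -D removes one copy per call, so loop until none is left.
unblock() {
    valid_mac "$1" || { echo "bad mac: $1" >&2; return 2; }
    while run -D "$CHAIN" -m mac --mac-source "$1" -j DROP 2>/dev/null; do :; done
}

# Empty only our chain; every other rule on the router is untouched.
flush() { run -F "$CHAIN"; }
case "${1:-}" in
    block|unblock) "$1" "$2" ;;
    flush) flush ;;
esac
```

Run it as `devfilter.sh block aa:bb:cc:dd:ee:ff` from the scheduler and `devfilter.sh unblock aa:bb:cc:dd:ee:ff` to lift the block; `DRY_RUN=1` shows the iptables commands without touching the ruleset.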

Blocking MAC addresses nowadays can be a very tedious task, as many end devices have MAC randomisation enabled. An alternative is to filter using hostnames, e.g.:

# Block
iptables -I FORWARD -s iphone-julie -j DROP

# Unblock
iptables -D FORWARD -s iphone-julie -j DROP

Still, the hostname is resolved into an IP by the kernel, and a device with a random MAC address will obtain a new IP when it reconnects. This is probably good until the user decides to restart the phone or simply disconnects/reconnects WiFi manually. As a paranoid approach you could trigger a wireless service restart for each new client that connects, but that would cause disruption. For wireless devices, possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable that SSID as needed, as described in this article.

device_filtering.txt · Last modified: 2022/11/28 14:36 by rs232