device_filtering

Differences

This shows you the differences between two versions of the page.

device_filtering [2023/05/24 21:07] – [Block devices via script/scheduler] hogwild
device_filtering [2023/05/24 21:12] – [iptables] -formatting hogwild
Line 13: Line 13:
 ===== ebtables ===== ===== ebtables =====
  
-# Block\\ +# Block\\  ''/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''
-''/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''+
  
-# Unblock\\ + \\ 
-''/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''+ 
 +# Unblock\\  ''/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP'' 
 + 
 + \\ 
 + 
 +# Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\ 
 + 
 + NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable.
  
-# Flush (unblock all the defined references at once)\\ 
-''/usr/sbin/ebtables -F''\\ 
-NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable. 
  
 ===== iptables ===== ===== iptables =====
-# Block Internet access (or any intra-vlan)\\ 
-''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
  
-# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\ +# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
-''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+ 
 + \\ 
 + 
 +# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock just rever whatever command replacinf -I with -D e.g.\\  ''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
 + 
 + \\ 
 + 
 +# Flush\\  ''You don't do that for iptables '':-)'' rather reboot the device'' 
 + 
 +These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqently. 
 + 
 +For dealing with this, one alternative is to filter using hostnames. 
 + 
 + \\ 
 + 
 +For example:\\ 
 + 
 +# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\
  
-# Unblock just rever whatever command replacinf -I with -D e.g.\\ +# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP''
-''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+
  
-# Flush\\ + \\
-''You don't do that for iptables :-) rather reboot the device''+
  
-Blocking mac addresses nowadays can be a very tedious task as many end devices have the mac randomisation function enabled. An alternative is to filter using hostnames e.g.\\+Still, the hostname is resolved into an IP address by the kernelA device with randomized MAC address will obtain a new IP when reconnecting. This will probably function well until the user decides to restart the device or even disconnect/reconnect WiFi manually.
  
-# Block\\ +You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]].
-''iptables -I FORWARD -s iphone-julie -j DROP''+
  
-# Unblock\\ 
-''iptables -D FORWARD -s iphone-julie -j DROP'' 
  
-Still, the hostname is resolved into an IP by the kernel and a device with random mac address will obtain a new IP when reconnecting. Probably good until the user decides to restart the phone or simply disconnect/reconnect WiFi manually. You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]]. 
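Review bot: the hostname rules (''iptables -I FORWARD -s iphone-julie -j DROP'') have the name resolved once, by the iptables command at insertion time, and the rule stored in the kernel carries only the resulting fixed IP address; the sentence "the hostname is resolved into an IP address by the kernel" should say this, because it is precisely why a randomized-MAC device that reconnects with a new lease is no longer matched. Suggest adding that ''iptables -S FORWARD'' lists the stored address rather than the name, which makes the stale rule easy to spot. Two smaller points in the same hunk: the ebtables rules match ''-d aa:bb:cc:dd:ee:ff'' (destination MAC), so they drop only frames sent to the device and not frames it originates, which needs a matching ''-s'' rule if both directions are intended; and since ''-I'' inserts a fresh copy each time it is run while ''-D'' removes a single copy, the unblock step should mention checking the chain afterwards so no duplicate rule is left behind.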
device_filtering.txt · Last modified: 2023/05/24 21:38 by hogwild