device_filtering [2023/05/24 21:07] – [ebtables] -formatting hogwild
device_filtering [2023/05/24 21:12] – [iptables] -formatting hogwild
Line 27: Line 27:
  
 ===== iptables ===== ===== iptables =====
-# Block Internet access (or any intra-vlan)\\ 
-''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
  
-# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\ +# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''
-''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+
  
-# Unblock just rever whatever command replacinf -I with -D e.g.\\ + \\
-''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+
  
-Flush\\ +Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''
-''You don't do that for iptables :-) rather reboot the device''+
  
-Blocking mac addresses nowadays can be a very tedious task as many end devices have the mac randomisation function enabled. An alternative is to filter using hostnames e.g.\\+ \\
  
-Block\\ +Unblock just rever whatever command replacinf -I with -D e.g.\\  ''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
-''iptables -I FORWARD -s iphone-julie -j DROP''+ 
 + \\ 
 + 
 +# Flush\\  ''You don't do that for iptables '':-)'' rather reboot the device'' 
 + 
 +These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqently. 
 + 
 +For dealing with this, one alternative is to filter using hostnames. 
 + 
 + \\ 
 + 
 +For example:\\ 
 + 
 +# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\ 
 + 
 +Still, the hostname is resolved into an IP address by the kernel. A device with randomized MAC address will obtain a new IP when reconnecting. This will probably function well until the user decides to restart the device or even disconnect/reconnect WiFi manually. 
 + 
 +You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]].
  
-# Unblock\\ 
-''iptables -D FORWARD -s iphone-julie -j DROP'' 
  
-Still, the hostname is resolved into an IP by the kernel and a device with random mac address will obtain a new IP when reconnecting. Probably good until the user decides to restart the phone or simply disconnect/reconnect WiFi manually. You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]]. 
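Review bot: the reworded lines still carry the old revision's typos, so this "formatting" pass leaves "Unblock just rever whatever command replacinf -I with -D" (should read "reverse" and "replacing"), "acrtivity", and the unmatched closing parenthesis in "including services provided by the router itself e.g. minidlna/webserver/mysql)"; the new MAC-randomization paragraph adds "freqently" and "can  be tedious task" (missing "a"). The Flush line's '' quoting is also unbalanced in the new version, "''You don't do that for iptables '':-)'' rather reboot the device''", so it will not render as one monospaced span. On the hostname rules, one correction is worth adding next to "Still, the hostname is resolved into an IP address by the kernel": it is the iptables command that resolves iphone-julie when the rule is inserted, and the kernel then matches only that fixed address, which is exactly why the rule stops matching after the device reconnects with a new address; the matching "iptables -D FORWARD -s iphone-julie -j DROP" will likewise only find the rule if the name still resolves to the same address, so the unblock instruction should say to delete the rule by its number in "iptables -L FORWARD --line-numbers" when the name has changed. Finally, the INPUT and FORWARD examples use "-I" without a chain position, so they land at the top of the chain ahead of any existing ACCEPT rules, which is the behaviour the page wants but deserves a sentence saying so, since "-A" would silently fail to block on a router with an earlier allow rule.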
device_filtering.txt · Last modified: 2023/05/24 21:38 by hogwild