device_filtering [2023/05/24 21:07] – [ebtables] -formatting hogwild | device_filtering [2023/05/24 21:12] – [iptables] -formatting hogwild | ||
Line 27: | Line 27: | ||
===== iptables ===== | ===== iptables ===== | ||
- | # Block Internet access (or any intra-vlan)\\ | ||
- | ''/ | ||
- | # Block any network acrtivity including services provided by the router itself e.g. minidlna/ | + | # Block Internet access (or any intra-vlan)\\ ''/ |
- | ''/ | + | |
- | # Unblock just rever whatever command replacinf -I with -D e.g.\\ | + | \\ |
- | ''/ | + | |
- | # Flush\\ | + | # Block any network acrtivity including services provided by the router itself e.g. minidlna/ |
- | '' | + | |
- | Blocking mac addresses nowadays can be a very tedious task as many end devices have the mac randomisation function enabled. An alternative is to filter using hostnames e.g.\\ | + | \\ |
- | # Block\\ | + | # Unblock just rever whatever command replacinf -I with -D e.g.\\ ''/ |
- | '' | + | |
+ | \\ | ||
+ | |||
+ | # Flush\\ | ||
+ | |||
+ | These days, blocking MAC addresses can be tedious task. Many client devices use a MAC randomization function. MAC addresses can " | ||
+ | |||
+ | For dealing with this, one alternative is to filter using hostnames. | ||
+ | |||
+ | \\ | ||
+ | |||
+ | For example: | ||
+ | |||
+ | # Block\\ | ||
+ | |||
+ | \\ | ||
+ | |||
+ | # Unblock\\ | ||
+ | |||
+ | \\ | ||
+ | |||
+ | Still, the hostname is resolved into an IP address by the kernel. A device with randomized MAC address will obtain a new IP when reconnecting. This will probably function well until the user decides to restart the device or even disconnect/ | ||
+ | |||
+ | You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/ | ||
- | # Unblock\\ | ||
- | '' | ||
- | Still, the hostname is resolved into an IP by the kernel and a device with random mac address will obtain a new IP when reconnecting. Probably good until the user decides to restart the phone or simply disconnect/ |
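Review bot: the added paragraph's sentence "Still, the hostname is resolved into an IP address by the kernel" misplaces where the resolution happens, and the correction strengthens the paragraph's own conclusion. Netfilter has no notion of hostnames; the iptables user-space command resolves the name with the system resolver once, at the moment the rule is inserted, and hands the kernel a plain IP address. A rule written with a hostname therefore keeps matching only the IP the device held when the rule was added, which is exactly why it stops working after the device reconnects with a new lease. Suggested wording: "Still, the hostname is resolved to an IP address once, by the iptables command when the rule is inserted, and the kernel only stores that IP." Smaller points carried over into the new revision: "acrtivity" should be "activity", "rever" should be "revert", "replacinf" should be "replacing", and "can be tedious task" should be "can be a tedious task". For the -I/-D unblock hint it is worth adding that -D only removes a rule whose match specification is identical to the one given with -I, so the unblock command must repeat the original rule exactly apart from the flag.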