device_filtering

device_filtering [2022/11/28 14:35] rs232device_filtering [2023/05/24 21:30] – [iptables] -condense, formatting hogwild
Line 1: Line 1:
 ====== Block devices via script/scheduler ====== ====== Block devices via script/scheduler ======
  
-The easiest way to achieve filtering of wireless devices is to use the basic/[[basic-wfilter|wireless filter]]. There are cases though where you would need/prefer to block specific devices via a script, this can be for easier management (large number of devices) or to ba able to schedule the filtering on/off as needed.+The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menuHowever, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or offas needed.
  
-For bridged environment (media-bridge/ethernet-bridge/FT-FT-via-ethernet) you will need **ebtables** where for router environment (single router) **iptables** is your friend.+  * For bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need //ebtables.// 
 +  For a routed environment (single router), you will use //iptables//.
  
-Given a mac address you want to control say ''aa:bb:cc:dd:ee:ff'' you can filter in two ways:+ \\
  
-===== ebtables =====+Given a MAC address you want to control, such as: ''AA:BB:CC:DD:EE:FF'' you can filter in two ways:
  
-# Block\\ 
-''/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP'' 
  
-Unblock\\ +===== ebtables (routed environment) ===== 
-''/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''+ 
 +Block\\  ''/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock\\  ''/usr/sbin/ebtables -D FORWARD -d AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\ 
 + 
 + NOTE: you might have additional ebtables in your system so **be very careful** about flushing the full ebtable.
  
-# Flush (unblock all the defined references at once)\\ 
-''/usr/sbin/ebtables -F''\\ 
-NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable. 
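Review bot: the new section heading "===== ebtables (routed environment) =====" contradicts the bullet list added just above it, which assigns //ebtables// to bridged setups (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) and //iptables// to the routed single-router case; the heading should read "ebtables (bridged environment)". On the rules themselves, both the block and unblock commands match only the destination MAC (''-d AA:BB:CC:DD:EE:FF''), so frames the device itself sends are still forwarded; a second FORWARD rule with ''-s AA:BB:CC:DD:EE:FF -j DROP'' (and a matching ''-D'' to undo it) is needed if the intent is to cut the device off in both directions. The kept warning about ''ebtables -F'' is right to stand out: with no chain given it flushes every chain of the filter table, not just the rules added here, so listing the current rules first is the safer habit before flushing.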
  
 ===== iptables ===== ===== iptables =====
-# Block Internet access (or any intra-vlan)\\ 
-''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
  
-# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\ +# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source AA:BB:DD:EE:FF -j DROP'' 
-''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+ 
 + \\ 
 + 
 +# Block any network activity, including services provided by the router (e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock (reverse) whatever command was issued by replacing "-I" with "-D" :\\  ''/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Flush\\  ''You don't do that for iptables '':-)'' instead, reboot the device'' 
 + 
 + \\ 
 + 
 +These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqeently. 
 + 
 +For dealing with this, one alternative is to filter using hostnames. 
 + 
 + \\ 
 + 
 +For example:\\ 
 + 
 +# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP''
  
-# Unblock just rever whatever command replacinf -I with -D e.g.\\ + \\
-''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+
  
-# Flush\\ +Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the device or just manually disconnects/reconnects WiFi.
-''You don't do that for iptables :-) rather reboot the device''+
  
-Blocking mac addresses nowadays can be a very tedious task as many end devices have the mac randomisation function enabled. An alternative is to filter using hostnames e.g.\\+If you were very security conscious, you could trigger a "service wireless restart" for each new client connecting, but that would be disruptive to the network in general.
  
-# Block\\ +For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For more details about this approach, see this HOWTO: [[toggle_radio|Turning on/off radio elements from script]].
-''iptables -I FORWARD -s iphone-julie -j DROP''+
  
-# Unblock\\ 
-''iptables -D FORWARD -s iphone-julie -j DROP'' 
  
-Still, the hostname is resolved into an IP by the kernel and a device with random mac address will obtain a new IP when reconnecting. Probably good until the user decides to restart the phone or simply disconnect/reconnect WiFi manually. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]]. 
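Review bot: the rewritten "Block Internet access" line has a malformed MAC, ''AA:BB:DD:EE:FF'' (five octets), where the previous revision had the full six-octet ''aa:bb:cc:dd:ee:ff'' and every other rule on the page uses ''AA:BB:CC:DD:EE:FF''; iptables rejects a ''--mac-source'' value of that shape, so the example as shown does not run. The "Flush" entry in the new revision has unbalanced '' markup ("''You don't do that for iptables '':-)'' instead, reboot the device''") and is advice rather than a command; since the page recommends ''-I'' to block and ''-D'' to unblock, it is worth adding that each ''-I'' inserts a separate copy of the rule, so a block issued twice needs ''-D'' twice, and that ''iptables -S FORWARD'' shows exactly which rules are still in place before deleting or rebooting. For the hostname rules (''-s iphone-julie''), the caveat in the closing paragraph, that the name is resolved to an IP once when the rule is inserted, belongs next to the rule itself, because a reader otherwise expects the rule to follow the device after its address changes. Minor text issues in the new revision: "can  be tedious task" (double space, missing article), "freqeently", and "on or offas needed".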
device_filtering.txt · Last modified: 2023/05/24 21:38 by hogwild