FreshTomato Wiki

User Tools

Site Tools

Trace:
device_filtering

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
device_filtering [2023/05/24 21:17] – [ebtables] -changed MAC address to caps for easier reading hogwilddevice_filtering [2025/03/03 18:09] (current) – [Notes] -condense hogwild
Line 1: Line 1:
-====== Block devices via script/scheduler ======+====== Block devices via script/Scheduler ======
  
-The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or off, as needed.+The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times you want to block specific devices via a script. This is especially true when you need to manage device blocking for many devices. Scripting also lets you schedule blocking/filtering on or off, as needed.
  
-  * For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need //ebtables.// + \\ 
-  * For a routed environment (single router), you will use //iptables//.+ 
 +  * For a bridged environment (Media Bridge mode, \\ Ethernet Bridge mode or switched LAN) you use //ebtables.//
  
  \\  \\
  
-Given MAC address you want to controlsuch as: ''AA:BB:CC:DD:EE:FF'' you can filter in two ways:+  * For routed environment (single router), you must use //iptables//.
  
 + \\
  
-===== ebtables =====+Given a MAC address you wish to control, such as: "AA:BB:CC:DD:EE:FF" you can filter in two ways: 
 + 
 + 
 +===== ebtables (routed environment) =====
  
 # Block\\  ''/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP'' # Block\\  ''/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP''
Line 23: Line 28:
 # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\ # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\
  
- NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable.+NOTE: There might be additional ebtables in your system so **be careful** about flushing the full ebtable.
  
  
 ===== iptables ===== ===== iptables =====
  
-# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+# Block Internet access (or any intra-vlan):\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source AA:BB:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+# Block any network activity, even services provided by the router (minidlna/webserver):\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Unblock just rever whatever command replacinf -I with -D e.g.\\  ''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+# Unblock (reverse) whatever command was issued by replacing "-Iwith "-D":\\  ''/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Flush\\  ''You don't do that for iptables '':-)'' rather reboot the device''+# Flush\\  You don't do that for iptables. Reboot the device instead.
  
-These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqently.+ \\ 
 + 
 + \\ 
 + 
 +These days, many devices use MAC randomization which can make blocking MAC addresses tedious. MAC addresses can "change" frequently.
  
-For dealing with this, one alternative is to filter using hostnames.+To help manage this, one option is to filter using hostnames.
  
  \\  \\
Line 50: Line 59:
 For example:\\ For example:\\
  
-# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP''+# Block:\\  ''iptables -I FORWARD -s iphone-julie -j DROP''
  
  \\  \\
  
-# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP''+# Unblock:\\  ''iptables -D FORWARD -s iphone-julie -j DROP''
  
  \\  \\
  
-Still, the hostname is resolved into an IP address by the kernel. A device with randomized MAC address will obtain a new IP when reconnecting. This will probably function well until the user decides to restart the device or even disconnect/reconnect WiFi manually. 
  
-You could as paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]].+===== Notes ===== 
 + 
 +The kernel still resolves the hostname to an IP address. A device with randomized MAC address will obtain new IP address when reconnecting. This may function well, but only until the user restarts the device or manually disconnects WiFi. 
 + 
 +If you're security conscious, you could trigger a "service wireless restartfor each new client connectingbut that would be disruptive to the general network. 
 + 
 +For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSIDand enable/disable that SSID as needed. For details about this approach, see the HOWTO: [[toggle_radio|Turning on/off radio elements from script]]. 
 + 
 + \\
  
  
device_filtering.1684959422.txt.gz · Last modified: 2023/05/24 21:17 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki