The easiest way to filter wireless devices is the basic wireless filter. There are cases, though, where you would need or prefer to block specific devices via a script, either for easier management (a large number of devices) or to be able to schedule the filtering on and off as needed.
In a bridged environment (media-bridge/ethernet-bridge/FT-FT-via-ethernet) you need ebtables, because client traffic is switched at layer 2 and never passes through the IP firewall; in a routing environment (a single router) iptables is your friend.
Given a MAC address you want to control, say aa:bb:cc:dd:ee:ff, you can filter in two ways:
# Block
/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP
# Unblock
/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP
# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F
NOTE: -d matches the destination MAC, so the rule above drops frames sent to the device; to also drop what the device sends, add the same rule with -s aa:bb:cc:dd:ee:ff. Also, you might have additional ebtables rules in your system, so be very careful with -F: without a chain name it flushes every chain of the table, not just your rules.
# Block Internet access (and anything else the router forwards, e.g. between VLANs or interfaces; traffic switched within one LAN segment never reaches FORWARD)
/sbin/iptables -I FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# Block any network activity, including services provided by the router itself (e.g. minidlna / web server / mysql)
/sbin/iptables -I INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# To unblock, reverse whichever command you used by replacing -I with -D, e.g.
/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# Flush
Don't flush iptables chains: the firmware's own firewall and NAT rules live in the same FORWARD and INPUT chains and would be removed along with yours. Delete your rules one by one with -D (repeat until it fails if a rule was inserted more than once), or reboot the device.
NOTE: the mac match only works in the PREROUTING, FORWARD and INPUT chains and sees the source MAC of the frame as it arrived at the router, so it identifies only devices directly attached to the router's LAN/WLAN, not clients sitting behind another router or bridge.
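The iptables commands above are what you would type by hand. The following script, added here as an example and not part of the original page, wraps them for scheduled use: it validates the MAC, inserts the DROP rule into both FORWARD and INPUT only if it is not already there (so a nightly cron job never stacks duplicate rules), and on unblock deletes every copy. It assumes iptables at /sbin/iptables (overridable via IPTABLES= for a dry run) and a directly attached client; the script path /jffs/scripts/macblock.sh in the crontab comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent block/unblock of one LAN
# client by MAC address on an iptables router, suitable for calling from cron.
# Assumptions: iptables is at /sbin/iptables (override with IPTABLES=... to test
# or dry-run) and the client is directly attached to the router, so -m mac sees
# its real source MAC. Chains follow the page: FORWARD = traffic through the
# router, INPUT = services on the router itself.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAINS="${CHAINS:-FORWARD INPUT}"

# Lower-case a MAC and check it has the aa:bb:cc:dd:ee:ff shape; print it, or
# fail so a typo can never become a rule that silently matches nothing.
normalize_mac() {
    _mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if printf '%s\n' "$_mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf '%s\n' "$_mac"
    else
        echo "invalid MAC address: $1" >&2
        return 1
    fi
}

# True if the DROP rule for MAC $2 is already in chain $1 (-C checks, changes nothing).
rule_present() {
    "$IPTABLES" -C "$1" -m mac --mac-source "$2" -j DROP 2>/dev/null
}

# Insert the rule at the top of each chain exactly once: re-running this from
# cron every night must not pile up duplicate rules.
block_mac() {
    mac=$(normalize_mac "$1") || return 1
    for chain in $CHAINS; do
        rule_present "$chain" "$mac" ||
            "$IPTABLES" -I "$chain" -m mac --mac-source "$mac" -j DROP
    done
}

# Delete every copy of the rule, so "unblock" fully reverts even if someone
# added the rule twice by hand.
unblock_mac() {
    mac=$(normalize_mac "$1") || return 1
    for chain in $CHAINS; do
        while rule_present "$chain" "$mac"; do
            "$IPTABLES" -D "$chain" -m mac --mac-source "$mac" -j DROP
        done
    done
}

# Usage:  macblock.sh block|unblock aa:bb:cc:dd:ee:ff
# Crontab lines for a 22:00-07:00 curfew (hypothetical script path):
#   0 22 * * * /jffs/scripts/macblock.sh block   aa:bb:cc:dd:ee:ff
#   0  7 * * * /jffs/scripts/macblock.sh unblock aa:bb:cc:dd:ee:ff
case "$1" in
    block)   block_mac "$2" ;;
    unblock) unblock_mac "$2" ;;
esac
```

The -C check is what makes the script safe to run repeatedly; without it, each cron run would add another identical rule, and a single -D would then leave the device still blocked.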
Blocking MAC addresses nowadays can be a very tedious task, as many end devices have MAC randomisation enabled and show up with a different address after reconnecting. An alternative is to filter using hostnames, e.g.
# Block
iptables -I FORWARD -s iphone-julie -j DROP
# Unblock
iptables -D FORWARD -s iphone-julie -j DROP
Still, the hostname is resolved into an IP address only once, by the iptables command when the rule is inserted (the kernel itself only ever sees the IP), and a device with a random MAC address will obtain a new IP when it reconnects. So this is probably good until the user restarts the phone or simply disconnects and reconnects Wi-Fi manually; after that the rule still points at the old address, and the -D command above only removes it if the name still resolves to that same address. Bear in mind too that the hostname is whatever the device reports in its DHCP request, so renaming the phone defeats the rule as well. For wireless devices, possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable that SSID as needed, as described in this article.
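The following script, added here as an example and not part of the original page, takes the hostname approach one step further: instead of letting iptables resolve the name, it reads the hostname's current lease from dnsmasq's lease table, blocks that IP, and records the IP it actually blocked so that unblocking removes the right rule even after the device has picked up a new lease. A refresh action, meant for cron, moves the rule when the lease changes. It assumes a dnsmasq lease file at /var/lib/misc/dnsmasq.leases (the path differs between firmwares), iptables at /sbin/iptables, and a hypothetical state directory under /tmp; all three are overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the original page): block a client by DHCP hostname,
# looking the name up in the router's lease table ourselves and remembering the
# IP that was blocked, so the unblock step removes the right rule even after the
# device reconnected with a new random MAC and a new lease.
# Assumptions: dnsmasq leases at /var/lib/misc/dnsmasq.leases (one line per lease:
# expiry mac ip hostname clientid), iptables at /sbin/iptables, and a hypothetical
# state directory; all overridable via LEASES=, IPTABLES= and STATE_DIR=.

IPTABLES="${IPTABLES:-/sbin/iptables}"
LEASES="${LEASES:-/var/lib/misc/dnsmasq.leases}"
STATE_DIR="${STATE_DIR:-/tmp/hostblock}"

# Current IPv4 address leased to hostname $1, or nothing if it holds no lease.
lease_ip() {
    awk -v h="$1" '$4 == h { print $3; exit }' "$LEASES"
}

# Block whatever IP the name holds right now and write that IP down by name.
block_host() {
    case "$1" in ''|*/*|.*) echo "unusable hostname: $1" >&2; return 1 ;; esac
    ip=$(lease_ip "$1")
    [ -n "$ip" ] || { echo "no active lease for $1" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    "$IPTABLES" -C FORWARD -s "$ip" -j DROP 2>/dev/null ||
        "$IPTABLES" -I FORWARD -s "$ip" -j DROP
    printf '%s\n' "$ip" > "$STATE_DIR/$1"
}

# Undo using the recorded IP, not a fresh lookup: the name may now point elsewhere,
# which is exactly when "iptables -D FORWARD -s <hostname>" fails to find the rule.
unblock_host() {
    [ -f "$STATE_DIR/$1" ] || { echo "$1 is not blocked" >&2; return 1; }
    ip=$(cat "$STATE_DIR/$1")
    while "$IPTABLES" -C FORWARD -s "$ip" -j DROP 2>/dev/null; do
        "$IPTABLES" -D FORWARD -s "$ip" -j DROP
    done
    rm -f "$STATE_DIR/$1"
}

# For cron (e.g. every 5 minutes): if a blocked host's lease moved, follow it.
refresh_host() {
    [ -f "$STATE_DIR/$1" ] || return 0
    old=$(cat "$STATE_DIR/$1")
    new=$(lease_ip "$1")
    [ -n "$new" ] && [ "$new" != "$old" ] || return 0
    unblock_host "$1" && block_host "$1"
}

# Usage: hostblock.sh block|unblock|refresh iphone-julie
case "$1" in
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    refresh) refresh_host "$2" ;;
esac
```

Keeping the state under /tmp matches the lifetime of the iptables rules themselves: both disappear on reboot, so nothing gets out of step. The refresh job narrows the window after a reconnect to one cron interval, but it still cannot stop a device that simply reports a different hostname, which is why the page's dedicated-SSID approach remains the more robust option for wireless clients.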