The easiest way to filter wireless devices is the Wireless Filter menu. There are times, however, when you want to block specific devices from a script: scripting makes it easier to manage blocking for a large number of devices, and it lets you schedule blocking/filtering on or off (e.g. from cron) as needed.
In a bridged environment (media-bridge/ethernet-bridge/FT-FT-via-ethernet) the client traffic is switched at layer 2, so you need ebtables; in a routed environment (single router) iptables is your friend.
Given a MAC address you want to control, say aa:bb:cc:dd:ee:ff, you can filter in two ways:
# Block
/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP
# Unblock
/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP
# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F
NOTE: the firmware or other scripts may already have put rules into ebtables, and -F without a chain name flushes every chain of the table, not just your own rules, so be very careful about flushing the whole ebtables set.
# Block Internet access (and any other traffic routed through the device, e.g. between VLANs; the mac match is only valid in the PREROUTING, INPUT and FORWARD chains)
/sbin/iptables -I FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# Block traffic to the router itself, i.e. the services it provides (e.g. minidlna/webserver/mysql); together with the FORWARD rule above this blocks any network activity
/sbin/iptables -I INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# Unblock: repeat the same command with -I replaced by -D, e.g.
/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# Flush
Don't do that for iptables: -F would also remove the firewall rules the firmware relies on. Delete your own rules one by one with -D, or reboot the device.
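The "flush" problem in both the ebtables and the iptables procedure above goes away if your rules live in a chain of their own. The script below is an added example, not code from the original page or from any firmware: it creates a dedicated chain (the name MACBLOCK, the MODE/DRY_RUN switches and the default tool paths are assumptions) hooked from FORWARD (ebtables, bridged) or from INPUT and FORWARD (iptables, routed), validates the MAC before it ever reaches the command line, refuses duplicate rules, and lets you flush only your own chain. Both modes match the frame's source MAC (the page's ebtables example matches the destination with -d; add a second rule with -d if you want that too).

```shell
#!/bin/sh
# macblock.sh -- added example, not code from the original page.
# Keeps every MAC block rule in one dedicated chain (name assumed: MACBLOCK)
# hooked from the built-in chains, so "flush" empties only that chain and
# never the router's own firewall rules.
#   MODE=iptables  routed setup (default); hooks INPUT and FORWARD
#   MODE=ebtables  bridged setup (media/ethernet bridge); hooks FORWARD
#   DRY_RUN=1      print the commands instead of running them
# Usage: macblock.sh block|unblock MAC... | flush | list

MODE=${MODE:-iptables}
CHAIN=${CHAIN:-MACBLOCK}
DRY_RUN=${DRY_RUN:-0}
IPT=${IPT:-/sbin/iptables}
EBT=${EBT:-/usr/sbin/ebtables}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

tool() {
    if [ "$MODE" = ebtables ]; then echo "$EBT"; else echo "$IPT"; fi
}

parents() {
    if [ "$MODE" = ebtables ]; then echo FORWARD; else echo "INPUT FORWARD"; fi
}

# 0 if $1 is a well-formed MAC (aa:bb:cc:dd:ee:ff, either case), else 1.
# A case pattern (not grep) so that newlines or shell metacharacters in the
# argument can never match.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Match/target part of the rule for MAC $1. Both modes match the frame's
# source MAC, i.e. traffic originating from the device.
rule_for() {
    if [ "$MODE" = ebtables ]; then
        echo "-s $1 -j DROP"
    else
        echo "-m mac --mac-source $1 -j DROP"
    fi
}

# Is $1 already blocked?  iptables has -C (check); legacy ebtables does not
# (its -C changes counters), so there we grep the chain listing.
is_blocked() {
    [ "$DRY_RUN" = 1 ] && return 1
    if [ "$MODE" = ebtables ]; then
        "$EBT" -L "$CHAIN" 2>/dev/null | grep -qi -- "$1"
    else
        # shellcheck disable=SC2046
        "$IPT" -C "$CHAIN" $(rule_for "$1") >/dev/null 2>&1
    fi
}

# Create the chain once and hook it into the parent chains (idempotent).
setup_chain() {
    t=$(tool)
    if [ "$DRY_RUN" = 1 ] || ! "$t" -L "$CHAIN" >/dev/null 2>&1; then
        run "$t" -N "$CHAIN"
        # ebtables user chains default to ACCEPT: unmatched frames must fall
        # back to the parent chain, so set the policy to RETURN explicitly.
        if [ "$MODE" = ebtables ]; then run "$t" -P "$CHAIN" RETURN; fi
    fi
    for p in $(parents); do
        if [ "$DRY_RUN" = 1 ] || ! "$t" -L "$p" 2>/dev/null | grep -q -- "$CHAIN"; then
            run "$t" -I "$p" -j "$CHAIN"
        fi
    done
}

block_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    setup_chain
    if is_blocked "$1"; then
        echo "$1 already blocked" >&2
    else
        # shellcheck disable=SC2046
        run "$(tool)" -A "$CHAIN" $(rule_for "$1")
    fi
}

unblock_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    # shellcheck disable=SC2046
    run "$(tool)" -D "$CHAIN" $(rule_for "$1")
}

# Empty only our chain; the parent chains and the rest of the firewall stay.
flush_blocks() {
    run "$(tool)" -F "$CHAIN"
}

case "${1:-}" in
    block)   shift; for m in "$@"; do block_mac "$m"; done ;;
    unblock) shift; for m in "$@"; do unblock_mac "$m"; done ;;
    flush)   flush_blocks ;;
    list)    "$(tool)" -L "$CHAIN" ;;
    "")      : ;;   # sourced or called without arguments: do nothing
    *)       echo "usage: $0 block|unblock MAC... | flush | list" >&2; exit 2 ;;
esac
```

For scheduled blocking, call it from cron, e.g. `0 22 * * * /path/to/macblock.sh block aa:bb:cc:dd:ee:ff` and `0 7 * * * /path/to/macblock.sh unblock aa:bb:cc:dd:ee:ff` (the path is yours to choose); run it once with DRY_RUN=1 first to see exactly which commands it would issue. Because the firmware's firewall scripts may rebuild the built-in chains on their own, the hook into INPUT/FORWARD is re-checked on every call.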
Blocking MAC addresses nowadays can be a tedious task, as many end devices have MAC randomisation enabled. An alternative is to filter by hostname, e.g.
# Block
iptables -I FORWARD -s iphone-julie -j DROP
# Unblock
iptables -D FORWARD -s iphone-julie -j DROP
Still, the hostname is resolved to an IP address by the iptables tool at the moment the rule is inserted (the kernel only ever stores the IP), and a device with a random MAC address will obtain a new lease, and usually a new IP, when it reconnects, at which point the rule no longer matches it. This is probably good until the user restarts the phone or simply disconnects and reconnects Wi-Fi manually. As a paranoid approach you could trigger a wireless service restart for every new client that connects, but that causes disruption. For wireless devices, possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable that SSID as needed, as described in this article.
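One way around the stale-IP problem just described is to re-apply the rule every time the DHCP server hands the hostname a new lease, instead of resolving the name once. The hook below is an added example, not code from the original page or from any firmware: dnsmasq's --dhcp-script option runs a script as `script add|old|del MAC IP [hostname]` on every lease event, and this handler drops traffic from the IP in the lease whenever the hostname is on the block list (the BLOCKED list, the DRY_RUN switch and the iptables path are assumptions; how you get the dhcp-script line into the router's dnsmasq configuration depends on the firmware). A device with MAC randomisation normally keeps its hostname, so the rule follows it across reconnects.

```shell
#!/bin/sh
# block-by-name.sh -- added example, not code from the original page.
# dnsmasq runs a --dhcp-script hook as:  script add|old|del MAC IP [hostname]
# on every lease event. A device with MAC randomisation gets a new lease
# (new MAC, often a new IP) each time it reconnects, so we key the DROP rule
# on the IP in the current lease rather than on a one-off name lookup.
#   BLOCKED   space-separated hostnames to block (assumed default below)
#   DRY_RUN=1 print the iptables commands instead of running them

BLOCKED=${BLOCKED:-"iphone-julie"}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Is $1 one of the blocked hostnames (case-insensitive)?
is_blocked_name() {
    for n in $BLOCKED; do
        [ "$(lower "$1")" = "$(lower "$n")" ] && return 0
    done
    return 1
}

# Lease event handler: $1 action, $2 MAC (unused, it may be random),
# $3 IP, $4 hostname (empty when the client sent none).
handle_lease() {
    action=$1; ip=$3; name=${4:-}
    [ -n "$name" ] && is_blocked_name "$name" || return 0
    case "$action" in
        add|old)
            # "old" also fires on renewals: only insert if the rule is missing
            if [ "$DRY_RUN" = 1 ] || ! "$IPT" -C FORWARD -s "$ip" -j DROP 2>/dev/null; then
                run "$IPT" -I FORWARD -s "$ip" -j DROP
            fi ;;
        del)
            # lease expired or released: drop the rule so the IP can be reused
            run "$IPT" -D FORWARD -s "$ip" -j DROP ;;
    esac
}

# dnsmasq always passes at least action, MAC and IP
[ $# -ge 3 ] && handle_lease "$@"
```

Only the FORWARD chain is handled here, mirroring the hostname example above; add an INPUT rule in the same places if the device must also be kept away from the router's own services. The block list is matched on the hostname the client reports in its DHCP request, which the client controls, so this is a convenience control for your own household, not a security boundary.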