device_filtering

Differences

This shows you the differences between two versions of the page.

device_filtering [2023/05/24 21:07] – [ebtables] -formatting hogwild
device_filtering [2023/05/24 21:38] (current) – [Block devices via script/scheduler] - Capitalize Scheduler hogwild
Line 1: Line 1:
-====== Block devices via script/scheduler ======+====== Block devices via script/Scheduler ======
  
-The easiest way to filter of wireless devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. Scripting makes it easier to manage device blocking for large number of devices. It also allows you to schedule blocking/filtering on or off, as needed.+The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or off, as needed.
  
   * For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need //ebtables.//   * For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need //ebtables.//
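Review bot: the heading now capitalizes Scheduler as a proper name, but nothing in the intro says which feature that is; consider linking it the same way the paragraph links [[basic-wfilter|Wireless Filter]] so readers know where the scheduling is configured.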
Line 8: Line 8:
  \\  \\
  
-Given a MAC address you want to control, such as: ''aa:bb:cc:dd:ee:ff'' you can filter in two ways:+Given a MAC address you want to control, such as: ''AA:BB:CC:DD:EE:FF'' you can filter in two ways:
  
  
-===== ebtables =====+===== ebtables (routed environment) =====
  
-# Block\\  ''/usr/sbin/ebtables -A FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''+# Block\\  ''/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Unblock\\  ''/usr/sbin/ebtables -D FORWARD -d aa:bb:cc:dd:ee:ff -j DROP''+# Unblock\\  ''/usr/sbin/ebtables -D FORWARD -d AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
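Review bot: the new heading "ebtables (routed environment)" contradicts the bullet at the top of the page, which says ebtables is what you need for a bridged environment (Media-bridge/Ethernet-bridge); ebtables filters at the bridge layer, so the qualifier should read "(bridged environment)" or be dropped. Also worth a sentence: the rule uses ''-d AA:BB:CC:DD:EE:FF'', i.e. it matches frames addressed to the device, whereas the iptables section below matches ''--mac-source''; if the intent is to cut the device off in both directions, a matching ''-s'' rule is needed as well.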
Line 23: Line 23:
 # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\ # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\
  
- NOTE: you might have additional ebtables in your system so be very careful about flushing the full ebtable.+ NOTE: you might have additional ebtables in your system so **be very careful** about flushing the full ebtable.
  
  
 ===== iptables ===== ===== iptables =====
-# Block Internet access (or any intra-vlan)\\ 
-''/sbin/iptables -I **FORWARD** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP'' 
  
-# Block any network acrtivity including services provided by the router itself e.g. minidlna/webserver/mysql)\\ +# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source AA:BB:DD:EE:FF -j DROP''
-''/sbin/iptables -I **INPUT** -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+
  
-# Unblock just rever whatever command replacinf -I with -D e.g.\\ + \\ 
-''/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP''+ 
 +# Block any network activity, including services provided by the router (e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock (reverse) whatever command was issued by replacing "-Iwith "-D" :\\  ''/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP'' 
 + 
 + \\ 
 + 
 +# Flush\\  ''You don't do that for iptables '':-)'' instead, reboot the device'' 
 + 
 + \\ 
 + 
 +These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqeently. 
 + 
 +For dealing with this, one alternative is to filter using hostnames. 
 + 
 + \\ 
 + 
 +For example:\\ 
 + 
 +# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\ 
 + 
 +# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP'' 
 + 
 + \\
  
-# Flush\\ +Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the device or just manually disconnects/reconnects WiFi.
-''You don't do that for iptables :-) rather reboot the device''+
  
-Blocking mac addresses nowadays can be a very tedious task as many end devices have the mac randomisation function enabled. An alternative is to filter using hostnames e.g.\\+If you were very security conscious, you could trigger a "service wireless restart" for each new client connecting, but that would be disruptive to the network in general.
  
-# Block\\ +For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For more details about this approach, see this HOWTO: [[toggle_radio|Turning on/off radio elements from script]].
-''iptables -I FORWARD -s iphone-julie -j DROP''+
  
-# Unblock\\ 
-''iptables -D FORWARD -s iphone-julie -j DROP'' 
  
-Still, the hostname is resolved into an IP by the kernel and a device with random mac address will obtain a new IP when reconnecting. Probably good until the user decides to restart the phone or simply disconnect/reconnect WiFi manually. You could as a paranoia approach trigger a service wireless restart for each new client connecting but that is to cause disruption. For wireless devices possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable the SSID as needed as described in [[toggle_radio|this article]]. 
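Review bot: the FORWARD block example in the new text reads ''--mac-source AA:BB:DD:EE:FF'', which has only five octets (the CC group was dropped); iptables rejects that address, so a reader copying the line gets an error instead of a rule. It should be ''AA:BB:CC:DD:EE:FF'' like the INPUT and unblock examples. Smaller fixes in the same hunk: the unblock line has an unbalanced quote in ''"-Iwith "-D"'' (should be ''"-I" with "-D"''), the Flush line's '''' quoting is mangled around the smiley, and "freqeently" / "can  be tedious task" need a spell check. For the hostname rules, it would help to state outright what the following paragraph only implies: ''-s iphone-julie'' is resolved to an IP address when the rule is inserted, so the rule stays tied to that address and has to be re-added after the client obtains a new lease (or the client given a static DHCP reservation).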
device_filtering.1684958869.txt.gz · Last modified: 2023/05/24 21:07 by hogwild