Block devices via script/scheduler

The easiest way to filter WiFi devices is to use the Wireless Filter menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or off, as needed.

  • For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need ebtables.
  • For a routed environment (single router), you will use iptables.


Given a MAC address you want to control, such as AA:BB:CC:DD:EE:FF, you can filter in two ways:

ebtables (bridged environment)

# Block
/usr/sbin/ebtables -A FORWARD -d AA:BB:CC:DD:EE:FF -j DROP


# Unblock
/usr/sbin/ebtables -D FORWARD -d AA:BB:CC:DD:EE:FF -j DROP


# Flush (unblock all the defined references at once)
/usr/sbin/ebtables -F

NOTE: you might have additional ebtables rules on your system, so be very careful about flushing the whole table.

iptables (routed environment)

# Block Internet access (or any intra-vlan)
/sbin/iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP


# Block any network activity, including services provided by the router (e.g. minidlna/webserver/mysql)
/sbin/iptables -I INPUT -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP


# Unblock: just reverse whichever command you used, replacing -I with -D, e.g.
/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP


# Flush
You don't do that for iptables :-) instead, reboot the device
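The following script is an added example (not from the FreshTomato wiki): it applies the block/unblock commands above to a whole list of MAC addresses, so one file can be called from the scheduler with a "block" or "unblock" argument. It assumes /sbin/iptables (routed setup) or /usr/sbin/ebtables (bridged setup) is present; the list path /jffs/blocked_macs.txt is a hypothetical location.

```shell
#!/bin/sh
# Added example (not from the FreshTomato wiki): block or unblock every MAC in
# a list file, so one script can be called from the scheduler for many devices.
# Assumptions: /sbin/iptables (routed) or /usr/sbin/ebtables (bridged) exists;
# /jffs/blocked_macs.txt is a hypothetical location for the list.

BACKEND="${BACKEND:-iptables}"                 # or: ebtables (bridged setup)
MAC_LIST="${MAC_LIST:-/jffs/blocked_macs.txt}"
IPT="${IPT:-/sbin/iptables}"                   # IPT=echo / EBT=echo = dry run
EBT="${EBT:-/usr/sbin/ebtables}"

# Accept only a well-formed MAC so a bad line can never become a stray rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the rule(s) for one MAC with the given action (-I, -A or -D).
# iptables: source MAC in FORWARD and INPUT, as on the page; ebtables: FORWARD.
each_rule() {                                  # $1=action $2=mac
    if [ "$BACKEND" = ebtables ]; then
        "$EBT" "$1" FORWARD -d "$2" -j DROP
    else
        for chain in FORWARD INPUT; do
            "$IPT" "$1" "$chain" -m mac --mac-source "$2" -j DROP
        done
    fi
}

# Delete any old copy before inserting, so a scheduler job that runs every
# hour never stacks duplicate rules and unblocking needs only one -D.
block_mac()   { valid_mac "$1" || return 1; each_rule -D "$1" 2>/dev/null || true; each_rule -I "$1"; }
unblock_mac() { valid_mac "$1" || return 1; each_rule -D "$1"; }

# Walk the list file: one MAC per line, blank lines and # comments ignored,
# CR stripped in case the file was edited on Windows.
apply_list() {                                 # $1=block|unblock
    [ -r "$MAC_LIST" ] || { echo "cannot read $MAC_LIST" >&2; return 1; }
    grep -Ev '^[[:space:]]*(#|$)' "$MAC_LIST" | tr -d '\r' |
    while read -r mac _; do
        "${1}_mac" "$mac" || echo "skipped invalid entry: $mac" >&2
    done
}

case "${1:-}" in
    block|unblock) apply_list "$1" ;;
    "") ;;                                     # no argument: functions only
    *)  echo "usage: $0 block|unblock" >&2 ;;
esac
```

Run it as `script.sh block` or `script.sh unblock` from the scheduler; setting `IPT=echo` (or `EBT=echo`) prints the commands instead of applying them, which is handy for checking the list before the first real run.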


These days, blocking MAC addresses can be a tedious task. Many client devices use a MAC randomization function, so their MAC address can "change" frequently.

To deal with this, one alternative is to filter by hostname.


For example:

# Block
iptables -I FORWARD -s iphone-julie -j DROP


# Unblock
iptables -D FORWARD -s iphone-julie -j DROP


Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when it reconnects. This will probably work well until the user restarts the device, or even just disconnects and reconnects WiFi manually.

As a paranoid approach, you could trigger a wireless service restart for each new client that connects, but that causes disruption. For wireless devices, possibly the best way to limit access is to make them connect to a dedicated SSID and enable/disable that SSID as needed, as described in this article.

device_filtering.1684959773.txt.gz · Last modified: 2023/05/24 21:22 by hogwild