
Manual MAC based access restriction using iptables script

Discussion in 'Tomato Firmware' started by onehomelist, Jun 9, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    I guess I am repeating my same question again. I somehow want to provide access to my 300 and more users with MAC based access restriction. I have heard that there is a limit to the number of MAC addresses one can add in the 'access restriction' part of the Tomato GUI. So I have come up with my own solution for it. Here is what I did:

    Code:
    iptables -A rdev01 -m mac --mac-source 00:8c:c3:de:67:8a -j RETURN #User No:201005001 NAME:Michael
    iptables -A rdev01 -m mac --mac-source 00:1c:b0:df:12:44 -j RETURN #User No:201005002 NAME:Charlie
    iptables -A rdev01 -j DROP
    The script allows me to specify more details about my users like number and name. It'll provide internet access to only those users whose MAC id is specified in the script. I used it as firewall script and it worked. But when I entered a new user I had to restart the firewall over ssh. I used this command:
    Code:
    service firewall restart 
    My question is: is there a limit for the rules I can add in the firewall script section in the GUI? I may have to add more than 500 rules in my case. I hope there are no limits.

    If anyone wants to try out the script you have to see that the line
    Code:
    iptables -A rdev01 -j DROP
    comes at the end. All MAC restriction rules should come above that line. This code will reject access to clients whose MAC id is not included in the script.
     
  2. mstombs

    mstombs Network Guru Member

    You should be careful not to over-fill the 32kB nvram, there was an issue at one time with bricking from too many big VPN certs.

    If your router/firmware version supports it you could maintain your list on /jffs/ or usb drive and just link to it from the firewall script, or on /cifs/ if it can be reliably up...

    "nvram show" on the version I currently have does report nvram usage at the bottom

    Code:
    615 entries, 12759 bytes used, 20009 bytes free.
     
  3. onehomelist

    onehomelist Addicted to LI Member

    My nvram show stats
    Code:
    729 entries, 15931 bytes used, 16837 bytes free.
    Thanks mstombs. I'm using RT-N16. I'd go for /jffs to save my scripts. I hope a command like this would work

    Code:
    cd /jffs && ./my_firewall.sh
    Any better alternatives?
     
  4. mstombs

    mstombs Network Guru Member

    Should be fine, scripts need to have Unix file endings, but you can keep and edit the file on your PC not the router - you could also add extras via web gui. Scripts must be made executable with "chmod +x ...", I use winscp & notepad++.

    You can lose files on /jffs if the router is turned off suddenly, this is because the OS caches writes. Not a problem if shut down correctly, which flushes or syncs any write cache.
     
  5. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    I have been trying to do this exact same thing.. Did you ever get it to work??

    Asus RT-N16
    tomato-K26USB-1.28.9054MIPSR2-beta-Ext

    I typed up the following and saved it under /jffs as macaccess.sh and also did the chmod +x macaccess.sh


    Code:
    #This script is for limiting wireless access to your router via MAC address.

    #example
    #iptables -A rdev01 -m mac --mac-source 00:00:00:00:00:00 -j RETURN #User Michael Moore

    iptables -A rdev01 -m mac --mac-source 61234B294858 -j RETURN #User Judy Badel Wireless
    iptables -A rdev01 -m mac --mac-source 011C09D876A0 -j RETURN #User Marc Berdaly Wireless
    iptables -A rdev01 -j DROP


    then in the GUI under 'administration' 'scripts' 'firewall'
    I have
    cd /jffs && ./macaccess.sh

    however even after a reboot or just a firewall restart... anything and everyone can still get on the router to either access the configuration gui or get on the web... I must be missing something.
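
An added example, not part of any post in this thread: one way to keep the allow-list in a file on /jffs, as suggested above, and generate the rules from it with the DROP rule always last. The list format, the file names /jffs/macrules.sh and /jffs/mac_allow.list, and the function names are assumptions; the chain name rdev01 comes from the thread. MACs are normalised to the colon-separated XX:XX:XX:XX:XX:XX form that the iptables mac match requires.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed list format, one entry per line:
#   MAC [free-text note]      e.g.  00:8c:c3:de:67:8a Michael
# Chain name rdev01 is the one used in the thread; override with CHAIN=...
CHAIN="${CHAIN:-rdev01}"

# Print a MAC as lowercase aa:bb:cc:dd:ee:ff; fail unless it is 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Write one RETURN rule per valid, unique MAC, then the final DROP.
# Only the validated MAC is copied into the output, never the note text.
# Writes nothing and returns non-zero when no valid MAC is found, so an
# empty or damaged list cannot install a bare DROP rule.
gen_rules() {
    tr -d '\r' < "$1" | {        # tolerate lists saved with Windows line endings
        seen=" "
        rules=""
        while read -r mac note || [ -n "$mac" ]; do
            case "$mac" in ''|'#'*) continue ;; esac
            if ! m=$(normalize_mac "$mac"); then
                echo "skipping invalid MAC: $mac" >&2
                continue
            fi
            case "$seen" in *" $m "*) continue ;; esac   # duplicate entry
            seen="$seen$m "
            rules="${rules}iptables -A $CHAIN -m mac --mac-source $m -j RETURN
"
        done
        [ -n "$rules" ] && printf '%siptables -A %s -j DROP\n' "$rules" "$CHAIN"
    }
}

# Hypothetical use from the firewall script, with the list kept on /jffs:
#   . /jffs/macrules.sh && gen_rules /jffs/mac_allow.list | sh
```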
     
