
Manual MAC based access restriction using iptables script

Discussion in 'Tomato Firmware' started by mnbowhunter77, Feb 26, 2011.

  1. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    I have been trying to do the Title for a little while now and just can't seem to get it working.

    Asus RT-N16
    tomato-K26USB-1.28.9054MIPSR2-beta-Ext

    I wrote a text file named 'macaccess.sh', enabled JFFS and formatted it via the GUI, saved the text file under '/jffs' and did a chmod +x on it. Here are the first few lines and also the last line. There are over 150 lines total.

    #This script is for limiting wireless access to your router via MAC address.
    #
    #example
    #iptables -A rdev01 -m mac --mac-source 00:00:00:00:00:00 -j RETURN #User Michael Moore
    #
    iptables -A rdev01 -m mac --mac-source 63:33:4B:B9:9D:68 -j RETURN #User Jody Bedlly Wireless
    iptables -A rdev01 -m mac --mac-source 03:1D:29:C8:59:G0 -j RETURN #User Bob Berdahl Wireless
    iptables -A rdev01 -j DROP


    I entered the following under 'administration' 'scripts' 'firewall'
    cd /jffs && ./macaccess.sh

    I also did : service firewall restart at the command prompt via ssh

    However, when I run 'iptables -L' I get this:

    root@$$$:/jffs# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    wanin all -- anywhere anywhere
    wanout all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain wanin (1 references)
    target prot opt source destination

    Chain wanout (1 references)
    target prot opt source destination

    I do not see my MACs listed anywhere... so I can only assume they are not being passed to the firewall.

    Is there a way to see if when running the 'service firewall restart' command it actually read the 'cd /jffs && ./macaccess.sh' script that is saved in the GUI?

    I have also enabled an Access Restriction that should kill the internet for a specific MAC address not listed in the text file.. However, that device is still able to connect to the router and admin it??


    I have to be missing something.. .Help
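    An added example (not the poster's script, and not part of Tomato) of the same allow-list idea, written so that it can be checked before it is applied: each MAC is validated, the generated rules are printed for review, and applying them leaves a syslog line so you can tell whether the firewall hook actually ran the script. It assumes the chain name in CHAIN is the one the firmware really created (confirm with `iptables -S`; the thread later notes the name only appears once a WAN link is up) and a list file of "MAC name" lines with '#' comments. Note that a rule whose MAC contains a non-hex character (the G0 in the posted script) is rejected by iptables at load time, and when the script runs from the firewall hook that error is never seen; this is the kind of silent failure the validation catches.

```shell
#!/bin/sh
# Added example, not the thread's script: builds the same kind of MAC allow-list
# (one RETURN per permitted MAC, then DROP) from a list file, but validates each
# MAC and prints the rules for review before anything touches the firewall.
# Assumptions: CHAIN is the chain the firmware really created (confirm with
# `iptables -S`), and the list file has "MAC name" lines, '#' for comments.

CHAIN="${CHAIN:-rdev01}"

# is_mac: true only for six colon-separated hex pairs; a stray non-hex
# character (like the G0 in the posted script) makes iptables reject the rule.
is_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rules LISTFILE: print the iptables commands for the list file.
# The chain is flushed first so rerunning the script never duplicates rules;
# malformed MACs are reported on stderr and skipped instead of silently failing.
build_rules() {
    echo "iptables -F $CHAIN"
    while read -r mac name; do
        case "$mac" in ''|\#*) continue ;; esac
        if is_mac "$mac"; then
            echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN   # $name"
        else
            echo "macaccess: skipping malformed MAC '$mac' ($name)" >&2
        fi
    done < "$1"
    echo "iptables -A $CHAIN -j DROP"
}

# apply_rules LISTFILE: run the generated commands and leave a trace in syslog,
# which answers "did the firewall hook actually run my script?" (see `logread`).
apply_rules() {
    build_rules "$1" | sh
    logger -t macaccess "applied allow-list from $1 to chain $CHAIN"
}

# Usage: ./macaccess.sh /jffs/maclist.txt         (print rules only)
#        ./macaccess.sh /jffs/maclist.txt apply   (apply them and log)
if [ $# -ge 1 ]; then
    if [ "${2:-}" = apply ]; then apply_rules "$1"; else build_rules "$1"; fi
fi
```

    After applying, `iptables -L rdev01 -v` (or whatever the chain is called) shows per-rule packet counters, which is the quickest way to see whether a given device's traffic is actually hitting its RETURN rule or falling through to DROP. Keep in mind that a MAC address is client-supplied and trivially changed, so this gates convenience, not identity; the device still associates with the wireless network and gets a DHCP lease, which is exactly what post 8 in this thread goes on to observe.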
     
  2. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    should there be an xt_mac or ipt_mac module loaded when I do an lsmod?

    not only isn't there.. but one doesn't seem to exist in the modules folder at all..
     
  3. princeamd

    princeamd Networkin' Nut Member

    what the hell is rdev01, I think it should be br0
     
  4. TT76

    TT76 Networkin' Nut Member

    where is your customized chain rdev01?
     
  5. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    rdev01 is apparently opened when you use access restrictions in the GUI.. although I have access restrictions set up.. and I don't think it is running. Is there a test to see if it is??
     
  6. TT76

    TT76 Networkin' Nut Member

    I am pretty much sure that the customized chain created by access restriction is not that name; they are restrict and rresX (X=01-99), but I don't know why access restriction didn't work after you enabled it.
     
  7. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    do you know if I should be using the 'access restriction' area.. or the 'basic' 'wireless filter' then selecting 'permit only the following' and using a MAC... if I do the latter.. it will only allow the single MAC id listed and no more.. it does NOT read the script. and I am confused as to how the access restriction area needs to be set up so that it will read the script.
     
  8. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member

    update. It seems the rdev01 chain is only created once you connect your modem to the WAN port. Once I did that.. all is well.

    Now in the script

    iptables -A rdev01 -m mac --mac-source 01:01:01:01:01:01 -j RETURN #User Bob

    How do I see who is on the router? It appears that this script only stops the users not listed from accessing the internet. It doesn't actually keep them from connecting to the router and being assigned an IP. This is of course when used in conjunction with the "Access Restriction" to 'Block all Internet Access' in the GUI. If I go to the Device List, it still shows all devices connected, whether they have internet access or not, and it shows whatever name they have assigned to their machine. I was hoping to see the names I have given them after the RETURN #User area.

    Onehomelist or anyone else have any ideas on that.
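    The Device List shows the hostname each client announced, and the firewall chain only filters forwarded traffic, so the names in the script's comments never reach that page. An added example (not from the thread or from Tomato) that answers the question directly: it reads the router's neighbour table and tags each entry with the name from the allow-list file, marking anything not on the list as unknown so an unexpected device stands out. It assumes a "MAC name" list file and the /proc/net/arp layout used by Linux-based firmware (IP, HW type, Flags, HW address, Mask, Device); the default paths are assumptions, and the inputs in the usage test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: lists the devices the router currently
# sees, tagged with the names from the allow-list file, so "who is on the
# router" can be read by name rather than by whatever hostname the client sent.
# Assumptions: a names file with "MAC name" lines ('#' comments allowed) and a
# neighbour table in the /proc/net/arp layout used by Linux-based firmware
# (IP, HW type, Flags, HW address, Mask, Device). Default paths are assumed.

NAMES_FILE="${NAMES_FILE:-/jffs/maclist.txt}"
ARP_FILE="${ARP_FILE:-/proc/net/arp}"

# list_clients NAMES ARP: print "IP MAC name" for every resolved entry.
# Devices missing from the names file are tagged "unknown" so an unexpected
# client stands out; entries with flags 0x0 (unresolved) are skipped.
list_clients() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }               # comments and blank lines
        FILENAME == ARGV[1] { name[tolower($1)] = $2; next }   # first file: MAC -> name
        FNR > 1 && $3 != "0x0" {                          # second file: skip header/unresolved
            m = tolower($4)
            printf "%s %s %s\n", $1, m, (m in name) ? name[m] : "unknown"
        }
    ' "$1" "$2"
}

# Usage: ./whoison.sh            (uses the default paths above)
#        ./whoison.sh names arp  (explicit files, e.g. a saved copy of /proc/net/arp)
if [ -r "${1:-$NAMES_FILE}" ] && [ -r "${2:-$ARP_FILE}" ]; then
    list_clients "${1:-$NAMES_FILE}" "${2:-$ARP_FILE}"
fi
```

    An "unknown" line is the useful signal here: it is a device that associated and got an address without being on the list, which is precisely what the firewall chain cannot prevent. If the goal is to keep such devices off the network rather than just off the internet, that has to happen at the wireless layer (the Basic > Wireless Filter allow-list the thread mentions, or WPA2 credentials), not in iptables.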
     
  9. mnbowhunter77

    mnbowhunter77 Networkin' Nut Member
