Hi,
I've been scratching my head at this one for the past few weeks. No idea why it's happening. Maybe someone smarter than me can work it out...
So here's the background... I've got a smart TV with the YouTube Kids app on it in the kids' play room. I want to restrict the times of day that the kids can watch.
I have a Debian 9 VM, which I've enabled ipv4 forwarding on. DHCP sets the TV's default gateway to the IP of the VM. I've created a couple of scripts which insert iptables rules, one to reject/drop traffic from the TV's IP and the other to allow traffic again.
block-tv:
Code:
/sbin/iptables -I FORWARD -s 192.168.1.x -i ens3 -j DROP
/sbin/iptables -I INPUT -s 192.168.1.x -i ens3 -j DROP
/sbin/iptables -I FORWARD -s 192.168.1.x -i ens3 -j REJECT
/sbin/iptables -I INPUT -s 192.168.1.x -i ens3 -j REJECT
allow-tv:
Code:
/sbin/iptables -D FORWARD -s 192.168.1.242 -i ens3 -j DROP
/sbin/iptables -D INPUT -s 192.168.1.242 -i ens3 -j DROP
/sbin/iptables -D FORWARD -s 192.168.1.242 -i ens3 -j REJECT
/sbin/iptables -D INPUT -s 192.168.1.242 -i ens3 -j REJECT
Using cron, I have set allow-tv to run at 6am and block-tv to run at 10am. I've confirmed in syslog that these scripts are being executed and can see the rules when running iptables -L.
When the block rules are in place, the output of that command looks like this:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT all -- PlayRoomTV.home anywhere reject-with icmp-port-unreachable
DROP all -- PlayRoomTV.home anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- PlayRoomTV.home anywhere reject-with icmp-port-unreachable
DROP all -- PlayRoomTV.home anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I've opened up a few videos, run the scripts manually, and can confirm that it blocks the videos, prevents browsing, etc... But this morning, even though the blocking rules were in place, the kids were still watching at 12:30pm. The stuff they watch is usually 30-45 mins long so I'm certain it's not cached. They've also been using the search function, which can't be cached either.
Why would iptables not be dropping the data? Is it because the script is being run from cron? Is it because it's UDP traffic? Is it due to the connection already being established?
I'm just at a loss as to why this doesn't work. Ideas welcome.
Thanks.
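The quickest way to tell whether a rule like the ones above is doing anything is the per-rule packet counter that `iptables -L -v -n` prints: a DROP rule that sits in the chain with a counter of 0 while the device is streaming has never seen that device's packets, so the traffic is reaching the internet some other way (a different gateway, a different interface, or IPv6, which the IPv4 `iptables` table does not inspect at all; that lives in `ip6tables`). The script below is an added example for this thread, not the poster's own block-tv/allow-tv scripts. It parses `iptables -L -v -n` output, reports for each chain how many block rules exist for the host, whether any are duplicated (re-running an `-I` script stacks copies, and `-D` removes only one match per call), and whether they have matched packets. The sample output embedded in it is constructed; the host address 192.168.1.242 is taken from the poster's allow-tv script.

```python
"""Check whether iptables block rules for a host are present, duplicated,
and actually matching packets, from `iptables -L -v -n` output.
Added example for this thread; sample data below is constructed."""
import re
import subprocess

# Constructed sample of `iptables -L -v -n` output, mirroring the poster's
# chains: rules present on INPUT and FORWARD, one duplicated DROP, and every
# counter still at 0 (the host's packets are not traversing these rules).
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 8123 packets, 612345 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  ens3   *       192.168.1.242        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  ens3   *       192.168.1.242        0.0.0.0/0
    0     0 DROP       all  --  ens3   *       192.168.1.242        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  ens3   *       192.168.1.242        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  ens3   *       192.168.1.242        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7341 packets, 5123456 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$"
)


def _count(token):
    """Expand the abbreviated counters `-v` prints (12K, 3M); values are rounded by iptables."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_counters(text):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank separator or the column header
        m = RULE_RE.match(line)
        if not m:
            continue  # rule without a target column; not relevant here
        pkts, byts, target, prot, opt, in_if, out_if, src, dst, extra = m.groups()
        current["rules"].append({
            "pkts": _count(pkts), "bytes": _count(byts), "target": target,
            "prot": prot, "in": in_if, "out": out_if, "source": src,
            "destination": dst, "extra": extra.strip(),
        })
    return chains


def diagnose(chains, host, wanted=("INPUT", "FORWARD"), targets=("DROP", "REJECT")):
    """Per chain: how many block rules exist for `host`, how many are duplicates,
    which ingress interfaces they are bound to, and how many packets they matched."""
    report = {}
    for name in wanted:
        rules = [r for r in chains.get(name, {"rules": []})["rules"]
                 if r["source"] == host and r["target"] in targets]
        seen, dupes = set(), 0
        for r in rules:
            key = (r["target"], r["in"], r["source"], r["destination"], r["extra"])
            dupes += key in seen
            seen.add(key)
        report[name] = {
            "rules": len(rules),
            "duplicates": dupes,
            "interfaces": sorted({r["in"] for r in rules}),
            "pkts": sum(r["pkts"] for r in rules),
        }
    return report


def verdict(report):
    """Collapse the report into the one fact that matters for troubleshooting."""
    if all(c["rules"] == 0 for c in report.values()):
        return "no_block_rules"
    if all(c["pkts"] == 0 for c in report.values()):
        return "rules_present_but_no_packets_matched"
    return "rules_matching"


def diagnose_live(host):
    """Run the real command (needs root on the gateway) and diagnose its output."""
    out = subprocess.run(["iptables", "-L", "-v", "-n"], check=True,
                         capture_output=True, text=True).stdout
    return diagnose(parse_counters(out), host)


if __name__ == "__main__":
    rep = diagnose(parse_counters(SAMPLE_OUTPUT), "192.168.1.242")
    for chain, info in rep.items():
        print(chain, info)
    print("verdict:", verdict(rep))
```

Run `diagnose_live("192.168.1.242")` on the gateway while the device is in use and watch the `pkts` field over a minute or two; if it stays at 0 on both INPUT and FORWARD, the device's traffic is not passing through this host on that interface and the rules themselves are not the problem. A `duplicates` count above 0 means the insert script ran more than once since the last delete, which is worth fixing separately so the allow script actually clears the chain.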