I have a server running Debian acting as a firewall/forward/masquerade box. In order to, ah, encourage, my kids to get their homework done before frittering their time away on social media, I long ago introduced a restriction system on when their devices get network access. I use the cron daemon to schedule a script to insert and remove forwarding rules in iptables based on known MAC addresses; so during certain times of day, devices on the 'trouble' list can connect to the local network but not access the gateway.
This all works great, except for a substantial loophole. Access is granted to one device each so homework requiring internet access can be done, usually one laptop per user. I know, they can access social media through their laptops, but they do prefer their phones for this. Their phones don't have data plans. You can probably guess where this is going. My clever progeny have discovered they can make their laptops into hotspots, tether their phones, and use the laptops' access to allow social media on their phones; thus we are back to frittering, failing courses, not graduating, etc.
At last, the question: Is there some way I can prevent devices tethered to hotspotted laptops from gaining access to the internet?
I assume that the hotspots perform NAT, thus routing.
One way I thought of would be to decrement the TTL of packets destined for the laptops to 1. The laptops would then receive all packets, yet wouldn't allow another routing.
Or, you could drop all outgoing packets with a TTL different from an expected value (assuming the NAT doesn't rewrite that value). Inspiration.
Inspiration 2.
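The two TTL ideas in the reply above, written out as iptables rules. This is an added example, not part of the original thread; the interface name `eth1`, the fixed IP per laptop, the expected TTL values and the sample MAC/IP inventory are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules for the two TTL ideas in the reply above.
# Dry run: rules are only printed. Review them, then pipe to "sh" as root.
LAN_IF="${LAN_IF:-eth1}"    # assumption: the firewall's LAN-facing interface

# Idea 1: packets forwarded *to* an allowed laptop leave the firewall with
# TTL 1. The laptop accepts them for itself, but a hotspot on it must
# decrement the TTL before forwarding, so the packet is discarded there.
clamp_rule() {   # $1 = laptop IP (assumes a fixed DHCP lease per laptop)
    echo "iptables -t mangle -A POSTROUTING -o $LAN_IF -d $1 -j TTL --ttl-set 1"
}

# Idea 2: drop forwarded packets from the laptop's MAC whose TTL differs from
# what its own OS sends (commonly 64 for Linux/macOS, 128 for Windows).
# A tethered phone's packets arrive at least one hop lower unless the hotspot
# rewrites the TTL, which is the assumption the reply states.
ttl_guard_rule() {   # $1 = laptop MAC, $2 = expected TTL
    case "$2" in
        ''|*[!0-9]*) echo "bad TTL: $2" >&2; return 1 ;;
    esac
    [ "$2" -ge 1 ] && [ "$2" -le 255 ] || { echo "bad TTL: $2" >&2; return 1; }
    echo "iptables -I FORWARD -i $LAN_IF -m mac --mac-source $1 -m ttl ! --ttl-eq $2 -j DROP"
}

# Constructed sample inventory: MAC,IP,expected TTL (not real devices).
LAPTOPS="02:00:00:aa:bb:01,192.168.1.50,64
02:00:00:aa:bb:02,192.168.1.51,128"

# Print both rules for every laptop in the inventory.
build_rules() {
    echo "$LAPTOPS" | while IFS=, read -r mac ip ttl; do
        clamp_rule "$ip"
        ttl_guard_rule "$mac" "$ttl" || exit 1
    done
}

build_rules
```

The guard rule is inserted at the top of FORWARD so it is evaluated before any existing accept rule for the same MAC; the cron script that opens and closes access can leave both TTL rules in place permanently.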
Another way to approach the problem is to have iptables filter everything outbound except for your DNS server and one port, on which a proxy server listens, and filter them like that. Privoxy is such a server, but is a bit of a beast to configure. https://www.privoxy.org/ Businesses use such things to stop people from going to non-work-related sites. Then just insert/delete that iptables rule that drops everything at a certain time via your cron daemon. Privoxy might even have time-based filters now, but I'm not sure, as I've not checked on that. I just use it for Tor.