LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-27-2014, 07:18 AM   #1
threehappypenguins
LQ Newbie
 
Registered: Feb 2014
Posts: 3

AFWall+ iptables help


I am attempting to block connection to a specific BSSID. My friend's son has been getting around the access restrictions I set for the family on my friend's behalf (I have Tomato running on his Linksys), and his son has access to the neighbour's wifi. I want to be able to block the connection to this wifi. I am experimenting with this at home by trying to block my phone from accessing my router. I tried this IP table first:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

(of course, the 00:00:00:00:00:00 represents the actual MAC address which I am not posting here; and I used all caps for the address)

I still had access to the internet.

I also tried:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

Still had access. Though this is not ideal (because the public IP is dynamic and I have no access to the neighbour's router to add a dynamic dns address to implement this should I go this route), I then tried my public IP address:

$IPTABLES -I INPUT -s 11.222.33.44 -j DROP

I still had access to the internet through my router. So I tried this iptable for the fun of it:

$IPTABLES -I INPUT -s 11.222.33.44 -j REJECT

I could still access the internet. Is it even possible to do what I'm trying to do?

P.S. - My phone, as well as my friend's son's phone is rooted.

Last edited by threehappypenguins; 02-27-2014 at 09:54 AM.
 
Old 02-28-2014, 09:49 AM   #2
threehappypenguins
LQ Newbie
 
Registered: Feb 2014
Posts: 3

Original Poster
I figured things out. For one, after I added the iptable rule, I needed to REBOOT my phone for it to apply (which I wasn't doing). Secondly, I needed to use the LAN Mac Address (NOT the BSSID/Wireless MAC address) in order for the iptable rule to work.

Secondly, I downloaded AFWall+. It allowed me to set it as administrator to prevent uninstallation. The only thing missing is that the developer needs to password protect removing the app as administrator.

Then I downloaded Android Terminal Emulator. In order to find the LAN MAC address for the connection that I am looking to block, I typed this into the emulator:

arp -n

Then I used the MAC address that was given in the terminal and put that into this rule here to be placed in "custom scripts" in the firewall:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
 
Old 03-01-2014, 04:34 AM   #3
brebs
Member
 
Registered: May 2013
Posts: 89

The *order* of iptables rules is absolutely crucial.

So we can't say whether your DROP/REJECT rule is useful, without seeing the output of "iptables-save", to see whether an earlier ACCEPT takes precedence.
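Two points from posts #2 and #3 are easy to see in a small model: netfilter walks a chain top to bottom and the first terminating match wins, so a DROP appended with `-A` behind an existing blanket ACCEPT never fires, whereas `-I` puts it at position 1; and `-m mac --mac-source` compares the Ethernet source address of the frame the phone receives, which is the gateway's LAN-side MAC that `arp -n` lists, not the access point's BSSID. The following Python is an added illustration, not code from the thread or from AFWall+; it models only `-s`, `-m mac --mac-source` and catch-all rules, and the MAC and IP values are constructed.

```python
"""Added example (not from the thread): a minimal model of how netfilter walks
an iptables INPUT chain, showing why rule ORDER decides whether a DROP ever
fires, and why the MAC in `-m mac --mac-source` has to be the gateway's
LAN-side address (what `arp -n` reports), not the BSSID.
Only `-s`, `-m mac --mac-source` and catch-all rules are modelled."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One rule in the chain. A field of None means 'match anything' for it."""
    target: str                      # ACCEPT, DROP or REJECT
    src_ip: Optional[str] = None     # -s <addr>
    src_mac: Optional[str] = None    # -m mac --mac-source <addr>

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.src_ip is not None and pkt["src_ip"] != self.src_ip:
            return False
        # The kernel compares raw address bytes, so upper/lower case on the
        # command line makes no difference.
        if self.src_mac is not None and pkt["src_mac"].lower() != self.src_mac.lower():
            return False
        return True

    def save_line(self) -> str:
        """Render the rule the way `iptables-save` prints it."""
        parts = ["-A INPUT"]
        if self.src_ip is not None:
            parts.append(f"-s {self.src_ip}")
        if self.src_mac is not None:
            parts.append(f"-m mac --mac-source {self.src_mac}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT ...: the rule goes to the END of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I INPUT [rulenum] ...: position 1 (the top) by default."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: Dict[str, str]) -> str:
        """First matching rule wins; with no match the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def save(self) -> List[str]:
        """The chain in `iptables-save` order, which is the evaluation order."""
        return [r.save_line() for r in self.rules]


# Constructed sample frame: an inbound packet from the home router as the
# phone's wlan0 delivers it. Its Ethernet source is the router's LAN/bridge
# MAC; the BSSID is the wireless interface's own address and is not what
# `-m mac` compares against.
GATEWAY_LAN_MAC = "02:00:00:aa:bb:01"   # constructed; what `arp -n` would list
GATEWAY_BSSID = "02:00:00:aa:bb:02"     # constructed; the AP's wireless MAC
PKT_FROM_GATEWAY = {"src_ip": "192.168.1.1", "src_mac": GATEWAY_LAN_MAC}


def shadowed_by_earlier_accept() -> str:
    """A blanket ACCEPT already exists; the DROP is appended behind it with -A."""
    chain = Chain()
    chain.append(Rule("ACCEPT"))                          # e.g. an existing allow rule
    chain.append(Rule("DROP", src_mac=GATEWAY_LAN_MAC))   # -A ... -j DROP
    return chain.verdict(PKT_FROM_GATEWAY)                # ACCEPT: DROP is never reached


def inserted_at_top() -> str:
    """Same two rules, but the DROP is inserted with -I so it is checked first."""
    chain = Chain()
    chain.append(Rule("ACCEPT"))
    chain.insert(Rule("DROP", src_mac=GATEWAY_LAN_MAC))   # -I ... -j DROP
    return chain.verdict(PKT_FROM_GATEWAY)                # DROP


def bssid_rule_never_matches() -> str:
    """A rule keyed on the BSSID sees no frame with that Ethernet source."""
    chain = Chain()
    chain.insert(Rule("DROP", src_mac=GATEWAY_BSSID))
    return chain.verdict(PKT_FROM_GATEWAY)                # ACCEPT (chain policy)


if __name__ == "__main__":
    chain = Chain()
    chain.append(Rule("ACCEPT"))
    chain.append(Rule("DROP", src_mac=GATEWAY_LAN_MAC))
    print("\n".join(chain.save()))   # read top to bottom, as iptables-save shows it
    print("appended DROP :", shadowed_by_earlier_accept())
    print("inserted DROP :", inserted_at_top())
    print("BSSID rule    :", bssid_rule_never_matches())
```

Reading the real `iptables-save` output top to bottom is the same check the model's `save()` performs: whatever ACCEPT sits above a DROP for the same traffic wins, which is why brebs asks for that listing before judging the rule.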
 
Old 03-01-2014, 05:57 AM   #4
threehappypenguins
LQ Newbie
 
Registered: Feb 2014
Posts: 3

Original Poster
Quote:
Originally Posted by brebs
The *order* of iptables rules is absolutely crucial.

So we can't say whether your DROP/REJECT rule is useful, without seeing the output of "iptables-save", to see whether an earlier ACCEPT takes precedence.
I'm really not sure what you mean. How would I see the output? You mean if I look at the firewall rules? Either way, it works. I'm blocked off the internet. But I later thought of something better. I was so concerned with my friend's son accessing the neighbour's wifi, that I neglected to think about the fact that I could use iptables to set time restrictions on his own phone. So I can set it so it would boot him off at 11:30pm every night whether he's at home (and trying to use the neighbour's wifi), on vacation, at a friend's house for a sleepover, travelling, etc.

Here is the code I used:

Code:
$IPTABLES -A INPUT -m time --timestart 03:30 --timestop 11:30 --weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
At first when I was testing it, it wasn't working (I even rebooted my phone). Then I decided to open Android Terminal Emulator and type:

Code:
date
The time was showing in GMT! Even though the time was set to my own timezone in the Android settings, in reality iptables was using GMT (I guess all Androids use GMT 'internally' no matter the settings?).

So I had to add four hours to the time in my iptable rule to compensate (I'm Atlantic Time in Canada). Worked like a charm.
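The `time` match evaluates `--timestart`/`--timestop` in UTC by default, so a local window has to be shifted by the zone offset, and the shift changes when the offset does (Atlantic Standard Time is UTC-4, Atlantic Daylight Time is UTC-3, so the "+4" above becomes "+3" for part of the year). The script below is an added example, not from the thread: it converts a local window into the UTC values for the rule, reproduces the post's rule for the UTC-4 case, and checks candidate times against the kernel's wrap-around semantics (when start is later than stop the window spans midnight). Offsets are passed in explicitly so it needs no timezone database; the rule text and `$IPTABLES` variable follow the post's convention.

```python
"""Added example (not from the thread): turn a local blocking window into the
UTC --timestart/--timestop values that `iptables -m time` evaluates by default,
and check times against xt_time's wrap-around rule.
Zone offsets are given explicitly (AST = -4, ADT = -3) so no tzdata is needed."""

MINUTES_PER_DAY = 24 * 60
ALL_WEEKDAYS = "Sun,Mon,Tue,Wed,Thu,Fri,Sat"


def to_minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def to_hhmm(minutes: int) -> str:
    """Minutes since midnight -> 'HH:MM'."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def local_to_utc(hhmm: str, utc_offset_hours: float) -> str:
    """Shift a wall-clock time to UTC, wrapping at midnight.
    utc_offset_hours is the local offset (e.g. -4 for AST, -3 for ADT)."""
    shifted = (to_minutes(hhmm) - int(utc_offset_hours * 60)) % MINUTES_PER_DAY
    return to_hhmm(shifted)


def time_rule(start_local: str, stop_local: str, utc_offset_hours: float,
              target: str = "DROP") -> str:
    """Build the rule line in the same form the post uses."""
    start = local_to_utc(start_local, utc_offset_hours)
    stop = local_to_utc(stop_local, utc_offset_hours)
    return (f"$IPTABLES -A INPUT -m time --timestart {start} --timestop {stop} "
            f"--weekdays {ALL_WEEKDAYS} -j {target}")


def time_match(now_utc: str, start_utc: str, stop_utc: str) -> bool:
    """Mirror xt_time's day-time test: a normal window when start < stop,
    otherwise the window wraps past midnight (start..23:59 and 00:00..stop)."""
    now, start, stop = (to_minutes(t) for t in (now_utc, start_utc, stop_utc))
    if start < stop:
        return start <= now <= stop
    return not (now < start and now > stop)


def blocked_at(now_local: str, start_local: str, stop_local: str,
               utc_offset_hours: float) -> bool:
    """Would traffic at this local wall-clock time hit the DROP rule?"""
    return time_match(local_to_utc(now_local, utc_offset_hours),
                      local_to_utc(start_local, utc_offset_hours),
                      local_to_utc(stop_local, utc_offset_hours))


if __name__ == "__main__":
    # Bedtime window 23:30 to 07:30 local, first in standard time, then in DST.
    print(time_rule("23:30", "07:30", -4))   # the post's rule: 03:30 to 11:30 UTC
    print(time_rule("23:30", "07:30", -3))   # same window in ADT: 02:30 to 10:30 UTC
    print("23:45 local blocked (AST):", blocked_at("23:45", "23:30", "07:30", -4))
    print("22:00 local blocked (AST):", blocked_at("22:00", "23:30", "07:30", -4))
```

Newer iptables builds also accept `--kerneltz` on the `time` match to evaluate against the kernel's timezone instead of UTC; whether the kernel timezone on a given Android build tracks the zone chosen in Settings is not something this thread establishes, so checking `date` on the device, as the post does, remains the reliable test.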