firewalld howto block internet access for a couple of mac addresses?
Hi all
I have two sons who abuse the internet. Myself and my daughter should have permanent access to the internet. I have deleted all accounts of my sons on the many computers we use, except on their machines, which includes handies, tablets etc.
I do not want to go into a good / bad parental discussion here. My scope is to cut them off the internet for good, while they still can access local intranet infrastructure. I would like to give them a certain time, say from 16:30 to 18:30, where they can use the internet and I am home, so I can check on their (ab)use of the internet.
We have openSUSE Leap 15.0 machines throughout. My firewall is based on firewalld. For the time being we have just two zones, external and internal. I do have a DNS and DHCP server running. My best guess is to use rules like this:
==========================================================
iptables -N blocked_access
iptables -A blocked_access -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j RETURN
iptables -A blocked_access -m time --timestart 20:00 --timestop 22:00 --weekdays Sun,Mon,Tue,Wed,Thu --syn -j ACCEPT
iptables -A blocked_access -j DROP
===========================================================
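A worked version of the idea in the rule set above, added here as an example (it is not code from the thread or from the firewalld project): a shell function that emits the `firewall-cmd --direct` commands which create a chain, hook it into FORWARD for traffic leaving on the external interface, and let the listed MAC addresses reach the internet only inside a time window. Nothing is executed; the output is meant to be reviewed and then run on the gateway. The interface variable `EXT_IF` (defaulting to the placeholder `eth0`), the chain name `kids_block`, the function name and the sample MAC addresses are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Prints firewall-cmd direct rules that
# block forwarded internet traffic for a set of MAC addresses outside an
# allowed time window. Review the output, then run it on the gateway.
#
# Assumptions: the external interface name in EXT_IF (placeholder eth0),
# firewalld with the direct interface, and the xt_mac / xt_time modules.

EXT_IF="${EXT_IF:-eth0}"   # placeholder; set to the gateway's real external interface

# gen_kids_block START STOP WEEKDAYS MAC...
#   START/STOP  hh:mm window in which the listed MACs may reach the internet
#   WEEKDAYS    comma-separated list as accepted by iptables -m time, e.g. Mon,Tue
gen_kids_block() {
    start=$1; stop=$2; days=$3; shift 3
    fw="firewall-cmd --permanent --direct"
    chain=kids_block
    echo "$fw --add-chain ipv4 filter $chain"
    # Only forwarded packets leaving on the external interface enter the chain.
    # Traffic to the gateway itself (DNS, DHCP: INPUT chain) and LAN-to-LAN
    # traffic are not examined, which keeps the intranet usable.
    # Priority 0 places the jump at the top of FORWARD_direct.
    echo "$fw --add-rule ipv4 filter FORWARD 0 -o $EXT_IF -j $chain"
    for mac in "$@"; do
        # Inside the window: RETURN so the packet continues through the normal
        # firewalld policy. --kerneltz evaluates the window in the system
        # time zone; without it xt_time compares against UTC.
        echo "$fw --add-rule ipv4 filter $chain 0 -m mac --mac-source $mac" \
             "-m time --timestart $start --timestop $stop --weekdays $days --kerneltz -j RETURN"
    done
    for mac in "$@"; do
        # Outside the window (priority 1 sorts after the RETURN rules):
        # REJECT so clients fail immediately instead of waiting for a timeout.
        echo "$fw --add-rule ipv4 filter $chain 1 -m mac --mac-source $mac -j REJECT"
    done
    echo "firewall-cmd --reload"
}

# Demo with constructed sample MACs; redirect to a file and inspect it first.
gen_kids_block 16:30 18:30 Mon,Tue,Wed,Thu,Fri aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02
```

Two things to keep in mind when using this: the `mac` match only sees the source address of the frame's last hop, so it identifies the device itself only while the device sits on the gateway's own LAN segment (a bridged access point preserves it, a routed hop does not); and if a device gets a fixed lease from the DHCP server, the same chain works with `-s <ip>` in place of `-m mac --mac-source <mac>`.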
why don't you specify static ip addresses?
You may also want to check pi-hole, which will filter sites.
Hi and thanks for your reply. Allow a few questions though:
What do I gain from static IPs? Especially looking at the time window. I believe I will have a lot of configuration work ahead and probably increased maintenance efforts. I might be able to set fixed IPs in the DHCP server though. But still: what is the benefit of it, and how do static IPs with some additional steps solve my problem?
The hint to Pi-hole is great! So big fat thanks for it. However I cannot see how I can block the devices of my sons for a defined period and still allow my daughter and myself unlimited access.
Found here by searching for "firewalld block mac address": firewalld.org looks to have all the documentation and a couple of fora.
I'm not quickly finding anything about time windows, tho. Perhaps a cron job to open/close the firewall for the mac addresses at desired times? Just an idea.
Quote (scasey):
...Perhaps a cron job to open/close the firewall for the mac addresses at desired times? Just an idea.
Thanks for the valuable input. I will try the cron job idea, I think it is great! I'll report back, as I believe I am not alone with my problem.
Greez
chris
While trying to set up the filters proposed, I had of course to collect the various MAC addresses of my sons' devices. I don't know, but that opened another box. There are 2 iPhones and 2 Androids. These devices seem to change their MAC addresses. Researching the cause, I found this. Thus my approach is rendered useless, at least for the devices that sport the "randomize-mac-address" feature.
I thought I was back on field one, but maybe I might still really be set to field one, I guess:
Tracking the MACs and their IPs revealed that, interestingly enough, the devices got the same IP as they had on the last DHCP request. If that were reliable, I could use IP addresses instead of MACs. Using a DHCP server, that cannot be steady. So I guess I am really back on field one.
How to proceed from here?
Greez
chris
Last edited by cepicier; 11-29-2018 at 07:26 AM.
Reason: typos
, I went to son2's laptop and could surf the internet as if nothing was done to block it.
I checked the logs:
Quote:
iptables --list | grep MAC
REJECT all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a1 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a2 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a3 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a4 reject-with icmp-port-unreachable
LOG all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a1 LOG level info prefix "block-son1"
LOG all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a2 LOG level info prefix "block-son1"
LOG all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a3 LOG level info prefix "block-son2"
LOG all -- anywhere anywhere MAC aa:aa:aa:aa:aa:aa:aa:a4 LOG level info prefix "block-son2"
So firewalld configured iptables. But no blocking takes effect?
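The listing above only shows that MAC rules exist, not where they sit or whether they ever match. The function below is an added example (not from the thread or from firewalld): it reads the full output of `iptables -L -v -n`, which firewalld's iptables backend produces on this setup, and reports for every rule with a MAC match the chain it lives in, which built-in chain (INPUT, FORWARD or OUTPUT) that chain is reached from, and its packet counter. A rule that is only reached from INPUT never sees forwarded LAN traffic, and a rule that stays at `pkts=0` while the device is browsing is not on the packet's path. The sample listing, the chain names `kids_block` and `orphan`, the interface `eth0` and the MAC addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Given `iptables -L -v -n` output on
# stdin, list each rule that matches on a source MAC with its chain, the
# built-in chain it is reached from, and its packet counter.
# Usage on a gateway:  iptables -L -v -n | audit_mac_rules

audit_mac_rules() {
    awk '
    /^Chain /     { chain = $2; next }        # "Chain NAME (policy ...)" header
    $1 == "pkts"  { next }                    # column header line
    $1 ~ /^[0-9]+[KMG]?$/ {                   # a rule line; $1 = pkts, $3 = target
        # Record a parent edge for the target (user chain or verdict; verdicts
        # are never walked). First parent wins; enough for firewalld layouts.
        if (!($3 in parent) && $3 != chain) parent[$3] = chain
        for (i = 1; i <= NF; i++) if ($i == "MAC") {
            n++; mac[n] = $(i + 1); where[n] = chain; pkts[n] = $1
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            c = where[j]
            while (c in parent) c = parent[c]           # climb to the root chain
            hooked = (c == "INPUT" || c == "FORWARD" || c == "OUTPUT") ? c : "none"
            printf "mac=%s chain=%s hooked_from=%s pkts=%s\n", mac[j], where[j], hooked, pkts[j]
        }
    }'
}

# Constructed sample of `iptables -L -v -n` output (not real output from the thread).
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204   98K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5310 4102K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC aa:aa:aa:aa:aa:a1 reject-with icmp-port-unreachable
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC aa:aa:aa:aa:aa:a1 LOG flags 0 level 6 prefix "block-son1"

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812   61K kids_block  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain kids_block (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812   61K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC aa:aa:aa:aa:aa:a2 reject-with icmp-port-unreachable

Chain orphan (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC aa:aa:aa:aa:aa:a3'

printf '%s\n' "$SAMPLE" | audit_mac_rules
```

In the constructed sample the rule for `aa:aa:aa:aa:aa:a1` is reached only from INPUT and has never matched, the rule in `kids_block` is reached from FORWARD and is counting packets, and the rule in `orphan` is in a chain nothing jumps to. Running the same check on the gateway shows which of these three situations the rules from the listing above are in.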
iOS 12 has a new feature, Screen Time, that allows management of on-line time and which apps are allowed...I think. Haven't dug into it. Don't need it here. Might help you tho.
Sean
Thanks for the hint. I'll check the iphone of my younger son for that feature.
The trouble is, I now need to run at several devices, where I could have done it at my gateway / firewall only. I did love that concept much more than buying/configuring stuff on currently 4 different platforms. Really a pita, it does not work as planned using firewalld.
I am giving a try using a raspberry and iptables. But that is another topic and thread then.
Greez
chris
PS: I am sure though, I am not the only one with this problem. So where are the other "victims"?