Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: deznuts on February 24, 2006, 07:36:04 AM
-
I know there are at least 2 other topics dealing with this issue:
http://forums.contribs.org/index.php?topic=20795.msg82034#msg82034
and
http://forums.contribs.org/index.php?topic=21456.0
but they are both dated and don't mention sme7. They also have some discrepancies in the iptables command used to enable and disable the filter.
One topic suggests using:
/sbin/iptables -I PREROUTING -t nat -j DROP -m mac --mac-source 00:00:00:00:00:00 -p tcp --dport 80
and one topic suggests:
/sbin/iptables -t nat -A PREROUTING -m mac --mac-source 00:00:00:00:00:00 -p ALL -j DROP
The only mention of reversing these changes is:
"It will be possible to unblock it. Just use the -D option instead of the -I."
However I don't see the original -I in either command.
So I have 3 questions.
1: What is the command to filter all internet access from a certain MAC in sme7pre1?
2: Will this filter stick after a reboot?
3: What is the command to reverse this filter?
I also like the idea of a cron job enabling and disabling this filter at certain times of day.
-
I think -I is insert (at the start), -A is append (to the end) and -D is drop (remove), but iptables --help or man iptables will tell you for sure. And no, the command won't stick after a reboot - you'd need to add a template fragment for that.
I hope you're not trying to keep a kid off the internet with this. It is pretty easy to get by :-P
(moving this topic to SME7 Contribs - this is not a feature of SME7)
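
Added example, not part of any post in this thread: a shell wrapper that builds the block and unblock commands from one rule spec, so the -D always matches what -I added. Assumptions: the filter table's FORWARD chain (routed traffic only, not traffic redirected to a proxy on the server itself), the DRY_RUN switch, and the script path in the cron comment are illustrative choices, not something the posters specified.

```shell
#!/bin/sh
# Added example: one rule spec drives both the block (-I) and unblock (-D) command.
# Assumed defaults: filter table, FORWARD chain (routed LAN-to-WAN traffic only).
# Current iptables releases refuse DROP in the nat table, hence TABLE=filter.
IPTABLES=${IPTABLES:-/sbin/iptables}
TABLE=${TABLE:-filter}
CHAIN=${CHAIN:-FORWARD}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the command, 0 = run it (needs root)

# Accept exactly six colon-separated hex octets, nothing else.
valid_mac() {
    case "$1" in ''|*[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
}

# Print the iptables command for "block" or "unblock" of one MAC.
# -I inserts at the top of the chain; -D deletes the rule with the same spec.
rule_cmd() {
    case "$1" in
        block)   op=-I ;;
        unblock) op=-D ;;
        *) echo "usage: block|unblock MAC" >&2; return 2 ;;
    esac
    valid_mac "$2" || { echo "invalid MAC: $2" >&2; return 2; }
    echo "$IPTABLES -t $TABLE $op $CHAIN -m mac --mac-source $2 -j DROP"
}

apply_rule() {
    cmd=$(rule_cmd "$1" "$2") || return $?
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; return 0; fi
    if [ "$1" = block ]; then
        # Drop any existing copy first so repeated cron runs never stack duplicates.
        del=$(rule_cmd unblock "$2")
        $del 2>/dev/null || true
    fi
    $cmd
}

# Example system crontab entries (script path is hypothetical, MAC is a placeholder):
#   0 22 * * * root DRY_RUN=0 /usr/local/sbin/macblock.sh block   00:00:00:00:00:00
#   0 7  * * * root DRY_RUN=0 /usr/local/sbin/macblock.sh unblock 00:00:00:00:00:00
[ $# -eq 0 ] || apply_rule "$@"
```

With DRY_RUN left at 1 the script only prints the command it would run, which makes it easy to compare the block and unblock lines before scheduling them.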
-
"I hope you're not trying to keep a kid off the internet with this. It is pretty easy to get by :-P"
Greg,
Can you suggest a good way of blocking the internet and still allow LAN access? I use custom templates for squid acl blocking by IP.
"(moving this topic to SME7 Contribs - this is not a feature of SME7)"
But it would definitely be a nice feature :-)
-
Anything new on this?
I am looking for mac and/or time based restrictions on WAN traffic (not LAN).
I want to avoid having to use a proxy setting because it can easily be bypassed.
I would settle for dns whitelist functionality.
PS - I have updated to the latest 7.0 release using yum update and yum upgrade.