Topic: Restrict Internet access by MAC address

[Rob Saw]

First off, apologies if this has been covered before, I have searched and found nothing.

I have a simple home install of E-smith 5.6 acting as a file server, mail server and gateway for 3 client PCs. With exam time coming up soon, I would like to be able to allow one PC to only access the net at limited times.

My brother is a crafty type, so may well think to change his IP address, but the MAC address is something I doubt he will even consider.

Is there a way I can set up E-smith to block his access based on the MAC address of his PC. Could I then schedule a job to allow access at only the permitted times?

Many thanks in advance.

Rob

[CH Cheah]

You should be able to block by MAC since you're using SME 5.6 which uses
IP Tables. Try this

iptables -I PREROUTING -t nat -j DROP --mac-source 00:90:26:CB:4E:56 -p tcp --dport 80

assuming 00:90:26:CB:4E:56 is your MAC address. It'll block out at least the surfing
part.

[Rob Saw]

Thanks for that

Sounds good, and a bit of reading around says that dport will accept a range of ports, so I can block pretty much every port.

Sorry again if this is easy, but I really can't work it out. tried running the command and was told that --mac source was not valid.

Looked into it a bit and it appears that mac source is an extension of iptables... just can't see how to add the extension

TIA

[CH Cheah]

Rob, I have missed out the '-m mac' portion

/sbin/iptables -I PREROUTING -t nat -j DROP -m mac --mac-source 00:90:26:CB:4E:56 -p tcp --dport 80

[Rob Saw]

D'oh! I even looked at pages which gave me the context!

Works Great.

Many thanks, and while my brother won't thank either you or I right now, Wait a few years till he is a doctor driving a Mercedes etc. etc.

Thanks Again!