I decided to restrict Internet access from my LAN to known IP/MAC pairs only, primarily to block Internet access from my PS3, virtual machines and computers that do not need it. The simplest way to achieve this on Linux is to filter packets coming from the LAN interface in the FORWARD chain.
On OpenWRT, custom firewall rules can be defined in /etc/firewall.user. Before creating rules we need some method to create and (easily) maintain IP/MAC pairs. I decided to use /etc/ethers and /etc/hosts, which already contain the MACs, hostnames and IPs (used by dnsmasq).
On my router I have /etc/ethers in format:
And /etc/hosts:
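The only problem I found was parsing all that information in a simple way (e.g. in one line of sh/awk/perl/whatever script). Perl is not available in the default installation of OpenWRT. sh cannot easily handle text files. In the end, awk with grep seems to be really simple and efficient:
# For each "MAC hostname" line in /etc/ethers, look up the IP in /etc/hosts and print an ACCEPT rule; finish with a DROP rule.
(awk '{ printf "iptables -A forwarding_rule -i br0 -m mac --mac-source " $1 " -s " ;
cmd = "cat /etc/hosts | grep " $2 ; cmd | getline ; print $1 " -j ACCEPT" }' /etc/ethers ;
echo 'iptables -A forwarding_rule -i br0 -j DROP')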
This command (script?) parses /etc/ethers and /etc/hosts and creates firewall rules on standard output:
Now it is easy to attach it to the OpenWRT firewall in /etc/firewall.user. Just after the flush rules, insert:
# Generate the ACCEPT rules for known IP/MAC pairs plus the final DROP, then run them with sh.
(awk '{ printf "iptables -A forwarding_rule -i br0 -m mac --mac-source " $1 " -s " ;
cmd = "cat /etc/hosts | grep " $2 ; cmd | getline ; print $1 " -j ACCEPT" }' /etc/ethers ;
echo 'iptables -A forwarding_rule -i br0 -j DROP') | sh
Note the “| sh” at the end of the command. It is needed to execute the generated rules.
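A stricter generator for the same rules, as an added example that is not the original post's code: it matches hostnames exactly, emits only well-formed MAC and IPv4 values so nothing else reaches the commands piped to sh, and skips entries it cannot resolve so they stay behind the final DROP. The function name gen_rules and the sample names and addresses are assumptions; br0 and forwarding_rule come from the post.

```sh
#!/bin/sh
# Added example, not the original post's code.
# gen_rules ETHERS HOSTS [IFACE] [CHAIN] prints iptables commands on stdout.
gen_rules() {
    awk -v iface="${3:-br0}" -v chain="${4:-forwarding_rule}" '
    function is_mac(s,    p, i) {            # six two-digit hex groups
        if (split(s, p, ":") != 6) return 0
        for (i = 1; i <= 6; i++)
            if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
        return 1
    }
    function is_ip(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
    BEGIN { pre = "iptables -A " chain " -i " iface }
    { sub(/#.*/, "") }                       # strip comments in both files
    pass == 1 {                              # hosts: name or alias -> first IP
        if (is_ip($1))
            for (i = 2; i <= NF; i++) if (!($i in ip)) ip[$i] = $1
        next
    }
    NF < 2 { next }                          # ethers: blank or incomplete line
    {
        addr = is_ip($2) ? $2 : ip[$2]       # ethers may give a name or an IP
        if (!is_mac($1) || addr == "") {     # no rule: host stays blocked
            print "skipped: " $0 > "/dev/stderr"
            next
        }
        print pre " -m mac --mac-source " $1 " -s " addr " -j ACCEPT"
    }
    END { print pre " -j DROP" }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data (addresses and names are made up for the demo).
d=$(mktemp -d)
printf '%s\n' '00:11:22:33:44:55 pc' '00:11:22:33:44:66 pc2' \
    'aa:bb:cc:dd:ee:ff ghost' > "$d/ethers"
printf '%s\n' '192.168.1.12 pc2' '192.168.1.11 pc' > "$d/hosts"
gen_rules "$d/ethers" "$d/hosts"
rm -rf "$d"
```

In /etc/firewall.user the call would be gen_rules /etc/ethers /etc/hosts | sh. The rules match addresses the client itself supplies, so they restrict devices rather than authenticate them.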
Finally, reload the firewall rules:
Try to access any Internet host from allowed and blocked (any not allowed) clients. Then check if it works: