How to disconnect local pc from wifi?

[No1Viking]

Hi all!

I would like to make sure that some computers, within the LAN, will get disconnected from the wifi at a certain point of time. When I set the Parental Controls the computer is still connected to the services that is currently used. So, for example, when my kid is playing a game and the router should block it it's still possible to continue to play the game online, even if the parental control is active.

I tried this with a cron job that reboots the router to solve this but it affects all the other wifi connections.

Is there a possibility to do this in a better way?

Best Regards

Michael

 

[coldwizard]

If you ssh to the router, and display the iptables FORWARD with

iptables -nvL FORWARD

you will see a line near the beginning like

ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

which for performance reasons is there to accept already established connections.

What you need to do is put in 2 rules before that line to drop your kids machine.

# start and stop times
niteMACtime=22:00
mornMACtime=05:59

# for each machine restricted (change line below to mac address of kids machine) 
MaC=12:34:56:78:9a:bc
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime --timestop 23:59 -m mac --mac-source $MaC -j DROP
iptables -I FORWARD 2 -m state --state RELATED,ESTABLISHED -m time --timestart 00:01 --timestop $mornMACtime -m mac --mac-source $MaC -j DROP

Be aware I have not tested this, but it is my best guess.
The machines will still be connected to the wifi, but not have an internet connection. They may be still able to print to a local printer or access a local shared drive on the local network?
Once you confirm it works, put the code into a /jffs/scripts/firewall-start script with a #!/bin/sh first line and it will be done on reboot of router.

 

[ColinTaylor]

Your request sounds similar to this thread.

http://forums.smallnetbuilder.com/showthread.php?t=20276

 

[No1Viking]

Will ongoing connections close with the solution presented above?

Michael

 

[ColinTaylor]

Will ongoing connections close with the solution presented above?

If you're referring to the link I posted then Yes I believe it will. But you'd have to test it to be sure.

 

[No1Viking]

My son looked at a youtube movie when the firewall kicked in. Unfortunately the connection was still alive and was not closed.

Any ideas?

Michael

 

[coldwizard]

My son looked at a youtube movie when the firewall kicked in. Unfortunately the connection was still alive and was not closed.

Any ideas?

Michael

I tried to post this yesterday, but this site was having problems

Will ongoing connections close with the solution presented above?

Michael

A qualified yes for the mac solution I presented. The computer will not be able to answer anything for the existing connections. This means that if the user is playing a multiuser game, they will lose the ability to control their own player, but will still watch other players move.

The solution presented by ColinTaylor's thread uses the IP address in the same way (source IP address). I should note that on post#26 of that thread, the output from the "ptables-save | grep FORWARD" command shows that the rule "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" comes BEFORE the timed rules and this allows existing connections to continue.

Misc comments and ideas

With a local address in the rule, the "-i br0" is redundant, unless you expect address spoofing, so can be ommitted.

The FORWARD table is used for traffic going through the router to/from the Internet with few exceptions, so the "-o eth0" can be omitted and then the rule will apply to any output device.

The "-p tcp" restricts the rule to only tcp traffic, but many games use UDP for the smaller overhead, so that should be omitted to apply to all protocols

I like the idea of just timestart and timestop, letting the other default

The "--days Xxx" if omitted means every day, resulting in fewer rules. Even if you want groups of days to be the same, you could use "--days Mon,Tue,Wed,Thu,Fri" with commas to reduce the rule count.

The IP address method is unlikely to work for IP version 6 (IPV6) as clients get multiple IPV6 addresses dynamically assigned.

If I were to use IP address as well (both methods can be used), I would add additional rules with "-s" (source) replaced by "-d" (destination) with would stop traffic both ways.

So my code would become (note I used 1 on all inserts to stress that these rules must be first and order does not matter)

# start and stop times
niteMACtime=22:00
mornMACtime=05:59

# for each machine restricted (change lines below to mac address and IP address of the kids machine) 
MaC=12:34:56:78:9a:bc
StaticIP=192.168.1.102

iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime -m mac --mac-source $MaC -j DROP
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime -m mac --mac-source $MaC -j DROP
iptables -I FORWARD 1 -s $StaticIP -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime -j DROP
iptables -I FORWARD 1 -s $StaticIP -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime -j DROP
iptables -I FORWARD 1 -d $StaticIP -m time --timestart $niteMACtime -j DROP
iptables -I FORWARD 1 -d $StaticIP -m time --timestop $mornMACtime -j DROP

 

[No1Viking]

Thanks coldwizard!

I have SSH access to the router, so that is ok.

Do you have a guide, somewhere, how to implement this script in to the router?

Thanks in advance.

Michael

 

[coldwizard]

Thanks coldwizard!

I have SSH access to the router, so that is ok.

Do you have a guide, somewhere, how to implement this script in to the router?

Thanks in advance.

Michael

The commands I gave can be executed from the command line for testing.

Two other commands you might find useful while testing are

To list the FORWARD table with line numbers use
iptables -nvL FORWARD --lin

To delete rule number nn use
iptables -D FORWARD nn
(example to delete line 1 , "iptables -D FORWARD 1")
Remember the rules renumber after each deletion, so if deleting multiple rules, either predict where the renumbers happens, or list the table each time.

Once you confirm it works, put the commands into a /jffs/scripts/firewall-start script file with a #!/bin/sh as the first line and it will be done on reboot of router.

Follow this link, there is a section on usage which should help you

https://github.com/RMerl/asuswrt-merlin/wiki

I use vi to edit files on the router, and putty as my ssh client on the laptop.

The current list of available user scripts for merlins firmware can be found in merlin's readme.txt file that is available on the same site you downloaded the firmware from.

I have company coming in today, so unlikely to do much on this site until January. I am sure others can help you with implenentation. Have a good holiday.

 

[No1Viking]

Wonderful!

It works perfectly. Thank you!

Now I have a question related to this.
Is it possible to add more mac-addresses and IP-addresses in the script and, if so, how do I do it?

Michael

 

[No1Viking]

I am not sure I did this the smartest way but I hope it works.
The reason I want to block two machines is because my son has got 1 PC and 1 smartphone.

In anyone comes up with a better solutions I am all ears!

#!/bin/sh

# start and stop times Machine 1
niteMACtime_1=18:05
mornMACtime_1=08:59

# start and stop times Machine 2
niteMACtime_2=18:05
mornMACtime_2=08:59

# for each machine restricted (change lines below to mac address and IP address of the kids machine)
MaC_1=
StaticIP_1=

MaC_2=
StaticIP_2=

# iptables rules Machine 1
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime_1 -m mac --mac-source $MaC_1 -j DROP
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime_1 -m mac --mac-source $MaC_1 -j DROP
iptables -I FORWARD 1 -s $StaticIP_1 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime_1 -j DROP
iptables -I FORWARD 1 -s $StaticIP_1 -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime_1 -j DROP
iptables -I FORWARD 1 -d $StaticIP_1 -m time --timestart $niteMACtime_1 -j DROP
iptables -I FORWARD 1 -d $StaticIP_1 -m time --timestop $mornMACtime_1 -j DROP

# iptables rules Machine 2
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime_2 -m mac --mac-source $MaC_2 -j DROP
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime_2 -m mac --mac-source $MaC_2 -j DROP
iptables -I FORWARD 1 -s $StaticIP_2 -m state --state RELATED,ESTABLISHED -m time --timestart $niteMACtime_2 -j DROP
iptables -I FORWARD 1 -s $StaticIP_2 -m state --state RELATED,ESTABLISHED -m time --timestop $mornMACtime_2 -j DROP
iptables -I FORWARD 1 -d $StaticIP_2 -m time --timestart $niteMACtime_2 -j DROP
iptables -I FORWARD 1 -d $StaticIP_2 -m time --timestop $mornMACtime_2 -j DROP

Michael

 

[coldwizard]

Script to terminate any access to the Internet including stopping existing connections.

This script should be better for performance than the original script. It only has 2 or 4 rules before the "RELATED,ESTABLISHED" rule to check during the day. It also handles school days and weekends with different times.

Remember to edit the script to replace my examples for time, IP address list and mac address list.
Do a "chmod 750 time-restrict-by-ip.sh" to make the file executable and remove the world write permission.

You may find the following commands useful while testing

List the iptables chains by
iptables -nvL FORWARD --lin
iptables -nvL dropkids --lin

To delete the first rule in the FORWARD chain
iptables -D FORWARD 1
Remember that the rules get renumbered after each delete, so list the table just before you delete a rule.
All the rules in the chain dropkids get flushed (deleted) by the script before adding the rules, so no need to delete of it's rules.

Until you copy the file into place in /jffs/scripts/firewall-start, you can reboot the router, and your changes will be undone.

Once tested, copy to file to /jffs/scripts/firewall-start script and it will last over a reboot.

[EDIT to add fix]
Found problem the router we have is too good! It is optimizing a streaming connection.
What you need to do is disable NAT Acceleration under "LAN" then tab "Switch Control".

Then if you check under "tools" it should say HW acceleration is Disabled (by user)
Reboot and it now works as expected.

This post talks about performance hit of turning off acceleration.

http://forums.smallnetbuilder.com/showpost.php?p=63184&postcount=21


Following code is also in attached zip

#!/bin/sh
# uncomment next line to see commands as they are read from this file
# set -v
# uncomment next line to see commands as they are executed
# set -x
#
# this script is to turn off machines Internet access by IP address at night
# it will break existing connections.
# if the kid is smart enough to change IP address, the mac address will prevent controlling an existing connection
# IP version 6 is not addressed here
#  
# start and stop times for school days (hh:mm)
SchoolNiteTime=21:00
SchoolMornTime=06:59
# comma delimit list of school days
SchoolDays="Mon,Tue,Wed,Thu,Fri,Sat,Sun"
#
# start and stop times for non school days
WeekendNiteTime=23:00
WeekendMornTime=05:59
# comma delimit list of non school days ("" means not used )
# if a day is not in either SchoolDays or WeekendDays list, then no restriction on the missing day
WeekendDays=""
#
# Change line below to the space delimited list of IP addresses of the kids machines 
StaticIPList="192.168.1.101 192.168.1.102"
#
# the mac restriction does not totally break connections, 
# but prevents kid who change IP address from starting new connections.
# Change line below the space delimited list of mac address of the kids machines ("" means not used )
MaCList="12:34:56:78:9a:bc"

# define a user chain and fill with rules
iptables -N dropkids
iptables -F dropkids
# first by MaCList
for MaC in $MaCList 
do
  iptables -I dropkids 1 -m mac --mac-source $MaC -j DROP
done
# then the StaticIPList
for StaticIP in $StaticIPList
do
  iptables -I dropkids 1 -s $StaticIP -j DROP
  iptables -I dropkids 1 -d $StaticIP -j DROP
done
#
iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --days $SchoolDays -j dropkids
iptables -I FORWARD 1 -m time --timestop  $SchoolMornTime --days $SchoolDays -j dropkids
# optional Weekend restriction
if test "x$WeekendDays" != "x"
then
  iptables -I FORWARD 1 -m time --timestart $WeekendNiteTime --days $WeekendDays -j dropkids
  iptables -I FORWARD 1 -m time --timestop  $WeekendMornTime --days $WeekendDays -j dropkids
fi

 

[No1Viking]

Thank you for the script, it seems easier to use.

I will test this and see what happens.

Best regards

Michael

 

[No1Viking]

Hello

This does not seem to end the ongoing connections. Tried it for two days now. I will enclose the script that I use and the firewall result based of the script.

Help!!!

Michael

admin@RT-N66U-7470:/tmp/home/root# cat /jffs/scripts/firewall-start
#!/bin/sh
# uncomment next line to see commands as they are read from this file
set -v
# uncomment next line to see commands as they are executed
set -x
#
# this script is to turn off machines Internet access by IP address at night
# it will break existing connections.
# if the kid is smart enough to change IP address, the mac address will prevent controlling an existing connection
# IP version 6 is not addressed here
#
# start and stop times for school days (hh:mm)
SchoolNiteTime=21:00
SchoolMornTime=08:59
# comma delimit list of school days
SchoolDays="Mon,Tue,Wed,Thu,Fri,Sat,Sun"
#
# start and stop times for non school days
WeekendNiteTime=21:00
WeekendMornTime=08:59
# comma delimit list of non school days ("" means not used )
# if a day is not in either SchoolDays or WeekendDays list, then no restriction on the missing day
WeekendDays=""
#
# Change line below to the space delimited list of IP addresses of the kids machines
StaticIPList="192.168.1.37 192.168.1.210"
#
# the mac restriction does not totally break connections,
# but prevents kid who change IP address from starting new connections.
# Change line below the space delimited list of mac address of the kids machines ("" means not used )
MaCList="40:F0:2F:83:46:BB 34:31:11:A0:5B:E4"
#
# define a user chain and fill with rules
iptables -N dropkids
iptables -F dropkids
# first by MaCList
for MaC in $MaCList
do
iptables -I dropkids 1 -m mac --mac-source $MaC -j DROP
done
# then the StaticIPList
for StaticIP in $StaticIPList
do
iptables -I dropkids 1 -s $StaticIP -j DROP
iptables -I dropkids 1 -d $StaticIP -j DROP
done
#
iptables -I FORWARD 1 -m time --timestart $SchoolNiteTime --days $SchoolDays -j dropkids
iptables -I FORWARD 1 -m time --timestop $SchoolMornTime --days $SchoolDays -j dropkids
# optional Weekend restriction
if test "x$WeekendDays" != "x"
then
iptables -I FORWARD 1 -m time --timestart $WeekendNiteTime --days $WeekendDays -j dropkids
iptables -I FORWARD 1 -m time --timestop $WeekendMornTime --days $WeekendDays -j dropkids
fi

admin@RT-N66U-7470:/jffs/scripts# iptables -nvL dropkids --lin
Chain dropkids (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 192.168.1.210
2 0 0 DROP all -- * * 192.168.1.210 0.0.0.0/0
3 0 0 DROP all -- * * 0.0.0.0/0 192.168.1.37
4 0 0 DROP all -- * * 192.168.1.37 0.0.0.0/0
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 34:31:11:A0:5B:E4
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 40:F0:2F:83:46:BB

admin@RT-N66U-7470:/jffs/scripts# iptables -nvL FORWARD --lin
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 dropkids all -- * * 0.0.0.0/0 0.0.0.0/0 TIME to 8:59 on all days
2 385 24331 dropkids all -- * * 0.0.0.0/0 0.0.0.0/0 TIME from 21:0 on all days
3 291 16581 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
5 10 520 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
6 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
7 0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
8 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
9 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
10 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
11 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
12 84 7230 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0

 

[No1Viking]

Bumping this to get help.
See previous post.

Michael

 

[coldwizard]

Quick change from saying its working perfectly to not working!

The rule in the FORWARD table, starting "2 385 24331 dropkids" tells me that there were 385 packets that were sent the table dropkids for checking.
The rules in the table dropkids all have 0 packets matched, so those IP addresses were not used in the checked connections.

Anyway, some ideas.

1) Kids computers are connecting a different way. Wifi 2.4Ghz, wifi 5Ghz and Wired connections all use different MAC addresses get a different IP.

2) Kids are smart and have changed their IP address.

3) Do you have IP version 6 that they could be using?

If you look on the router, under "system log" you will find a tab "connections" and then "refresh" on that page will tell you what IP addresses are currently used. If some do not match the DHCP leases, then your kids are using idea (2) above. Only sure way to stop that is to physically lock up the devices at bed time, since they are probably also playing offline games too! A laptop under the covers to hide the screen glow is a fire hazard since air vents for cooling are likely blocked.

 

[No1Viking]

OK

I am 100% sure that my son were online when the script kicked in.

Will try again...
Disabled IPv6 in the router

Will double check IP- and MAC-addresses, insert the data in the script and rerun it. Lets see what happens tonight.

Michael

 

[coldwizard]

OK, now guests have left, I have installed same script on my machine.
Let you know what I find with testing.

Skype works even after time to block! ....

Found problem the router we have is too good! It is optimizing a streaming connection.
What you need to do is disable NAT Acceleration under "LAN" then tab "Switch Control".

Then if you check under "tools" it should say HW acceleration is Disabled (by user)
Reboot and it now works as expected.

 

[No1Viking]

OK, now guests have left, I have installed same script on my machine.
Let you know what I find with testing.

Skype works even after time to block! ....

Found problem the router we have is too good! It is optimizing a streaming connection.
What you need to do is disable NAT Acceleration under "LAN" then tab "Switch Control".

Then if you check under "tools" it should say HW acceleration is Disabled (by user)
Reboot and it now works as expected.

Yeah, and all other ongoing connections, like Mindcraft etc too. I changed the setting and are testing this tonight!

Thanks

Michael

 

[No1Viking]

Yes!

That was the issue. Now it works 100%
Thank you!

Michael