Disable internet access via command line

[itpp20]

Yes it will, you can specify single or ranges or all.

 

[threemonks]

@ColinTaylor Should /jffs/scripts/firewall-start be triggered by firewall start? I edited this file with the following contents

#!/bin/sh
iptables -I FORWARD -m time --timestart 00:30 --timestop 06:00 --kerneltz -o $(nvram get wan0_ifname) -j REJECT

then issued this command

service start_firewall

But the rule is not showing up in the output of

iptables-save | grep time

. Or iptables-save only show rules that are currently in effect (thus not showing when it is outside of the time window specified)?

It seems to me using -i br0 would result me being blocked from accessing the router as well in the event when the firewall rules are in effect and I need to make some change or debug something?

 

[ColinTaylor]

Try service restart_firewall instead.

If it still doesn't show anything do the following:

chmod 777 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start

It seems to me using -i br0 would result me being blocked from accessing the router as well in the event when the firewall rules are in effect and I need to make some change or debug something?

No that's not the case.

 

[threemonks]

service restart_firewall

does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):

-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Thu --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Fri --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sat --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A FORWARD -o eth0 -m time --timestart 00:30:00 --timestop 06:00:00 --kerneltz -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Mon --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Tue --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls

So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.

 

[ColinTaylor]

does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):

So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.

OK I didn't know you were also using parental controls and time based blocking. There's likely to be some sort of conflict there. I'd have to see the complete unedited output of iptables-save to offer any more suggestions as my firmware is different from yours.

 

[threemonks]

Parent control was not quite effective as it can be worked around by mac address spoofing. Would it simplify the issue if I don't use parental control?
@ColinTaylor I will PM you the unedited complete iptables-save output. Would appreciate if you can help take a look.

 

[ColinTaylor]

Parent control was not quite effective as it can be worked around by mac address spoofing. Would it simplify the issue if I don't use parental control?

It would definitely be worth trying without parental controls enabled.

 

[threemonks]

It turns out that it works as expected after turning off parental control and keyword filtering. It would be interesting and helpful to understand how does parental control and keyword filtering interfering with the script configured iptables rule for blocking WAN access for a specified time period.

 

[threemonks]

I tried turn on keyword and URL filtering, it seems works fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.

 

[ColinTaylor]

I tried turn on keyword and URL filtering, it seems works fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.

As far as I can see any parental control restrictions would be applied after your custom script rule.

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).

 

[Digimite]

As far as I can see any parental control restrictions would be applied after your custom script rule.

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).

Any advice as to blocking every device from accessing the internet during a specific time period and then letting a trusted subset through using IPTABLES?

For example:
# Prevent all devices from accessing internet
iptables -I FORWARD -i br0 -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP

#Allow following device through to internet
iptables -A FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx:xx -j ACCEPT

I would imagine order of execution is of some importance here.

 

[eibgrad]

Any advice as to blocking every device from accessing the internet during a specific time period and then letting a trusted subset through using IPTABLES?

For example:
# Prevent all devices from accessing internet
iptables -I FORWARD -i br0 -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP

#Allow following device through to internet
iptables -A FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx:xx -j ACCEPT

I would imagine order of execution is of some importance here.

As written, the ACCEPT rule should be inserted (-I), not appended (-A).

P.S. Also, for internal blocking purposes, I prefer REJECT rather than DROP. The former is more "user friendly". But either will get the job done.

 

[Digimite]

As written, the ACCEPT rule should be inserted (-I), not appended (-A).

P.S. Also, for internal blocking purposes, I prefer REJECT rather than DROP. The former is more "user friendly". But either will get the job done.

Thanks @eibgrad !