#!/bin/sh
iptables -I FORWARD -m time --timestart 00:30 --timestop 06:00 --kerneltz -o $(nvram get wan0_ifname) -j REJECT

Then I issued this command:

service start_firewall

But the rule is not showing up in the output of:

iptables-save | grep time

Or does iptables-save only show rules that are currently in effect (thus not showing when it is outside of the time window specified)?

Use

service restart_firewall

instead.

chmod 777 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start

No, that's not the case.

It seems to me using -i br0 would result in me being blocked from accessing the router as well in the event when the firewall rules are in effect and I need to make some change or debug something?
service restart_firewall does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):

-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Thu --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Fri --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sat --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A FORWARD -o eth0 -m time --timestart 00:30:00 --timestop 06:00:00 --kerneltz -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Mon --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Tue --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls

So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.
OK, I didn't know you were also using parental controls and time-based blocking. There's likely to be some sort of conflict there. I'd have to see the complete unedited output of

iptables-save

to offer any more suggestions, as my firmware is different from yours. It would definitely be worth trying without parental controls enabled.

Parental control was not quite effective, as it can be worked around by mac address spoofing. Would it simplify the issue if I don't use parental control?
As far as I can see, any parental control restrictions would be applied after your custom script rule.

I tried turning on keyword and URL filtering; it seems to work fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.

Any advice as to blocking every device from accessing the internet during a specific time period and then letting a trusted subset through using IPTABLES?

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).
For example:

# Prevent all devices from accessing internet
iptables -I FORWARD -i br0 -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP
# Allow following device through to internet
iptables -A FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

I would imagine order of execution is of some importance here.

Thanks @eibgrad!

As written, the ACCEPT rule should be inserted (-I), not appended (-A).

P.S. Also, for internal blocking purposes, I prefer REJECT rather than DROP. The former is more "user friendly". But either will get the job done.
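The ordering point made in the last few posts (the ACCEPT for trusted devices has to sit above the time-based REJECT in FORWARD, because iptables stops at the first match), together with the earlier restart and idempotency issues, as an added shell example. This is not the thread's script or any poster's code. It assumes the Asuswrt-Merlin /jffs/scripts/firewall-start hook, br0 as the LAN bridge, `nvram get wan0_ifname` for the WAN interface (eth0 in the output above), an iptables build that supports -C, and constructed placeholder MAC addresses. The check_order function reads iptables-save output and confirms that every trusted-MAC ACCEPT in FORWARD appears before the curfew REJECT, which is the check to run on output like the one posted above.

```shell
#!/bin/sh
# Constructed example of /jffs/scripts/firewall-start for Asuswrt-Merlin.
# Not the thread's own script. After saving it, as the thread advises:
#   chmod 755 /jffs/scripts/firewall-start; dos2unix /jffs/scripts/firewall-start
#   service restart_firewall

IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null)}"   # eth0 on the OP's router
LAN_IF="${LAN_IF:-br0}"
# Devices allowed out during the curfew window (constructed placeholder MACs).
TRUSTED_MACS="${TRUSTED_MACS:-aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02}"
CURFEW_START="${CURFEW_START:-00:30}"
CURFEW_STOP="${CURFEW_STOP:-06:00}"

# run: execute iptables, or only print the command when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    "$IPTABLES" "$@"
  fi
}

# insert_once: firewall-start is re-run on every firewall restart, so skip a
# rule that is already present instead of stacking duplicates (assumes -C).
insert_once() {
  if [ "${DRY_RUN:-0}" != 1 ] && "$IPTABLES" -C "$@" 2>/dev/null; then
    return 0
  fi
  run -I "$@"
}

# curfew_rules: insert the REJECT first, then the ACCEPTs. Every -I lands at
# position 1, so each later ACCEPT ends up above the REJECT; first match wins,
# which is exactly the ordering the trusted devices need.
curfew_rules() {
  insert_once FORWARD -i "$LAN_IF" -o "$WAN_IF" -m time \
    --timestart "$CURFEW_START" --timestop "$CURFEW_STOP" --kerneltz -j REJECT
  for mac in $TRUSTED_MACS; do
    insert_once FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mac --mac-source "$mac" -j ACCEPT
  done
}

# check_order: read iptables-save text on stdin; succeed only if every trusted
# MAC has an ACCEPT in FORWARD that precedes the curfew REJECT.
check_order() {
  awk -v macs="$TRUSTED_MACS" -v wan="$WAN_IF" '
    BEGIN { n = split(macs, want, " "); for (i = 1; i <= n; i++) need[tolower(want[i])] = 1 }
    /^-A FORWARD / {
      pos++
      if ($0 ~ "-o " wan && $0 ~ /-m time/ && $0 ~ /-j REJECT/ && !reject) reject = pos
      if ($0 ~ /-m mac --mac-source/ && $0 ~ /-j ACCEPT/) {
        for (i = 1; i <= NF; i++) if ($i == "--mac-source") seen[tolower($(i + 1))] = pos
      }
    }
    END {
      if (!reject) { print "curfew REJECT rule not found in FORWARD"; exit 1 }
      for (m in need) {
        if (!(m in seen) || seen[m] > reject) { print "ACCEPT for " m " missing or below REJECT"; exit 1 }
      }
      print "ordering OK"; exit 0
    }'
}

# Only apply rules when invoked as the firmware hook; sourcing the file for a
# dry run or an order check leaves the firewall untouched.
case "$0" in
  *firewall-start) curfew_rules ;;
esac
```

To preview the commands without touching the firewall: `DRY_RUN=1 sh -c '. /jffs/scripts/firewall-start; curfew_rules'`. To verify the live ordering after a restart: `iptables-save | sh -c '. /jffs/scripts/firewall-start; check_order'`. A non-zero exit from check_order means a trusted device is still hitting the REJECT, which is the symptom in the thread when the ACCEPT was appended rather than inserted.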