What's new

Disable internet access via command line

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@ColinTaylor Should /jffs/scripts/firewall-start be triggered by firewall start? I edited this file with the following contents
#!/bin/sh
iptables -I FORWARD -m time --timestart 00:30 --timestop 06:00 --kerneltz -o $(nvram get wan0_ifname) -j REJECT
then issued this command
service start_firewall
But the rule is not showing up in the output of
iptables-save | grep time
. Or iptables-save only show rules that are currently in effect (thus not showing when it is outside of the time window specified)?

It seems to me using -i br0 would result me being blocked from accessing the router as well in the event when the firewall rules are in effect and I need to make some change or debug something?
 
Try service restart_firewall instead.

If it still doesn't show anything do the following:
Code:
chmod 777 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start


It seems to me using -i br0 would result me being blocked from accessing the router as well in the event when the firewall rules are in effect and I need to make some change or debug something?
No that's not the case.
 
Last edited:
service restart_firewall
does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Thu --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Fri --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sat --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A FORWARD -o eth0 -m time --timestart 00:30:00 --timestop 06:00:00 --kerneltz -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Mon --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Tue --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.
 
does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):

So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.
OK I didn't know you were also using parental controls and time based blocking. There's likely to be some sort of conflict there. I'd have to see the complete unedited output of iptables-save to offer any more suggestions as my firmware is different from yours.
 
Parent control was not quite effective as it can be worked around by mac address spoofing. Would it simplify the issue if I don't use parental control?
@ColinTaylor I will PM you the unedited complete iptables-save output. Would appreciate if you can help take a look.
 
Parent control was not quite effective as it can be worked around by mac address spoofing. Would it simplify the issue if I don't use parental control?
It would definitely be worth trying without parental controls enabled.
 
It turns out that it works as expected after turning off parental control and keyword filtering. It would be interesting and helpful to understand how does parental control and keyword filtering interfering with the script configured iptables rule for blocking WAN access for a specified time period.
 
I tried turn on keyword and URL filtering, it seems works fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.
 
I tried turn on keyword and URL filtering, it seems works fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.
As far as I can see any parental control restrictions would be applied after your custom script rule.

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).
 
As far as I can see any parental control restrictions would be applied after your custom script rule.

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).
Any advice as to blocking every device from accessing the internet during a specific time period and then letting a trusted subset through using IPTABLES?

For example:
# Prevent all devices from accessing internet
iptables -I FORWARD -i br0 -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP

#Allow following device through to internet
iptables -A FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx:xx -j ACCEPT

I would imagine order of execution is of some importance here.
 
Any advice as to blocking every device from accessing the internet during a specific time period and then letting a trusted subset through using IPTABLES?

For example:
# Prevent all devices from accessing internet
iptables -I FORWARD -i br0 -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP

#Allow following device through to internet
iptables -A FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx:xx -j ACCEPT

I would imagine order of execution is of some importance here.

As written, the ACCEPT rule should be inserted (-I), not appended (-A).

P.S. Also, for internal blocking purposes, I prefer REJECT rather than DROP. The former is more "user friendly". But either will get the job done.
 
Last edited:
As written, the ACCEPT rule should be inserted (-I), not appended (-A).

P.S. Also, for internal blocking purposes, I prefer REJECT rather than DROP. The former is more "user friendly". But either will get the job done.
Thanks @eibgrad !
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top