OpenWrt Forum Archive

Topic: How to deny access from LAN

The content of this topic has been archived on 16 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Please help me with how to use iptables to deny access to the Internet from some LAN PCs by:
1. MAC address
2. IP address
3. Denying specific services such as Yahoo messages or BitTorrent
4. Denying access based on a time schedule

These features were in the Access Restriction of the original LINKSYS firmware, DD-WRT and HyperWRT.
I am using PPPoE on the WAN interface.

I have tried the command

iptables -A OUTPUT -s 192.168.1.100 -j DROP

But the PC with IP 192.168.1.100 is still able to connect to the Internet.

Thank you
TuanND from VIETNAM

kaldek wrote:

Rather than trying to explain a complex topic to you via the forums, the best option for you is to read the iptables Tutorial.

Get it here: http://www.iptables.org/documentation/i … tion-howto

Kaldek

Could you please just give one sample to deny Internet access from 192.168.1.100?
(The LAN accesses the Internet via NAT through the WAN port using the PPPoE protocol.)

I have tried to read the iptables Tutorial but am still confused.

Thank you
TuanND from VIETNAM

TuanND,

The WRT54G is doing routing when the WAN PPPoE is accessed from the LAN. It takes packets from the 192.168.1.0 subnet to the WAN interface. Your Internet access provider has assigned the WAN an IP address on another, provider-proprietary, subnet.

The INPUT iptables chain is traversed when accessing the WRT54G itself, and/or the other LAN, and/or the bridged wireless.

To influence the routing you should add commands to the FORWARD iptables chain, as the box itself does nothing with the packets but just forwards them to the WAN net.
This explains why the INPUT chain command you issued does nothing in this case. The packets do not pass INPUT because the sending PC on the LAN has given the packets a destination address on the WAN (Internet). iptables sees this and decides to FORWARD, as the destination is clearly the Internet and not the WRT box or a destination on the LAN subnet.

rgds
doddel

(Last edited by doddel on 28 Sep 2005, 23:37)

I am at work and cannot test this example for you, but I think you are looking for something like this to be added to your /etc/firewall.user file, under the section labelled Port Forwarding.

iptables -A forwarding_rule -i $LAN -s 192.168.1.100 -o $WAN -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

Hope you can use 'vi'. If you want to test this rule manually before editing firewall.user, just type the above line, replacing $LAN with the LAN interface name (nvram show | grep lan_ifname) and the same with $WAN. Manually testing first is the safest way, as a reboot will restore iptables back to the original if there is a mistake.

Hope this helps; if --mac-source returns an error you may need to install the iptables-extra plugin. Like I said before, I cannot test this for you at the moment.

EDIT:

Just a thought, I had better tell you what the line is doing: -A forwarding_rule (add a rule to the forwarding_rule table (created by the /etc/init.d/S45firewall script)), -i (input interface), -s (source IP), -o (output interface), --mac-source (match extension (applies the rule if the MAC is matched)), -j DROP (jump to DROP and move to the next packet). You can remove the --mac-source option if you want the rule to match anything that comes from the LAN interface with an IP of 192.168.1.100 regardless of MAC address. Or you can keep the --mac-source match extension and remove the -s 192.168.1.100 option if you want to match on the MAC address only, regardless of IP address (be careful with this, as it may stop all LAN to WAN traffic if the --mac-source extension isn't included in the iptables package installed on the router).

(Last edited by zaphod on 2 Oct 2005, 00:09)

This works as promised (needed to block a TiVo from phoning home; the TiVo is assigned 192.168.1.104, iptables 1.3.3, White Russian RC4, code added to the stock /etc/firewall.user):

iptables -A forwarding_rule -i $LAN -s 192.168.1.104 -o $WAN -j DROP

It allows access within the LAN, but restricts access to the WAN.

-b
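Putting the forwarding_rule DROP approach from the thread into a small script, as an added example that is not from any post above: it builds one rule per LAN host (by IP, by MAC, or both), validates the MAC, and reads the interface names from nvram. The hypothetical defaults br0 and ppp0, the host-list format and the presence of the '-m mac' match module are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): compose forwarding_rule DROP entries
# for a list of LAN hosts and apply them, or print them when DRY_RUN=1.
# Assumed: White Russian layout (nvram lan_ifname/wan_ifname, forwarding_rule
# chain from /etc/init.d/S45firewall) and an installed '-m mac' match module.

# Resolve an interface name from nvram; fall back to a given default when
# nvram is absent (as on a test machine) or the key is empty.
iface_from_nvram() {
    key=$1; fallback=$2
    if command -v nvram >/dev/null 2>&1; then
        val=$(nvram get "$key")
        [ -n "$val" ] && { echo "$val"; return 0; }
    fi
    echo "$fallback"
}

# Accept only aa:bb:cc:dd:ee:ff style MAC addresses (either case).
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# block_rule LAN WAN IP MAC -> one iptables command on stdout.
# Pass "" for IP or MAC to match on the other field only.
block_rule() {
    lan=$1; wan=$2; ip=$3; mac=$4
    rule="iptables -A forwarding_rule -i $lan -o $wan"
    [ -n "$ip" ] && rule="$rule -s $ip"
    if [ -n "$mac" ]; then
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        rule="$rule -m mac --mac-source $mac"
    fi
    echo "$rule -j DROP"
}

# Read "ip mac" lines from stdin ('-' means "do not match on this field"),
# skip malformed entries, and run or print each resulting rule.
apply_blocklist() {
    lan=$(iface_from_nvram lan_ifname br0)   # assumed default
    wan=$(iface_from_nvram wan_ifname ppp0)  # assumed default for PPPoE
    while read -r ip mac; do
        [ "$ip" = "-" ] && ip=""
        [ "$mac" = "-" ] && mac=""
        rule=$(block_rule "$lan" "$wan" "$ip" "$mac") || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$rule"; else $rule; fi
    done
}
```

Run with `DRY_RUN=1` first and paste the printed lines into /etc/firewall.user once they look right.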
