OpenWrt Forum Archive

Topic: block a computer on the LAN for WAN access

The content of this topic has been archived on 29 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I would like to block a computer with a certain IP address from accessing the Internet.

Hope somebody can help me with this.


Also, it would be nice (but not necessary) if somebody knows how I can make this block for a time range, e.g. with cron: unblock between 1pm and 4pm :)

Please also specify where I should put the commands, i.e. firewall.user or the firewall file which awk parses.

(Last edited by confiscated on 22 Dec 2006, 16:33)

Blocking a host by its IP address is not always a good idea, because IPs can be changed by the user, so it's very easy to get access to services blocked on an IP basis... Maybe you could try blocking by the host's MAC address... iptables is the utility you need, but I am not sure if OpenWrt images have the necessary modules compiled in them to allow filtering by MAC address (they should have... but I'm unsure).
Unfortunately, I don't have the time (and maybe the knowledge) to help you, but I can tell you the basic steps you need to take:

1. Block the access of the host, using a firewall rule (iptables) in the /etc/firewall.user file
2. Set up a record in the crontab file which enables access for that host at 1pm; use iptables here, too
3. Set another record, which should run at 4pm every day, using the same command as you used in the firewall.user file

That's all, I think.

Bye!

Yes, the IP method can be bypassed, but for example it's okay to just block my little brother...

iptables -A input_rule -s 192.168.0.96 -j REJECT
geryhun wrote:

Blocking a host by its IP address is not always a good idea, because IPs can be changed by the user, so it's very easy to get access to services blocked on an IP basis... Maybe you could try blocking by the host's MAC address... iptables is the utility you need, but I am not sure if OpenWrt images have the necessary modules compiled in them to allow filtering by MAC address (they should have... but I'm unsure).
Unfortunately, I don't have the time (and maybe the knowledge) to help you, but I can tell you the basic steps you need to take:

1. Block the access of the host, using a firewall rule (iptables) in the /etc/firewall.user file
2. Set up a record in the crontab file which enables access for that host at 1pm; use iptables here, too
3. Set another record, which should run at 4pm every day, using the same command as you used in the firewall.user file

That's all, I think.

Bye!

If you want to block on MAC address, you can also use the 'Static Ip addresses (for DHCP)' setting to make sure the PC always receives the same IP address (based on the MAC address). You can find it in the GUI under Network - Hosts.

Sonic wrote:

Yes, the IP method can be bypassed, but for example it's okay to just block my little brother...

iptables -A input_rule -s 192.168.0.96 -j REJECT

This works... However, shouldn't the following line in /etc/config/firewall do the same?

drop:src=192.168.0.96

However, it doesn't seem to work. My little brother still gets out... Or does the firewall match only WAN addresses? This is the line that gets generated by X-Wrt, but that's beside the point.

I think you need to specify the interface the filter should be applied to, but I'm too much of a noob to help you.
At the moment I'm trying to make a filter that would only allow access for a specified list of MACs and ignore everything not in it.
Someone hinted at ebtables for it, so I'm reading 250 pages of a tutorial so I don't mess up and end up without router access :P
Try reading iptables tutorial/wiki/howtos and you should be able to figure it out by yourself.
Remember you need to restart the firewall script after each change!

It is also peculiar that when I add a line to firewall.user and restart it, the rules from config/firewall are no longer in effect. For example, if I have accept:dport=22 (to be able to control the router from outside), after I run firewall.user I can't SSH to the box any more until I come home and re-enable those rules.

So, apparently, firewall.user wipes out firewall rules.

Anyway, back to my question: is it possible to disable a specific computer from accessing the Internet?

Anyone have a solution to share?
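Putting the thread's pieces together as an added example (this is not code from any poster, from OpenWrt or from X-Wrt): geryhun's three steps as one script, with the two crontab lines generated from it, and the interface/chain point raised later in the thread handled explicitly. It assumes a White Russian-era /etc/firewall.user with a forwarding_rule chain that routed LAN-to-WAN traffic traverses (input_rule only sees traffic addressed to the router itself, so a rule there does not stop forwarding), a WAN interface called vlan1 (override with WAN=...), and that the script lives at /etc/lan_block.sh (override with SCRIPT=...). The chain name lan_block, the IPTABLES override and the valid_ipv4 helper are choices made here for the example, not OpenWrt conventions.

```shell
#!/bin/sh
# lan_block.sh -- block one LAN host from reaching the WAN on an OpenWrt
# (White Russian era) router, with a cron-driven daily unblock window.
# Added example for this thread; not code from OpenWrt, X-Wrt or any poster.
#
# Assumptions (not stated by the thread, labelled here):
#  - /etc/firewall.user provides a "forwarding_rule" chain that routed
#    LAN->WAN traffic traverses; input_rule only sees traffic for the router.
#  - $WAN is the WAN interface (vlan1 on many WRT54G builds). Matching
#    "-o $WAN" scopes the block to Internet-bound traffic; LAN<->LAN is untouched.
#  - $IPTABLES is overridable so the script can be dry-run against a stub.

IPTABLES="${IPTABLES:-iptables}"
WAN="${WAN:-vlan1}"
CHAIN="lan_block"                      # our own chain: flushing it never touches other rules
SCRIPT="${SCRIPT:-/etc/lan_block.sh}"  # where this file is expected to live on the router

# Dotted-quad check so a typo in a cron line cannot become an unintended
# iptables match (an empty or malformed -s argument). Digits and dots only,
# so the unquoted word split below can never trigger pathname globbing.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Create our chain and hook it into forwarding_rule for WAN-bound traffic.
# iptables of that era has no -C, so delete-then-insert keeps this idempotent.
setup_chain() {
  $IPTABLES -N "$CHAIN" 2>/dev/null || true
  $IPTABLES -D forwarding_rule -o "$WAN" -j "$CHAIN" 2>/dev/null || true
  $IPTABLES -I forwarding_rule -o "$WAN" -j "$CHAIN"
}

# Step 1 of the thread: block the host. Safe to run repeatedly, so the 4pm
# cron job re-blocks correctly whether or not the host is currently blocked.
block_host() {
  valid_ipv4 "$1" || { echo "block_host: bad IPv4 address '$1'" >&2; return 1; }
  setup_chain
  $IPTABLES -D "$CHAIN" -s "$1" -j REJECT 2>/dev/null || true
  $IPTABLES -A "$CHAIN" -s "$1" -j REJECT
}

# Step 2: lift the block (the 1pm cron job).
unblock_host() {
  valid_ipv4 "$1" || { echo "unblock_host: bad IPv4 address '$1'" >&2; return 1; }
  $IPTABLES -D "$CHAIN" -s "$1" -j REJECT
}

# Steps 2 and 3: crontab lines for a daily 13:00-16:00 unblock window.
cron_lines() {
  printf '0 13 * * * %s unblock %s\n' "$SCRIPT" "$1"
  printf '0 16 * * * %s block %s\n'   "$SCRIPT" "$1"
}

case "${1:-}" in
  block)   block_host "$2" ;;
  unblock) unblock_host "$2" ;;
  cron)    cron_lines "$2" ;;
  "")      ;;                          # no arguments: only define the functions
  *)       echo "usage: $0 block|unblock|cron <ipv4>" >&2; exit 1 ;;
esac
```

Usage: copy the file to /etc/lan_block.sh, add `sh /etc/lan_block.sh block 192.168.0.96` at the end of /etc/firewall.user so the block survives a firewall restart, and append the output of `sh /etc/lan_block.sh cron 192.168.0.96` to root's crontab (/etc/crontabs/root on OpenWrt, then restart crond). If your build's firewall init script sources firewall.user and then applies the /etc/config/firewall rules, restart that init script rather than running firewall.user by hand, since firewall.user flushes the shared chains on its own. As already noted in the thread, an IP-based block is only as strong as the host's willingness to keep that address; pair it with a static DHCP lease, or block by MAC, for anything beyond a sibling.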

The discussion might have continued from here.