[SOLVED] AFWall+ iptables help
# 1  
Old 02-27-2014
[SOLVED] AFWall+ iptables help

I am attempting to block connection to a specific BSSID. My friend's son has been getting around the access restrictions I set for the family on my friend's behalf (I have Tomato running on his Linksys), and his son has access to the neighbour's wifi. I want to be able to block the connection to this wifi. I am experimenting with this at home by trying to block my phone from accessing my router. I tried this IP table first:

Code:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

(of course, the 00:00:00:00:00:00 represents the actual MAC address which I am not posting here; and I used all caps for the address)

I still had access to the internet.

I also tried:

Code:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

Still had access. Though this is not ideal (because the public IP is dynamic and I have no access to the neighbour's router to add a dynamic dns address to implement this should I go this route), I then tried my public IP address:

Code:
$IPTABLES -I INPUT -s 11.222.33.44 -j DROP

I still had access to the internet through my router. So I tried this iptable for the fun of it:

Code:
$IPTABLES -I INPUT -s 11.222.33.44 -j REJECT

I could still access the internet. Is it even possible to do what I'm trying to do?

P.S. - My phone, as well as my friend's son's phone, is rooted.

Last edited by 3happypenguins; 02-27-2014 at 11:55 AM.. Reason: code tags
# 2  
Old 02-27-2014
This is what I use on our routers, which are oldish PCs running Linux, to block a particular customer's MAC from our WAN:

Code:
# Block local traffic
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
# Block routed traffic
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP

Your current firewall configuration may be relevant. If there's a -j ACCEPT rule which matches before these rules, these will be skipped. IOW, these rules should come early.

It requires NETFILTER_XT_MATCH_MAC to be selected in your kernel. If it's compiled as a module, it must be loaded. It seems to fail silently otherwise, for some reason, which is weird since most other failures like this scream bloody murder.

Phones being rooted shouldn't make a difference since what you're configuring is your router, yes?

Last edited by Corona688; 02-27-2014 at 12:25 PM..
# 3  
Old 02-27-2014
Quote:
Phones being rooted shouldn't make a difference since what you're configuring is your router, yes?
No. I have no access to the router that I am trying to block. I am trying to force my friend's son to use his router at home. What he is doing is disconnecting from the home router (which has access restrictions) and connecting to his neighbour's router (which does not) so he can be on his phone in the middle of the night with no blocks or filters (aka, porn).

I downloaded AFWall+ (a firewall app) on Android and I am attempting to put in some iptables that will block the phone from accessing the router based on the router's BSSID. I can find the neighbour's BSSID easily by going to Tools > Wireless Survey in the home router.

So in short, I want to put the iptables in the PHONE (via AFWall+) to block the phone from being able to access the neighbour's router.
# 4  
Old 02-27-2014
Well, the same principle ought to work on the client side, but if you're doing this in Android, you have a whole lot less control. It seems doubtful your manufacturer would have bothered including firewall functionality in the kernel.

You could ask your neighbor to change their password
# 5  
Old 02-27-2014
This is what the firewall rules look like (obviously changing any of my personal addresses)... yet, I still have internet access:

Code:
==========
IPv4 Rules
==========

Chain INPUT (policy ACCEPT 451 packets, 306K bytes)
pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
Chain OUTPUT (policy ACCEPT 459 packets, 86649 bytes)
pkts bytes target     prot opt in     out     source               destination        
  459 86649 afwall     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall (1 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi  all  --  *      eth+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      wlan+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      tiwlan+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      ra+     0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      bnep+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rmnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      pdp+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      uwbr+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      wimax+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      vsnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rmnet_sdio+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      ccmni+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      qmi+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      svnet0+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      wwan+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      cdma_rmnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      usb+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rment_usb+  0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g (13 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-postcustom  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-fork (2 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-home  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-home (1 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-3g-postcustom (1 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-roam (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-3g-tether (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-reject (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain afwall-vpn (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-wifi (5 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-postcustom  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-fork (2 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-lan (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-wifi-postcustom (1 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-tether (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-wifi-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-wan (1 references)
pkts bytes target     prot opt in     out     source               destination        

==================
Network interfaces
==================

eth0: wifi
ip6tnl0: unknown
sit0: unknown
usb0: 3G
gannet0: unknown
dummy0: unknown
lo: unknown

========
ifconfig
========

dummy0    Link encap:Ethernet  HWaddr AA:00:0A:A0:A0:A0 
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
eth0      Link encap:Ethernet  HWaddr 0A:00:0A:AA:00:AA 
          inet addr:192.168.1.22  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: aa00::a00:0aaa:aaaa:00aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:96070720 (91.6 MiB)  TX bytes:7081597 (6.7 MiB)
gannet0   Link encap:Ethernet  HWaddr A0:00:00:A0:0A:00 
          BROADCAST NOARP MULTICAST  MTU:1000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          NOARP  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:578 errors:0 dropped:0 overruns:0 frame:0
          TX packets:578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:62031 (60.5 KiB)  TX bytes:62031 (60.5 KiB)
sit0      Link encap:IPv6-in-IPv4 
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
usb0      Link encap:Ethernet  HWaddr 0A:00:0A:00:0A:00 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

===========
System info
===========

Android version: 2.3.6
Manufacturer: samsung
Model: SGH-T679
Build: GINGERBREAD.UVLG3
Active interface: wifi
Tether status: no
Roam status: no
IPv4 subnet: 192.168.1.22/24
IPv6 subnet:
/system/bin/su: 380532 bytes
/system/xbin/su: 380532 bytes
/system/app/Superuser.apk: 1468798 bytes
Superuser: com.noshufou.android.su v3.1.3

===========
Preferences
===========

appVersion: 152

======
Logcat
======

11:51:29 Starting root shell...
11:51:29 [libsuperuser] [SU%] START
11:51:33 Root shell is open
11:51:44 isWifiApEnabled is false

ENTER PROBLEM DESCRIPTION HERE:

# 6  
Old 02-27-2014
You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD.

Do you have the required things compiled for your kernel?

Code:
modprobe config # May not be needed
zcat /proc/config.gz | awk '/CONFIG_NETFILTER_XT_MATCH_MAC/'
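The two checks above (a MAC rule that never fires while the chain's ACCEPT policy keeps counting packets, and whether the kernel has the mac match at all) can be scripted. This is an added example, not code from the thread or from AFWall+; the sample chain dump is constructed from the INPUT chain posted above, and the config check assumes /proc/config.gz exists on the device.

```shell
#!/bin/sh
# Added example: audit an "iptables -L INPUT -v -n" dump for MAC-match rules
# that never matched while packets fell through to the ACCEPT policy, and
# check the kernel config for the mac match. Sample constructed from the thread.

SAMPLE_INPUT='Chain INPUT (policy ACCEPT 451 packets, 306K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable'

# policy_pkts: packets that reached the chain's default policy (i.e. matched no rule)
policy_pkts() {
    printf '%s\n' "$1" | sed -n 's/^Chain [A-Za-z]* (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# mac_rule_hits: sum of the packet counters of every rule carrying a MAC match.
# On a client, --mac-source in INPUT compares against the source MAC of the
# received frame, i.e. the router's LAN-side address, not the phone's own MAC.
mac_rule_hits() {
    printf '%s\n' "$1" | awk '/ MAC [0-9A-Fa-f:]+/ { sum += $1 } END { print sum + 0 }'
}

# audit_mac_rules: returns 0 if the MAC rules have matched traffic, 1 if they
# exist but matched nothing while the policy counted packets (wrong MAC, the
# xt_mac module not loaded, or an earlier ACCEPT rule shadowing them).
audit_mac_rules() {
    hits=$(mac_rule_hits "$1")
    fallthrough=$(policy_pkts "$1")
    if [ "$hits" -eq 0 ] && [ "${fallthrough:-0}" -gt 0 ]; then
        echo "MAC rules matched 0 packets while $fallthrough packets hit the ACCEPT policy"
        return 1
    fi
    echo "MAC rules matched $hits packets"
    return 0
}

# kernel_has_mac_match: the /proc/config.gz check from the thread, reduced to
# y (built in), m (module, must be loaded) or n (absent or config unreadable).
kernel_has_mac_match() {
    cfg=$(zcat /proc/config.gz 2>/dev/null | sed -n 's/^CONFIG_NETFILTER_XT_MATCH_MAC=\(.\)$/\1/p')
    echo "${cfg:-n}"
}

audit_mac_rules "$SAMPLE_INPUT"
echo "kernel mac match: $(kernel_has_mac_match)"
```

Run on the dump posted in this thread it reports the zero-hit condition, which is the symptom Corona688 is pointing at.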

# 7  
Old 02-27-2014
Quote:
Originally Posted by Corona688
You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD.

Do you have the required things compiled for your kernel?

Code:
modprobe config # May not be needed
zcat /proc/config.gz | awk '/CONFIG_NETFILTER_XT_MATCH_MAC/'

Can you further elaborate? In AFWall+, I navigate to 'Set Custom Script', then I enter
Code:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

I choose 'OK'. Then I go to the menu again, and choose 'Enable Firewall.' It says the rules are applied successfully. I go to an app, and I still have access to the internet.

I don't understand what you mean when you say "You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD."

I also don't understand what you mean when you say, "Do you have the required things compiled for your kernel?" Am I supposed to copy and paste the code you gave somewhere? If so, where? I am just using an app. I'm not using a command line.