[SOLVED] AFWall+ iptables help

I am attempting to block connection to a specific BSSID. My friend's son has been getting around the access restrictions I set for the family on my friend's behalf (I have Tomato running on his Linksys), and his son has access to the neighbour's wifi. I want to be able to block the connection to this wifi. I am experimenting with this at home by trying to block my phone from accessing my router. I tried this IP table first:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

(of course, the 00:00:00:00:00:00 represents the actual MAC address which I am not posting here; and I used all caps for the address)

I still had access to the internet.

I also tried:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

Still had access. Though this is not ideal (because the public IP is dynamic and I have no access to the neighbour's router to add a dynamic dns address to implement this should I go this route), I then tried my public IP address:

$IPTABLES -I INPUT -s 11.222.33.44 -j DROP

I still had access to the internet through my router. So I tried this iptable for the fun of it:

$IPTABLES -I INPUT -s 11.222.33.44 -j REJECT

I could still access the internet. Is it even possible to do what I'm trying to do?

P.S. - My phone, as well as my friend's son's phone is rooted.

This is what I use on our routers, which are oldish PCs running Linux, to block a particular customer's MAC from our WAN:

# Block local traffic
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
# Block routed traffic
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP

Your current firewall configuration may be relevant. If there's a -j ACCEPT rule which matches before these rules, these will be skipped. IOW, these rules should come early.

It requires NETFILTER_XT_MATCH_MAC to be selected in your kernel. If it's compiled as a module, it must be loaded. It seems to fail silently otherwise, for some reason, which is weird since most other failures like this scream bloody murder.

Phones being rooted shouldn't make a difference since what you're configuring is your router, yes?

No. I have no access to the router that I am trying to block. I am trying to force my friend's son to use his router at home. What he is doing is disconnecting from the home router (which has access restrictions) and connecting to his neighbour's router (which does not) so he can be on his phone in the middle of the night with no blocks or filters (aka, porn).

I downloaded AFWall+ (a firewall app) on Android and I am attempting to put in some iptables that will block the phone from accessing the router based on the router's BSSID. I can find the neighbour's BSSID easily by going to Tools > Wireless Survey in the home router.

So in short, I want to put the iptables in the PHONE (via AFWall+) to block the phone from being able to access the neighbour's router.

Well, the same principle ought to work on the client side, but if you're doing this in Android, you have a whole lot less control. It seems doubtful your manufacturer would have bothered including firewall functionality in the kernel.

You could ask your neighbor to change their password :wink:

This is what the firewall rules look like (obviously changing any of my personal addresses)... yet, I still have internet access:

==========
IPv4 Rules
==========

Chain INPUT (policy ACCEPT 451 packets, 306K bytes)
pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:0A:00:0A:00:0A reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
Chain OUTPUT (policy ACCEPT 459 packets, 86649 bytes)
pkts bytes target     prot opt in     out     source               destination        
  459 86649 afwall     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall (1 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi  all  --  *      eth+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      wlan+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      tiwlan+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      ra+     0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-wifi  all  --  *      bnep+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rmnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      pdp+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      uwbr+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      wimax+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      vsnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rmnet_sdio+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      ccmni+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      qmi+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      svnet0+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      wwan+   0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      cdma_rmnet+  0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      usb+    0.0.0.0/0            0.0.0.0/0          
    0     0 afwall-3g  all  --  *      rment_usb+  0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g (13 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-postcustom  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-fork (2 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-home  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-home (1 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-3g-postcustom (1 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-3g-roam (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-3g-tether (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-3g-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-reject (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain afwall-vpn (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-wifi (5 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-postcustom  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-fork (2 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-lan (0 references)
pkts bytes target     prot opt in     out     source               destination        
Chain afwall-wifi-postcustom (1 references)
pkts bytes target     prot opt in     out     source               destination        
  457 86549 afwall-wifi-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-tether (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 afwall-wifi-fork  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
Chain afwall-wifi-wan (1 references)
pkts bytes target     prot opt in     out     source               destination        

==================
Network interfaces
==================

eth0: wifi
ip6tnl0: unknown
sit0: unknown
usb0: 3G
gannet0: unknown
dummy0: unknown
lo: unknown

========
ifconfig
========

dummy0    Link encap:Ethernet  HWaddr AA:00:0A:A0:A0:A0 
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
eth0      Link encap:Ethernet  HWaddr 0A:00:0A:AA:00:AA 
          inet addr:192.168.1.22  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: aa00::a00:0aaa:aaaa:00aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:96070720 (91.6 MiB)  TX bytes:7081597 (6.7 MiB)
gannet0   Link encap:Ethernet  HWaddr A0:00:00:A0:0A:00 
          BROADCAST NOARP MULTICAST  MTU:1000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          NOARP  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:578 errors:0 dropped:0 overruns:0 frame:0
          TX packets:578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:62031 (60.5 KiB)  TX bytes:62031 (60.5 KiB)
sit0      Link encap:IPv6-in-IPv4 
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
usb0      Link encap:Ethernet  HWaddr 0A:00:0A:00:0A:00 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

===========
System info
===========

Android version: 2.3.6
Manufacturer: samsung
Model: SGH-T679
Build: GINGERBREAD.UVLG3
Active interface: wifi
Tether status: no
Roam status: no
IPv4 subnet: 192.168.1.22/24
IPv6 subnet:
/system/bin/su: 380532 bytes
/system/xbin/su: 380532 bytes
/system/app/Superuser.apk: 1468798 bytes
Superuser: com.noshufou.android.su v3.1.3

===========
Preferences
===========

appVersion: 152

======
Logcat
======

11:51:29 Starting root shell...
11:51:29 [libsuperuser] [SU%] START
11:51:33 Root shell is open
11:51:44 isWifiApEnabled is false

ENTER PROBLEM DESCRIPTION HERE:

You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD.

Do you have the required things compiled for your kernel?

modprobe config # May not be needed
zcat /proc/config.gz | awk '/CONFIG_NETFILTER_XT_MATCH_MAC/'

Can you further elaborate? In AFWall+, I navigate to 'Set Custom Script', then I enter

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

I choose 'OK'. Then I go to the menu again, and choose 'Enable Firewall.' It says the rules are applied successfully. I go to an app, and I still have access to the internet.

I don't understand what you mean when you say "You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD."

I also don't understand what you mean when you say, "Do you have the required things compiled for your kernel?" Am I supposed to copy and paste the code you gave somewhere? If so, where? I am just using an app. I'm not using a command line.

Go to a command line, and run that command.

I downloaded the "Android Terminal Emulator" app. I typed in

su

and pressed enter. That made the superuser app pop up and I allowed it.

Then I typed in

modprobe config

and pressed enter. It then said, "modprobe: can't change directory to '2.6.35.7-perf-T680UVLG3-CL1165714': No such file or directory."

Then I typed in

zcat /proc/config.gz | awk '/CONFIG_NETFILTER_XT_MATCH_MAC/'

and pressed enter. Then all it said was "CONFIG_NETFILTER_XT_MATCH_MAC=y"

I don't know what that means. And I also still have internet access.

Well, your phone definitely supports mac filtering -- it's y, not no. And it doesn't need modprobe -- it's y, not m. So you shouldn't need to load anything special to get it to work. Which is very good since it's probably not feasible for you to change it... config.gz is a list of options that particular kernel was built with.

Please try the script I suggested (slightly changed to match the syntax your app seems to need):

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
$IPTABLES -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP

The FORWARD table may be necessary depending on how the phone uses its internet connection; packets might make it to the FORWARD chain instead of the INPUT chain first. It'd end up in INPUT eventually, but after it passes through FORWARD, it loses its MAC address.

I don't think REJECT makes sense in all contexts, and DROP definitely works on my systems.

Oh... Which MAC address are you putting in there? The router's, right?

Ok, I put in the code that you said:

$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
$IPTABLES -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP

Still not blocking internet access.

I was totally lost when you said this:

Not sure if this has to do with anything, but I enabled logs in AFWall+, but when I go to look, it always says "Log is Empty," even if I browse around on the internet. It's always just empty.

It'd make more sense if you've ever built your own kernel. You get a list of options to choose from, and get to pick whether device drivers are disabled (n), built-in (y), or put in modules to load later (m). /proc/config.gz is a list of what options were picked when the kernel was made.

The point is, this kernel has built-in support for mac filtering.

Does the AF+ documentation say to use $IPTABLES instead of iptables, or did you pick that up from an example somewhere? Try plain 'iptables'.

I know nothing about AF+, so I couldn't say. iptables itself doesn't log unless told, but a firewall generator which talks to iptables could do who-knows-what.

My suggestion would be:

1) Turn off AF+
2) Type iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP and iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP into a root console
3) See if that works

If that works, you might just be fighting your firewall generator.

P.S: There's probably not much reason to obscure your MAC address. That's not useful to anyone outside your local network.
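The y/m/n distinction above decides whether anything has to be loaded before a `-m mac` rule can work. Here is an added example (not from this thread or from AFWall+) that reads the decompressed kernel config, classifies `CONFIG_NETFILTER_XT_MATCH_MAC`, names the matching action, and then confirms at runtime that the match is registered, which the config alone cannot tell you. The config lines used in the demo are constructed; `xt_mac` is the real module name for this match, and `/proc/net/ip_tables_matches` is the kernel's list of registered matches (it appears once the ip_tables core is loaded).

```shell
#!/bin/sh
# Added example: classify how the MAC match was built into this kernel and
# check whether it is usable right now.

# Classify CONFIG_NETFILTER_XT_MATCH_MAC from kernel config text on stdin.
# Prints builtin (y), module (m) or absent (no line, or "# ... is not set").
xt_mac_build_state() {
    state=$(awk -F= '$1 == "CONFIG_NETFILTER_XT_MATCH_MAC" { print $2; exit }')
    case "$state" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# What each state means for the person typing rules: a module must be loaded
# first (xt_mac), built-in needs nothing, absent cannot be fixed without a
# different kernel.
action_for_state() {
    case "$1" in
        builtin) echo "nothing to load" ;;
        module)  echo "modprobe xt_mac" ;;
        *)       echo "unsupported: needs a kernel with the mac match" ;;
    esac
}

# Runtime confirmation independent of the config file: the kernel lists every
# registered match name, one per line, in /proc/net/ip_tables_matches.
mac_match_loaded() {
    [ -r /proc/net/ip_tables_matches ] && grep -qx mac /proc/net/ip_tables_matches
}

# Only runs where /proc/config.gz exists (Android kernels usually export it).
if [ -r /proc/config.gz ]; then
    st=$(zcat /proc/config.gz | xt_mac_build_state)
    echo "MAC match build state: $st -> $(action_for_state "$st")"
    if [ "$st" = module ] && ! mac_match_loaded; then
        modprobe xt_mac   # needs root; harmless if already loaded
    fi
    if mac_match_loaded; then
        echo "mac match is registered with the kernel"
    else
        echo "mac match not registered (load it, or the kernel lacks it)"
    fi
fi
```

The runtime check is the one worth keeping: a rule that installs "successfully" but never matches is exactly the silent failure described earlier in the thread, and `/proc/net/ip_tables_matches` answers the question without trusting the build config.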

If I turned off AFWall+, I had no internet access. So I just uninstalled it. When you said "root console," I assume you mean the Android Terminal Emulator app? I opened that app, and typed in:

iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

and pressed enter. It just went to a new line. Didn't say or tell me anything. Then I typed in:

iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP

and pressed enter. Still didn't give me any message. Just a new line. Went to open another app... still had internet access. :confused:

Depends on whether "android terminal emulator app" gives you a root console or not...

People who root their androids often install sshd, so they can ssh into an actual terminal without any "app" nonsense or uncertainty. Some of these terminal apps are half-pretend.

Which MAC address are you putting in? The router's, right?

Yes, I'm putting in router's MAC address (BSSID). After I typed in those commands into the terminal app, I typed in iptables -L and it didn't show my changes.

Ok... I already have PuTTY for Windows, and I downloaded an app called SSH Server onto my Android. I was able to successfully connect with PuTTY. But when I type "su" into the PuTTY terminal to get root access, it says "Permission Denied." I also tried logging in with PuTTY as "root". But then it asks me for a password, and I don't know the root password. I tried searching, but I can't find any answers. People are saying, "You don't need to use your root password; Superuser does the job." I don't know what to do to make my phone let PuTTY get root permissions.

I'm not sure that's the same MAC as ARP uses, which is what MAC matching checks.

Double check which MACs your Android thinks belong to which IPs by running arp -n from your terminal app.

I just did that and it's showing a different MAC address. It's labelling it as "[ether] on eth0". I checked in my router, and it's showing my LAN MAC address. I've tried my LAN (and WAN) in the past already and it won't block access to the router with them either.

I think the BSSID is only relevant for the wireless communication layer -- strip that away and you get plain old ethernet.

Try blocking that mac, instead of the BSSID.
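The point being made here is that `-m mac --mac-source` compares against the Ethernet source address the phone sees once the 802.11 layer is stripped, which is what `arp -n` reports for the gateway, not the BSSID. The following is an added example, not code from the thread or from AFWall+: it extracts the gateway's MAC from `arp -n` output, validates it, builds the INPUT and FORWARD rules, and then checks that the rules are actually listed (one of the symptoms above was rules that silently did not appear). The `arp -n` lines in the demo are constructed; the rules use `-I ... 1` rather than the thread's `-A` so they land ahead of any ACCEPT a firewall app may already have installed.

```shell
#!/bin/sh
# Added example: block the gateway by the MAC that ARP binds to its IP.

# Print the upper-cased MAC that arp output (on stdin) associates with IP $1.
# Handles "? (192.168.1.1) at aa:bb:.. [ether] on eth0" (busybox/Android) and
# the net-tools table form "192.168.1.1 ether aa:bb:.. C eth0".
gateway_mac_from_arp() {
    awk -v ip="$1" '
        BEGIN { hh = "[0-9A-Fa-f][0-9A-Fa-f]"
                mac_re = "^" hh ":" hh ":" hh ":" hh ":" hh ":" hh "$" }
        {
            hit = 0
            for (i = 1; i <= NF; i++) { f = $i; gsub(/[()]/, "", f); if (f == ip) hit = 1 }
            if (!hit) next
            for (i = 1; i <= NF; i++) if ($i ~ mac_re) { print toupper($i); exit }
        }'
}

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the two rules. Inserting at position 1 keeps them ahead of any ACCEPT
# rule that would otherwise match first and make them dead.
block_rules_for_mac() {
    is_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    printf 'iptables -I INPUT 1 -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD 1 -m mac --mac-source %s -j DROP\n' "$1"
}

# Apply the rules (needs a real root shell) and confirm they are listed,
# since "iptables -L" showing nothing afterwards means they never went in.
apply_block_rules() {
    mac="$1"
    block_rules_for_mac "$mac" | sh || return 1
    iptables -L INPUT -n | grep -q "MAC $mac" || { echo "rule not installed" >&2; return 1; }
}

# Demo on constructed arp output; no root needed, nothing is applied.
SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.40) at aa:bb:cc:dd:ee:ff [ether] on eth0'
GW_MAC=$(printf '%s\n' "$SAMPLE_ARP" | gateway_mac_from_arp 192.168.1.1)
echo "gateway MAC from ARP: $GW_MAC"
block_rules_for_mac "$GW_MAC"
```

On a phone you would feed it live output (`arp -n | gateway_mac_from_arp 192.168.1.1`) and then call `apply_block_rules` with the result from a root shell; if the grep at the end fails, the shell was not root or the match is not available, which is the same diagnosis the thread arrives at by trial and error.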

IT WORKS!!!

*facepalm*. So it's definitely my LAN MAC address that needs to be used. However, when I had tried the LAN address before, it didn't work because I needed to REBOOT MY PHONE!!! It finally occurred to me when I thought, "Hey, whenever I make firewall iptables rules changes in Tomato or DD-WRT, I always have to reboot the router to make the changes take effect."

So, I put in the LAN MAC address, rebooted the phone, and voila! Can't connect to the internet!!! :slight_smile:

Now... I guess I'll have to use the "arp -n" code in a terminal app in my friend's son's phone while connected to the neighbour's router. I was just planning on using the BSSID of the neighbour's router... but clearly that won't work.

Actually -- it only appears in arp once you've already connected and started communicating, so that's no good.

You might just have to store the numbers somewhere.

Another thing you could do is allow one particular MAC, and disallow all others...
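The allow-one-MAC approach avoids having to learn every other router's MAC in advance. Below is an added example (not from the thread or from AFWall+) of that variant: one negated rule per chain, scoped to the Wi-Fi interface so mobile data and loopback are untouched, plus the matching delete commands so the rules can be undone without a reboot. The interface name `eth0` comes from the AFWall+ report above and is an assumption for any other phone; the MAC addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example: permit only the home gateway's MAC on Wi-Fi, drop the rest.

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
is_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Emit rules that drop any packet arriving on the Wi-Fi interface whose
# source MAC is not the home gateway's. Inserted at position 1 so no earlier
# ACCEPT can shadow them. (Very old iptables wrote the negation as
# "--mac-source ! MAC" instead of "! --mac-source MAC".)
allowlist_rules() {
    home_mac="$1"; ifname="${2:-eth0}"
    is_mac "$home_mac" || { echo "bad MAC: $home_mac" >&2; return 1; }
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s 1 -i %s -m mac ! --mac-source %s -j DROP\n' \
            "$chain" "$ifname" "$home_mac"
    done
}

# Turn the insert commands into the matching delete commands, so a wrong MAC
# (which would cut the home network off too) can be backed out quickly.
undo_rules() { sed 's/ -I \([A-Z]*\) 1 / -D \1 /'; }

# Apply, then back out automatically unless $3 seconds pass and the file
# /tmp/allowlist.ok exists: a safety net against locking yourself out.
apply_allowlist_with_undo() {
    home_mac="$1"; ifname="${2:-eth0}"; grace="${3:-60}"
    allowlist_rules "$home_mac" "$ifname" | sh || return 1
    (
        sleep "$grace"
        [ -e /tmp/allowlist.ok ] && exit 0
        allowlist_rules "$home_mac" "$ifname" | undo_rules | sh
    ) &
}

# Demo with a constructed home-gateway MAC; prints the rules and their undo.
HOME_MAC=00:11:22:33:44:55
allowlist_rules "$HOME_MAC"
allowlist_rules "$HOME_MAC" | undo_rules
```

Run `apply_allowlist_with_undo "$HOME_MAC" eth0 60` from a root shell, confirm the home Wi-Fi still works, then `touch /tmp/allowlist.ok` within the grace period; otherwise the rules remove themselves. Note that the rules match per packet, so the phone can still associate with another access point; it simply gets no IP traffic back from it.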