I am attempting to block connection to a specific BSSID. My friend's son has been getting around the access restrictions I set for the family on my friend's behalf (I have Tomato running on his Linksys), and his son has access to the neighbour's wifi. I want to be able to block the connection to this wifi. I am experimenting with this at home by trying to block my phone from accessing my router. I tried this IP table first:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
(of course, the 00:00:00:00:00:00 represents the actual MAC address which I am not posting here; and I used all caps for the address)
I still had access to the internet.
I also tried:
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT
Still had access. Though this is not ideal (because the public IP is dynamic and I have no access to the neighbour's router to add a dynamic dns address to implement this should I go this route), I then tried my public IP address:
$IPTABLES -I INPUT -s 11.222.33.44 -j DROP
I still had access to the internet through my router. So I tried this iptable for the fun of it:
$IPTABLES -I INPUT -s 11.222.33.44 -j REJECT
I could still access the internet. Is it even possible to do what I'm trying to do?
P.S. - My phone, as well as my friend's son's phone, is rooted.
This is what I use on our routers, which are oldish PCs running Linux, to block a particular customer's MAC from our WAN:
# Block local traffic
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
# Block routed traffic
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
Your current firewall configuration may be relevant. If there's a -j ACCEPT rule which matches before these rules, these will be skipped. IOW, these rules should come early.
It requires NETFILTER_XT_MATCH_MAC to be selected in your kernel. If it's compiled as a module, it must be loaded. It seems to fail silently otherwise, for some reason, which is weird since most other failures like this scream bloody murder.
Phones being rooted shouldn't make a difference since what you're configuring is your router, yes?
No. I have no access to the router that I am trying to block. I am trying to force my friend's son to use his router at home. What he is doing is disconnecting from the home router (which has access restrictions) and connecting to his neighbour's router (which does not) so he can be on his phone in the middle of the night with no blocks or filters (aka, porn).
I downloaded AFWall+ (a firewall app) on Android and I am attempting to put in some iptables that will block the phone from accessing the router based on the router's BSSID. I can find the neighbour's BSSID easily by going to Tools > Wireless Survey in the home router.
So in short, I want to put the iptables in the PHONE (via AFWall+) to block the phone from being able to access the neighbour's router.
Well, the same principle ought to work on the client side, but if you're doing this in Android, you have a whole lot less control. It seems doubtful your manufacturer would have bothered including firewall functionality in the kernel.
You could ask your neighbor to change their password
Can you further elaborate? In AFWall+, I navigate to 'Set Custom Script', then I enter
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT
I choose 'OK'. Then I go to the menu again, and choose 'Enable Firewall.' It says the rules are applied successfully. I go to an app, and I still have access to the internet.
I don't understand what you mean when you say "You seem to have the same rule in INPUT twice -- instead of once in INPUT, another in FORWARD."
I also don't understand what you mean when you say, "Do you have the required things compiled for your kernel?" Am I supposed to copy and paste the code you gave somewhere? If so, where? I am just using an app. I'm not using a command line.
Well, your phone definitely supports mac filtering -- it's y, not no. And it doesn't need modprobe -- it's y, not m. So you shouldn't need to load anything special to get it to work. Which is very good since it's probably not feasible for you to change it... config.gz is a list of options that particular kernel was built with.
Please try the script I suggested (slightly changed to match the syntax your app seems to need):
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
$IPTABLES -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
The FORWARD table may be necessary depending on how the phone uses its internet connection; packets might make it to the FORWARD chain instead of the INPUT chain first. It'd end up in INPUT eventually, but after it passes through FORWARD, it loses its MAC address.
I don't think REJECT makes sense in all contexts, and DROP definitely works on my systems.
Oh... Which MAC address are you putting in there? The router's, right?
$IPTABLES -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
$IPTABLES -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
Still not blocking internet access.
I was totally lost when you said this:
Not sure if this has to do with anything, but I enabled logs in AFWall+, but when I go to look, it always says "Log is Empty," even if I browse around on the internet. It's always just empty.
It'd make more sense if you've ever built your own kernel. You get a list of options to choose from, and get to pick whether device drivers are disabled (n), built-in (y), or put in modules to load later (m). /proc/config.gz is a list of what options were picked when the kernel was made.
The point is, this kernel has built-in support for mac filtering.
Does the AF+ documentation say to use $IPTABLES instead of iptables, or did you pick that up from an example somewhere? Try plain 'iptables'.
I know nothing about AF+, so I couldn't say. iptables itself doesn't log unless told, but a firewall generator which talks to iptables could do who-knows-what.
My suggestion would be:
1) Turn off AF+
2) Type iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP and iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP into a root console
3) See if that works
If that works, you might just be fighting your firewall generator.
P.S: There's probably not much reason to obscure your MAC address. That's not useful to anyone outside your local network.
If I turned off AFWall+, I had no internet access. So I just uninstalled it. When you said "root console," I assume you mean the Android Terminal Emulator app? I opened that app, and typed in:
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
and pressed enter. It just went to a new line. Didn't say or tell me anything. Then I typed in:
iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
and pressed enter. Still didn't give me any message. Just a new line. Went to open another app... still had internet access.
Depends on whether "android terminal emulator app" gives you a root console or not...
People who root their androids often install sshd, so they can ssh into an actual terminal without any "app" nonsense or uncertainty. Some of these terminal apps are half-pretend.
Which MAC address are you putting in? The router's, right?
Yes, I'm putting in the router's MAC address (BSSID). After I typed those commands into the terminal app, I typed in iptables -L and it didn't show my changes.
Ok... I already have PuTTY for Windows, and I downloaded an app called SSH Server onto my Android. I was able to successfully connect with PuTTY. But when I type "su" into the PuTTY terminal to get root access, it says "Permission Denied." I also tried logging in to PuTTY as "root", but then it asks me for a password, and I don't know the root password. I tried searching, but I can't find any answers. People are saying, "You don't need to use your root password; Superuser does the job." I don't know what to do to make my phone let PuTTY get root permissions.
I just did that and it's showing a different MAC address. It's labelling it as "[ether] on eth0". I checked in my router, and it's showing my LAN MAC address. I've tried my LAN (and WAN) in the past already and it won't block access to the router with them either.
*facepalm*. So it's definitely my LAN MAC address that needs to be used. However, when I had tried the LAN address before, it didn't work because I needed to REBOOT MY PHONE!!! It finally occurred to me when I thought, "Hey, whenever I make firewall iptables rules changes in Tomato or DD-WRT, I always have to reboot the router to make the changes take effect."
So, I put in the LAN MAC address, rebooted the phone, and voila! Can't connect to the internet!!!
Now... I guess I'll have to use the "arp -n" code in a terminal app in my friend's son's phone while connected to the neighbour's router. I was just planning on using the BSSID of the neighbour's router... but clearly that won't work.
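The thread's conclusion is that `-m mac --mac-source` matches the MAC of the frame actually arriving on the phone's interface, which is the router's LAN-side MAC shown by `arp -n`, not the BSSID from a wireless survey. As an added example that is not part of the thread, the shell functions below take the gateway IP and a captured `arp -n` listing (a constructed sample here), pull out that LAN MAC, and emit the two DROP rules from the earlier replies so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Resolve the gateway's LAN MAC from
# `arp -n` output and print the INPUT/FORWARD DROP rules used in the thread.
# The rules are only printed; apply them yourself in a real root shell.

# Constructed sample of `arp -n` output (not captured from a real device).
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   AA:BB:CC:DD:EE:01   C                     wlan0
192.168.1.23             ether   aa:bb:cc:dd:ee:02   C                     wlan0'

# gateway_mac GATEWAY_IP ARP_OUTPUT
# Prints the lower-cased MAC for GATEWAY_IP; exits non-zero if the IP has no
# resolved ("ether") entry, so a missing neighbour is never silently blocked.
gateway_mac() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == ip && $2 == "ether" { print tolower($3); found = 1 }
        END { exit !found }'
}

# block_rules MAC
# Prints the two rules from the thread: INPUT for traffic addressed to the
# phone itself, FORWARD in case the phone routes (e.g. tethering) and the
# frame is seen there first.
block_rules() {
    printf 'iptables -A INPUT -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -A FORWARD -m mac --mac-source %s -j DROP\n' "$1"
}

# Stand-alone run against the constructed sample: 192.168.1.1 is the gateway.
if mac=$(gateway_mac 192.168.1.1 "$SAMPLE_ARP"); then
    block_rules "$mac"
else
    echo "gateway not found in ARP table; nothing to block" >&2
fi
```

On a real device, replace `SAMPLE_ARP` with `$(arp -n)` taken while connected to the router in question, and remember from the thread that the rules only took effect after a reboot on the author's phone.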