Block a LAN client's internet access on a schedule (daytime)

murat göttendelik

Occasional Visitor
I want my Xbox to download updates only at night, between 2:00 and 8:00 in the morning. So I want to block its access to specific destinations (Microsoft Xbox update servers/ports) for the rest of the day.

Is it possible to achieve this through the GUI?

If not, how can I do it using iptables and a script?
 
I don't think the easy-to-use firewall Network Services Filter GUI fully meets your requirements, so here are a couple of scripting solutions.

Basically you could implement a permanent blocking rule for the Xbox, and open the designated window of opportunity where it can do its stuff in the early hours.

There are a couple of ways - static vs. dynamic.

First the static method.

e.g. suppose the Xbox is 192.168.10.24, and only between 02:00-08:00 should it be allowed access using two TCP Ports 12345 and 54321 to the Microsoft servers:

/jffs/scripts/firewall-start
Code:
# $MICROSOFT must be defined earlier in this script (the update server address(es), see below).
# Both rules are inserted just above the first 'other2wan' rule in FORWARD: the ACCEPT goes in
# first, then the DROP lands immediately below it, so the time window is checked before the block.
# NOTE: '-m time' compares against UTC unless '--kerneltz' is added, so set the window accordingly.
iptables -I FORWARD "$(iptables -nvL FORWARD --line -t filter | grep -m 1 "other2wan" | cut -d' ' -f1)" -s 192.168.10.24 -d "$MICROSOFT" -i br0 -o eth0 -p tcp -m multiport --dport 12345,54321 -m time --timestart 02:00 --timestop 07:59 -j ACCEPT

iptables -I FORWARD "$(iptables -nvL FORWARD --line -t filter | grep -m 1 "other2wan" | cut -d' ' -f1)" -s 192.168.10.24 -d "$MICROSOFT" -i br0 -o eth0 -j DROP


Alternatively, the second, static method.

So again, you would have only the 'firewall-start' DROP rule permanently in place for the Xbox (as per the static method above), but have a couple of cru (cron) jobs - to open the access window @02:00, then close it again @07:59.

/jffs/scripts/init-start
Code:
# NOTE: the "$(...)" insert-position lookup and $MICROSOFT are expanded by the shell when
#       init-start runs (at boot), so the stored cron commands carry the values as of that moment.
cru a XBOXAllow "00 02 * * *" iptables -I FORWARD "$(iptables -nvL FORWARD --line -t filter | grep -m 1 "other2wan" | cut -d' ' -f1)" -s 192.168.10.24 -d $MICROSOFT -i br0 -o eth0 -p tcp -m multiport --dport 12345,54321 -j ACCEPT

cru a XBOXBlock "59 07 * * *" iptables -D FORWARD -s 192.168.10.24 -d $MICROSOFT -i br0 -o eth0 -p tcp -m multiport --dport 12345,54321 -j ACCEPT
NOTE: Unless the Microsoft servers are static IPs, the problem you will have is that the iptables rules will resolve the Microsoft servers when they are executed, so it may be prudent to store all of them in an IPSET, to ensure that a single unblocking rule will apply to any of the ACTIVE Microsoft servers.

Hope this gets you started.

EDIT: Updated rule insert position detection. :oops:
It appears you have two 'other2wan' rules (Dual-WAN?) - 'eth0' and 'ppp0'.
 

Thanks. I have some questions:

1.
The output of the following line gives me 2 iptables rules:
Code:
admin@RT-AC88U-DF80:/tmp/home/root# iptables -nvL FORWARD --line -t filter | grep "other2wan"
3 0 0 other2wan all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
4 0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0

In this case, your suggested "iptables -I FORWARD N" rule inserts the new rule before 3, is that correct?

2.
What does your proposed iptables command do exactly?
What I understand is that it allows access only to the 2 specified ports of destination $MICROSOFT and blocks the rest.
However, my requirement is BLOCKing access to specified ports.

3.
What do I need to do to use these scripts? (/jffs/scripts/init-start or /jffs/scripts/firewall-start)
Do they run "at startup"/"after firewall start" out of the box, or do I need to enable anything for that?

4.
Do you by any chance know what is the correct port for Microsoft game updates?
Some source on the internet says that the following ports are required for Xbox Live. But is there a specific port for game updates?
  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
Another source says:
  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
  • Port 500 (UDP)
  • Port 3544 (UDP)
  • Port 4500 (UDP)
 
> 1.
> The output of the following line gives me 2 iptables rules:
> admin@RT-AC88U-DF80:/tmp/home/root# iptables -nvL FORWARD --line -t filter | grep "other2wan"
> 3 0 0 other2wan all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
> 4 0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
>
> In this case, your suggested "iptables -I FORWARD N" rule inserts the new rule before 3, is that correct?

Yes.
EDIT: Updated rule insert position detection. :oops:
It appears you have two 'other2wan' rules (Dual-WAN?) - 'eth0' and 'ppp0'.

You could always choose to insert your custom rules at the top of the FORWARD chain, but IMHO there is a slight performance/efficiency gain by inserting custom rules immediately above the first 'other2wan' rule (when appropriate).

> 2.
> What does your proposed iptables command do exactly?
> What I understand is that it allows access only to the 2 specified ports of destination $MICROSOFT and blocks the rest.
> However, my requirement is BLOCKing access to specified ports.

Not 100% sure :confused:, but I think my example solution will grant access to the two ports ONLY during the 7 hour period 02:00-08:00 as you originally required, but for the rest of the 24 hour period (17 hours) the DROP rule BLOCKS ALL access for the Xbox.

If the 17 hour period blocking rule is deemed too strict, then explicitly add the same Microsoft servers/ports you want to block (copy'n'paste from the ACCEPT rule) to the DROP rule.

> 3.
> What do I need to do to use these scripts? (/jffs/scripts/init-start or /jffs/scripts/firewall-start)
> Do they run "at startup"/"after firewall start" out of the box, or do I need to enable anything for that?

Same as I already answered in your other post, but I suggest you read/digest the RMerlin Wiki, especially the section on User scripts and how to exploit/enable them.

> 4.
> Do you by any chance know what is the correct port for Microsoft game updates?

No

> is there a specific port for game updates

No idea

(P.S. I am not, nor have I ever been an Xbox gamer.)
 

OK, thanks for the explanation.
Again, some questions:

1.
You've also stated that there is a non-static (dynamic?) method. What is that?
What is an IPSET? Is that related to the dynamic method you've mentioned?

2.
What is the $MICROSOFT variable? Echoing it on the shell now gives nothing...
Btw, I don't need to define the destination IP if I can find the exact port to block.
When I check the traffic stats from the GUI, I see the following traffic from the XBOX1 client.
I want to block the traffic labeled XBOX. How can I identify the IP & PORTS used for that traffic?

Code:
Client Name: XBOX1
App Name                     Upload     Download      Total
XBOX                         1.06 GB    47.67 GB      48.72 GB
General                      40.22 MB   72.46 MB      112.68 MB
Web File Transfer            1.41 MB    70.40 MB      71.81 MB
SSL/TLS                      4.57 MB    53.61 MB      58.19 MB
Electronic Arts              3.07 MB    51.82 MB      54.89 MB
Microsoft(SSL)               7.93 MB    33.46 MB      41.39 MB
Akamai.net                   88.76 KB   3.24 MB       3.33 MB
Microsoft Windows Update     288.36 KB  714.88 KB     1003.24 KB
Skype                        140.12 KB  283.65 KB     423.77 KB
HTTP                         72.39 KB   233.73 KB     306.12 KB
HTTP Protocol over TLS SSL   164.75 KB  144.00 Bytes  164.89 KB
Youtube                      5.83 KB    103.37 KB     109.20 KB
OneDrive                     3.66 KB    52.50 KB      56.16 KB
World Wide Web HTTP          13.08 KB   156.00 Bytes  13.23 KB
 
> 1.
> You've also stated that there is a non-static (dynamic?) method. What is that?

The distinction between the two is clearly highlighted in bold in the solution I posted (see post #3)

> What is an IPSET?

What is an IPSET?

> 2.
> What is the $MICROSOFT variable? Echoing it on the shell now gives nothing...

When scripting it is convenient to use variables, so as an example, script variable $MICROSOFT would contain a CSV list of their update servers (assuming you have identified all of them, rather than storing them in an IPSET), to reduce the number of code lines required in the script.

> How can I identify the IP & PORTS used for that traffic?

Create a logging rule based on either the Xbox's MAC address (one for each Xbox)
Code:
# Logs the first packet of every new connection the Xbox opens, tagged "Xbox " in syslog
iptables -I FORWARD -i br0 -m mac --mac-source xx:xx:xx:xx:xx:xx -m state --state NEW -j LOG --log-prefix "Xbox " --log-tcp-sequence --log-tcp-options --log-ip-options
or by IP address/hostname (e.g. Xbox1), where rather than having to issue multiple MAC filter rules, you can specify multiple IP-referenced Xboxes using a single iptables rule/command
Code:
iptables -I FORWARD -i br0 -s Xbox1,Xbox2 -m state --state NEW -j LOG --log-prefix "Xbox " --log-tcp-sequence --log-tcp-options --log-ip-options
then after the Xbox has accessed the Microsoft update servers, simply scan the syslog and extract the "Xbox" tagged log lines to find which IPs/ports were used by the Xbox(es).
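As an added example (not from the thread), the following shell function does the syslog extraction step just described: it keeps only the lines carrying the "Xbox " log prefix and tallies them per destination IP, port and protocol, so the big download destinations stand out. The syslog lines, addresses and MAC below are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise the "Xbox " tagged kernel LOG lines from syslog
# as a per-destination hit count (most used destination first).

# Constructed sample syslog lines in the format the iptables LOG target writes
# (hostname, addresses and the interleaved unrelated lines are made up).
SAMPLE_SYSLOG='Nov 19 10:00:36 RT-AC88U kernel: Xbox IN=br0 OUT=ppp0 SRC=192.168.10.24 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 10:00:36 RT-AC88U kernel: Xbox IN=br0 OUT=ppp0 SRC=192.168.10.24 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 10:00:37 RT-AC88U kernel: Xbox IN=br0 OUT=ppp0 SRC=192.168.10.24 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=49154 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 10:00:37 RT-AC88U kernel: Xbox IN=br0 OUT=ppp0 SRC=192.168.10.24 DST=198.51.100.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=49155 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 10:00:38 RT-AC88U kernel: Xbox IN=br0 OUT=ppp0 SRC=192.168.10.24 DST=203.0.113.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=5 PROTO=UDP SPT=3074 DPT=3074 LEN=44
Nov 19 10:00:38 RT-AC88U kernel: DROP IN=ppp0 OUT= SRC=203.0.113.99 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4444 DPT=22 SYN
Nov 19 10:00:39 RT-AC88U dnsmasq[123]: query[A] example.com from 192.168.10.24'

# xbox_destinations: read syslog on stdin, keep only lines tagged with the
# "Xbox " log prefix and print "<hits> <proto> <dst>:<dport>" per distinct
# destination, busiest first. LOG output has no fixed column layout (UDP lines
# lack WINDOW/RES, options add extra tokens), so fields are matched by key.
xbox_destinations() {
    awk '
        / kernel: Xbox / {
            proto = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto != "" && dst != "" && dpt != "") hits[proto " " dst ":" dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# top_destination: only the single most-contacted destination
top_destination() {
    xbox_destinations | head -n 1
}

printf '%s\n' "$SAMPLE_SYSLOG" | xbox_destinations
```

On the router the input would be the live log (/tmp/syslog.log on Asuswrt) rather than the constructed sample, e.g. `xbox_destinations < /tmp/syslog.log`.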
 
Thanks. So there's no way to understand what lies behind the XBOX tagged traffic on the traffic analyzer?
Because I'm sure when it updates, it will try to access several ports. I just want to block the port over which it downloads data (the big part of the download).
That's why I would prefer to get the ports used in the "XBOX" tagged traffic instead of syslog output.
 

I have just run a report against the Traffic Analyzer database (and for brevity filtered by one device @10:00:00 today)

Code:
./TrafficAnalyzer_Report.sh   date=2018/11/19   ip=10.88.8.157   time=10:

(TrafficAnalyzer_Report.sh): 8160 v1.07 Traffic Analyzer starting.....

 NOTE: Columns in white are eligible for filters; red text indicates a match on the filters requested. (URLs are Xshell5/MobaXterm hyperlinks)

 Filter by Date, AND by IP, AND by Time ==> '2018-11-19|58:XX:XX:XX:XX:4B|10:'


 Rx Bytes   Tx Bytes    YYYY/MM/DD  HH:MM:SS  MAC address        Host Name          IP address        Category                          Application              
 575        520         2018/11/19  10:00:36  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Web services                      HTTP                     
 62377      120912      2018/11/19  10:00:36  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Network protocols                 Google APIs(SSL)         
 565        351         2018/11/19  10:00:36  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Network protocols                 World Wide Web HTTP      
 152        152         2018/11/19  10:00:37  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Network protocols                 Network Time Protocol    
 776        7299        2018/11/19  10:00:37  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       VoIP services                     Skype                    
 32178      80194       2018/11/19  10:00:37  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Web services                      Google                   
 3884       39908       2018/11/19  10:00:37  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       File sharing services and tools   OneDrive                 
 2432       6780        2018/11/19  10:00:38  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Management tools and protocols    DNS                      
 18036      17199       2018/11/19  10:00:38  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       General                           General                  
 4550       4412        2018/11/19  10:00:39  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Social networks                   Facebook                 
 21290      58919       2018/11/19  10:00:39  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Network protocols                 HTTP Protocol over TLS SSL
 5161       12682       2018/11/19  10:00:39  58:XX:XX:XX:XX:4B  SGA5               10.88.8.157       Network protocols                 Microsoft(SSL)           
 ---------- ----------
 148.41 KB  341.14 KB
 ========== ==========

Individual destination IP addresses/protocols and ports are not logged to the database, only traffic volume by "Category" and "Application name".

As has been explained many times, how the TrendMicro closed-source engine truly identifies the correct bucket for the Rx/Tx statistics hasn't been disclosed.

Anyway, it will only take you 30 secs to copy'n'paste the Xbox logging rule and then tomorrow create a report to see precisely what activity occurs outbound from the Xbox.

Simples.
 
OK, I will do that.
I just have to issue the following rule on the console and then generate traffic, right?
Or do I need to put this rule in the FORWARD table at a certain point?

Code:
iptables -I FORWARD -i br0 -s Xbox1,Xbox2 -m state --state NEW -j LOG --log-prefix "Xbox " --log-tcp-sequence --log-tcp-options --log-ip-options
 
First you need to make sure that Xbox1 is PINGable by name, otherwise use its IP address...xxx.xxx.xxx.xxx

Then YES, simply copy'n'paste the commands into the SSH console - where the second command confirms if the rule was applied and also if there are any hits
Code:
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -m state --state NEW -j LOG --log-prefix "Xbox " --log-tcp-sequence --log-tcp-options --log-ip-options

# Show the chain header, the column header and the Xbox rule with its packet/byte counters
iptables --line -t filter -nvL FORWARD | grep -E "Chain|pkts|Xbox"

For testing it doesn't matter if the rule is inserted at the top of the FORWARD chain;)
 
I've done that test and found some IP addresses. All connections are using port 443 or 80.
I blocked the IP addresses, but then it tried over other IP addresses. Each time I blocked new addresses and the list got longer and longer (below).
However, I still could not block the traffic. I understand that Microsoft has many servers for this purpose, all using different networks.
This is not going to work.

Besides, this way I will maybe be blocking other access to the same servers (it may affect playing the game when I just want to block updates and downloads).

Can I do something like block all traffic from this host if its total traffic is higher than 50MB in the last 10 minutes?

Code:
destinations I've tried blocking :
 
I've checked the iptables quota feature for this purpose. But it seems that the required kernel module (ipt_quota) is not available in the Asuswrt kernel.

Can I do it using IP accounting?

- turn on IP accounting for a specific source (Xbox)
- read the accounting output every 10 minutes
- if it reaches the desired level (50MB):
  - delete the accounting rule and add a drop rule
  - add a cron job for 1 hour later to delete the drop rule and add the accounting (accept) rule
- if the desired level is not reached:
  - reset accounting

How can I achieve this?
 
I decided to use the following script and run it every minute.
It checks if the byte counter for incoming traffic has reached 5MB in the last minute.
If true, it will block outgoing traffic. If not, it will reset the counter.
And if the minute is 59, it resets the counter and removes the blocking rule.


crontab commands to make it run between 8:00 and 1:59
Code:
cru a XBOX2 "* 08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,00,01 * * *" /jffs/scripts/xboxacctblk 192.168.254.38 >/dev/null 2>/dev/null
cru a XBOX1 "* 08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,00,01 * * *" /jffs/scripts/xboxacctblk 192.168.254.37 >/dev/null 2>/dev/null

cru l
0 7 */7 * * service restart_letsencrypt #LetsEncrypt#
* 08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,00,01 * * * /jffs/scripts/xboxacctblk 192.168.254.38 #XBOX2#
* 08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,00,01 * * * /jffs/scripts/xboxacctblk 192.168.254.37 #XBOX1#

script itself:

Code:
#!/bin/sh
# Usage: xboxacctblk <xbox-ip>   (started by cron once a minute, see above)
ip=$1
min=$(date +%M)

# Is the accounting rule for this Xbox (ACCEPT, -d <ip> -o br0) already in FORWARD?
if ! iptables -nvxL FORWARD --line -t filter | grep -q "0.0.0.0/0            $ip"; then
 # Not yet: insert it at the top so it counts every byte delivered to the Xbox
 iptables -I FORWARD 1 -d "$ip" -o br0 -j ACCEPT
else
 # Bytes (3rd column with -x) counted since the rule was last re-inserted, i.e. during the last minute
 xa1=$(iptables -nvxL FORWARD --line -t filter | grep "0.0.0.0/0            $ip" | awk '{print $3}')
 if [ "$xa1" -gt 5000000 ]; then   # 5 MB, as described above (the counter is in bytes)
  # Remove any existing block rules for this Xbox (errors ignored when none exist) ...
  iptables -D FORWARD "$(iptables -nvL FORWARD --line -t filter | grep "ppp0    $ip" | awk '{print $1}')" 2>/dev/null
  iptables -D FORWARD "$(iptables -nvL FORWARD --line -t filter | grep "ppp1    $ip" | awk '{print $1}')" 2>/dev/null
  # ... then insert fresh DROP rules for both WAN interfaces just above the accounting rule
  n1=$(iptables -nvL FORWARD --line -t filter | grep "0.0.0.0/0            $ip" | awk '{print $1}')
  iptables -I FORWARD "$n1" -s "$ip" -i br0 -o ppp0 -j DROP
  iptables -I FORWARD "$n1" -s "$ip" -i br0 -o ppp1 -j DROP
 else
  # Under the limit: reset the counter by deleting and re-inserting the accounting rule
  n1=$(iptables -nvL FORWARD --line -t filter | grep "0.0.0.0/0            $ip" | awk '{print $1}')
  iptables -D FORWARD "$n1"
  iptables -I FORWARD "$n1" -d "$ip" -o br0 -j ACCEPT
 fi
fi

# Once an hour (minute 59) lift the block and reset the counter
if [ "$min" -eq 59 ]; then
  iptables -D FORWARD "$(iptables -nvL FORWARD --line -t filter | grep "ppp0    $ip" | awk '{print $1}')" 2>/dev/null
  iptables -D FORWARD "$(iptables -nvL FORWARD --line -t filter | grep "ppp1    $ip" | awk '{print $1}')" 2>/dev/null
  n1=$(iptables -nvL FORWARD --line -t filter | grep "0.0.0.0/0            $ip" | awk '{print $1}')
  iptables -D FORWARD "$n1"
  iptables -I FORWARD "$n1" -d "$ip" -o br0 -j ACCEPT
fi

Is this approach correct?
And do you see any issues with it?

thanks.

 
Not sure if your cron statements are the most efficient, but I personally would only use cron to start the script monitoring @08:00 and terminate it @02:00.

So once started (by cron) @08:00, the script is a loop with a 'sleep 60' seconds and will apply the block if the amount of data transferred exceeds your limit

Code:
#!/bin/sh

#***** NOTE: This script does not handle DUPLICATE rules                         *****
#
#       but is simple to follow/understand the implementation of your requirements ;)
#
iptables -N Xbox_IN                         # Split monitoring into Inbound (WAN -> Xbox, counted)
iptables -Z Xbox_IN

iptables -N Xbox_OUT                        # OutBound (Xbox -> WAN, where the block rules go)
iptables -Z Xbox_OUT

XBOX1_IP="192.168.254.37"
XBOX2_IP="192.168.254.38"

# Accounting rules with no target: they only count the bytes delivered to each Xbox
iptables -A Xbox_IN -d $XBOX1_IP -m comment --comment "Xbox1"
iptables -A Xbox_IN -d $XBOX2_IP -m comment --comment "Xbox2"

iptables -I FORWARD -i ppp+ -j Xbox_IN      # traffic arriving from the WAN
iptables -I FORWARD -i br0  -j Xbox_OUT     # traffic leaving the LAN

XBOX1=$(iptables --line -nvxL Xbox_IN | grep "Xbox1" | awk '{print $3}')
XBOX2=$(iptables --line -nvxL Xbox_IN | grep "Xbox2" | awk '{print $3}')

LIMIT=5000000       # Bytes

while true          # Check every 60 seconds to see if the Xboxs have exceeded their DOWNLOAD limit
    do
        sleep 60

        NOWXBOX1=$(iptables --line -nvxL Xbox_IN | grep "Xbox1" | awk '{print $3}')
        NOWXBOX2=$(iptables --line -nvxL Xbox_IN | grep "Xbox2" | awk '{print $3}')

        # Bytes downloaded during the last interval vs. the limit; if exceeded, drop everything the Xbox sends towards the WAN
        [ $(($NOWXBOX1-$XBOX1)) -gt $LIMIT ] && iptables -I Xbox_OUT -s $XBOX1_IP -i br0 -m comment --comment "Block Xbox1" -j DROP
        [ $(($NOWXBOX2-$XBOX2)) -gt $LIMIT ] && iptables -I Xbox_OUT -s $XBOX2_IP -i br0 -m comment --comment "Block Xbox2" -j DROP

        XBOX1=$NOWXBOX1
        XBOX2=$NOWXBOX2

    done

exit

So @02:00 using (cron) you would run a script

Code:
#!/bin/sh
XBOX1_IP="192.168.254.37"
XBOX2_IP="192.168.254.38"

# Remove the block rules (if present) so the Xboxs may download freely until 08:00
iptables -D Xbox_OUT -s $XBOX1_IP -i br0 -m comment --comment "Block Xbox1" -j DROP
iptables -D Xbox_OUT -s $XBOX2_IP -i br0 -m comment --comment "Block Xbox2" -j DROP

# Stop the monitoring loop started @08:00 ('ps' pads short PIDs with spaces, so use awk rather than cut)
kill -9 $(ps | grep -v grep | grep your_script_name | awk '{print $1}')

EDIT: Typo in blocking rules.
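As an added example (not the thread's own code), the counter-reading part of the 60-second loop above is written below as functions that run offline against captured `iptables --line -nvxL Xbox_IN` listings instead of live output, which makes the limit check testable; it also handles the case the loop above does not, a counter that was zeroed between two checks (firewall restart or `iptables -Z`). The listings, addresses and counters are constructed for the example.

```shell
#!/bin/sh
# Added example: per-Xbox download delta from two successive Xbox_IN listings.

# Constructed samples of `iptables --line -nvxL Xbox_IN` at two checks 60 s apart
# (addresses and counters are made up). Note the empty target column: with -x the
# byte counter is field 3, the comment is the last token.
LISTING_T0='Chain Xbox_IN (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1        1200    1500000            all  --  *      *       0.0.0.0/0            192.168.254.37       /* Xbox1 */
2         300     400000            all  --  *      *       0.0.0.0/0            192.168.254.38       /* Xbox2 */'
LISTING_T1='Chain Xbox_IN (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1        6100    7600000            all  --  *      *       0.0.0.0/0            192.168.254.37       /* Xbox1 */
2          20      30000            all  --  *      *       0.0.0.0/0            192.168.254.38       /* Xbox2 */'

LIMIT=5000000   # bytes per interval, as in the script above

# rule_bytes <comment> : byte counter of the accounting rule tagged "/* <comment> */",
# read from a listing on stdin. Matching the full comment token means "Xbox1" does
# not also match a future "Xbox10". Prints 0 when the rule is missing, e.g. after
# a firewall restart recreated the chain.
rule_bytes() {
    awk -v tag="/* $1 */" '
        index($0, tag) { print $3; found = 1 }
        END { if (!found) print 0 }
    '
}

# download_delta <prev> <now> : bytes moved since the previous check. A counter that
# went backwards was zeroed in between, so the whole current value counts as new
# traffic instead of yielding a negative delta that could never trip the limit.
download_delta() {
    if [ "$2" -lt "$1" ]; then echo "$2"; else echo $(( $2 - $1 )); fi
}

# over_limit <comment> <listing_before> <listing_after> : succeeds when the Xbox
# tagged <comment> downloaded more than LIMIT bytes between the two listings.
over_limit() {
    prev=$(printf '%s\n' "$2" | rule_bytes "$1")
    now=$(printf '%s\n' "$3" | rule_bytes "$1")
    [ "$(download_delta "$prev" "$now")" -gt "$LIMIT" ]
}

# Example run: Xbox1 pulled 6.1 MB in the interval; Xbox2's counter was reset.
for x in Xbox1 Xbox2; do
    if over_limit "$x" "$LISTING_T0" "$LISTING_T1"; then
        echo "$x: over limit, the loop would insert its DROP rule now"
    else
        echo "$x: under limit"
    fi
done
```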
 
