how to drop all connection of specific client?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

chchia

Occasional Visitor
i have my AX3000 to setup with custom script running with crontab to:

1. nvram set dnsfilter_rulelist for specific client to use opendns home at specific time.
(i need to block my son from game, i only allow them to game at certain time everyday)

2. nvram set nvram set url_rulelist to block some webgame site that not recorded by opendns home.

3. the script then run:
nvram commit
killall -1 dnsmasq
service restart_firewall

however i notice that, some time they can still connected to the game after that allowed time, is there any command that i can use to reset all connection for specific client so he will not able to game again after the allowed time?
 

eibgrad

Very Senior Member
IMO, this is the wrong approach. You're assuming that blocking based on DNS is sufficient (what if the domain name has been cached locally by the client?). You're also assuming *how* DNS filtering is implemented, and that you can simply manipulate nvram variables and restart certain processes. Maybe, maybe not.

The better approach is to create a firewall-start script that handles all of this directly, irrespective of anything else the system is doing.

Bash:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -d somegamingwebsite.com -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -d somegamingwebsite.com -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

In the above example, I created two rules because any one rule can NOT cross the 12:00 midnight border. If the time you need to cover doesn't cross midnight, one rule will suffice.

Make sure JFFS and JFFS scripts are enabled under Administration->System. Then using the shell (ssh), copy/paste the following script into the window. It will automatically create and install the necessary firewall-start script. After a reboot, the firewall will now *permanently* contain rules to prevent access to the specified domain by the specified device (based on its MAC address) and during the specified days and local time.

Note, if it finds an existing firewall-start script, it will NOT overwrite it. You'll instead have to add the rule(s) manually to the existing firewall-start script.
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top