how to drop all connection of specific client?

[chchia]

i have my AX3000 to setup with custom script running with crontab to:

1. nvram set dnsfilter_rulelist for specific client to use opendns home at specific time.
(i need to block my son from game, i only allow them to game at certain time everyday)

2. nvram set nvram set url_rulelist to block some webgame site that not recorded by opendns home.

3. the script then run:
nvram commit
killall -1 dnsmasq
service restart_firewall

however i notice that, some time they can still connected to the game after that allowed time, is there any command that i can use to reset all connection for specific client so he will not able to game again after the allowed time?

 

[eibgrad]

IMO, this is the wrong approach. You're assuming that blocking based on DNS is sufficient (what if the domain name has been cached locally by the client?). You're also assuming *how* DNS filtering is implemented, and that you can simply manipulate nvram variables and restart certain processes. Maybe, maybe not.

The better approach is to create a firewall-start script that handles all of this directly, irrespective of anything else the system is doing.

#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -d somegamingwebsite.com -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -d somegamingwebsite.com -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

In the above example, I created two rules because any one rule can NOT cross the 12:00 midnight border. If the time you need to cover doesn't cross midnight, one rule will suffice.

Make sure JFFS and JFFS scripts are enabled under Administration->System. Then using the shell (ssh), copy/paste the following script into the window. It will automatically create and install the necessary firewall-start script. After a reboot, the firewall will now *permanently* contain rules to prevent access to the specified domain by the specified device (based on its MAC address) and during the specified days and local time.

Note, if it finds an existing firewall-start script, it will NOT overwrite it. You'll instead have to add the rule(s) manually to the existing firewall-start script.