Time based rule to not allow LAN access to a device

JohnD5000

Senior Member
My son is watching movies on his tablet. The movies are located on a hard drive attached to the router. I do not want him to have the ability to watch anything after 10 pm at night through 8 am in the morning. Is there any way to put in a rule that the device does not have access to the LAN (it is connected wirelessly) between those hours?

Note, I know the mac address of the device and the device has a Manually Assigned IP address in the DHCP.

Thank you
 

eibgrad

Part of the Furniture
Add appropriate firewall rules w/ the firewall-start script.

Code:
iptables -I INPUT -i br0 -s 192.168.1.100 -p tcp -m multiport --dports 139,445 -m time --timestart 22:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
iptables -I INPUT -i br0 -s 192.168.1.100 -p tcp -m multiport --dports 139,445 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT

I'm assuming the access protocol is SMB (ports 139 & 445).
 

JohnD5000

Senior Member
Add appropriate firewall rules w/ the firewall-start script.

Code:
iptables -I INPUT -i br0 -s 192.168.1.100 -p tcp -m multiport --dports 139,445 -m time --timestart 22:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
iptables -I INPUT -i br0 -s 192.168.1.100 -p tcp -m multiport --dports 139,445 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT

I'm assuming the access protocol is SMB (ports 139 & 445).


Thanks,

I'm not sure about SMB (ports 139 & 445), I set this up under:

USB Applications/Services Center
-Media Server -- enable UPnP Media Server = (ON)
and
-Network Place (Samba) -- Enable Share = (ON)
 

eibgrad

Part of the Furniture
Samba *is* SMB (SaMBa). Just start an ssh session and copy/paste the rules into the terminal window, and see if it works. If it does, you can then commit the rules to the firewall-start script.
 

eibgrad

Part of the Furniture
P.S. Looks like the Media Server is using minidlna, which uses port 8200. So you could add that to the list of ports in the rules as well.
 

JohnD5000

Senior Member
Samba *is* SMB (SaMBa). Just start an ssh session and copy/paste the rules into the terminal window, and see if it works. If it does, you can then commit the rules to the firewall-start script.


Thanks, I entered them. Is there any place to see if they are in there? Nothing shows on any of the Firewall screens in the GUI.

Is the only way to test it to just go to the device and try it throughout the day?
 

eibgrad

Part of the Furniture
You can dump the FORWARD chain of the filter table to see the rules (they'll be at the top). And if they are being activated, they will show a >0 pkts count.

Code:
iptables -vnL INPUT

Anything done from the command line will NOT show in the GUI. That's just the way it works.

And yes, like any change, whether via the GUI or scripting, the proof of the pudding is in the eating.
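A way to read that dump without eyeballing it, as an added example (not from the thread or any poster): the functions below parse `iptables -vnL INPUT` output, report the packet counter of each time-limited REJECT rule (a count above 0 means it has matched traffic), and check that the rules sit above the RELATED,ESTABLISHED ACCEPT rule, which is where `-I` puts them. Rules appended with `-A` would land below the ACCEPT rules for br0 and never see a packet. The two listings inside the script are constructed from the shape of the output posted later in the thread; the script name `night-check.sh` and the argument word `check` are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code): inspect `iptables -vnL INPUT` output
# for the overnight REJECT rules. Sample listings are constructed.

# One line per time-limited REJECT rule: "<pkts> <source> <start>-<stop>"
report_time_rules() {           # reads `iptables -vnL INPUT` output on stdin
    awk '$3 == "REJECT" && /TIME from/ {
        for (i = 1; i <= NF; i++) if ($i == "from") win = $(i + 1) "-" $(i + 3)
        print $1, $8, win
    }'
}

# Exit 0 if at least one time-limited REJECT rule has counted packets.
rules_have_matched() {
    awk '$3 == "REJECT" && /TIME from/ && $1 > 0 { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Exit 0 if the first time-limited REJECT rule comes before the
# RELATED,ESTABLISHED ACCEPT rule (inserted with -I, not appended with -A).
rules_ordered_ok() {
    awk '$3 == "REJECT" && /TIME from/ && !first { first = NR }
         /RELATED,ESTABLISHED/ && !est { est = NR }
         END { exit ((first && (!est || first < est)) ? 0 : 1) }'
}

# Constructed listing in the shape of the thread's post-reboot output,
# with one rule given a non-zero counter to show a match.
sample_inserted() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 00:00:00 to 08:00:00 reject-with icmp-port-unreachable
   17  1360 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
95610  138M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  442 52563 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
EOF
}

# Constructed listing of what `-A` would produce: the REJECT rule is last.
sample_appended() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
95610  138M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  442 52563 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
EOF
}

# On the router: sh night-check.sh check
case "${1:-}" in
    check)
        iptables -vnL INPUT | report_time_rules
        if iptables -vnL INPUT | rules_ordered_ok; then
            echo "ordering ok: REJECT rules sit above the ESTABLISHED accept"
        else
            echo "rules missing or placed below the ESTABLISHED accept"
        fi
        ;;
esac
```

A zero counter outside the blocked hours is expected; the useful check is that the counter climbs once the tablet tries the share after 22:00.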
 

JohnD5000

Senior Member
OK, I don't think it worked

Code:
[email protected]:/tmp/home/root# iptables -I INPUT -i br0 -s 192.168.81.180 -p tcp -m multiport --dports 139,445,8200 -m time --timestart 22:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
[email protected]:/tmp/home/root# iptables -I INPUT -i br0 -s 192.168.81.180 -p tcp -m multiport --dports 139,445,8200 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
[email protected]:/tmp/home/root#
[email protected]:/tmp/home/root#
[email protected]:/tmp/home/root#
[email protected]:/tmp/home/root# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  195 14028 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.81.211-192.168.81.214
12173 4284K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
  116  5683 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  634 48095 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  634 48095 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DNSFILTER_DOT  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
[email protected]7F8:/tmp/home/root#
 

JohnD5000

Senior Member
Sorry, I had it wrong. It's the INPUT chain.

Code:
iptables -vnL INPUT
Thanks,

Not sure what I'm looking at, does this look OK?

Code:
[email protected]:/tmp/home/root# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 00:00:00 to 08:00:00 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445 TIME from 00:00:00 to 08:00:00 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51194
   40  2800 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 331K  465M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  409 27499 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 4552 1040K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0           
 4901  776K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
 4901  776K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 4026  714K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
  526  326K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   12  4002 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.81.1         ctstate DNAT tcp dpt:8443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
  513  322K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
[email protected]:/tmp/home/root#
 

eibgrad

Part of the Furniture
Yeah, you messed up a bit. You have rules w/ 139,445 and rules w/ 139,445,8200.

You could execute the following to clean things up, or just reboot and try again.

Code:
iptables -D INPUT 3; iptables -D INPUT 3; iptables -D INPUT 3
 

JohnD5000

Senior Member
I'm not competing in the uptime contest...I did the reboot.

How's this look?

Thanks

Code:
ASUSWRT-Merlin RT-AC86U 386.5_0 Wed Mar  2 16:37:00 UTC 2022
[email protected]:/tmp/home/root#
[email protected]:/tmp/home/root#
[email protected]:/tmp/home/root# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 00:00:00 to 08:00:00 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    *       192.168.81.180       0.0.0.0/0            multiport dports 139,445,8200 TIME from 22:00:00 to 00:00:00 reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51194
    0     0 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
95610  138M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   93  5459 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  353 50587 PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0           
  442 52563 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
  442 52563 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  296 44287 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
   57  6300 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.81.1         ctstate DNAT tcp dpt:8443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   56  5972 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
[email protected]:/tmp/home/root#
 

eibgrad

Part of the Furniture
Just realize this is NOT currently persistent. You need to make it part of a firewall-start script to make it persistent. But it's good enough now to just test it.
 

JohnD5000

Senior Member
I put it in the firewall-start script before the reboot, so that's what the above was from. Therefore, I think I should be good to go.
 

JohnD5000

Senior Member
Anything done from the command line will NOT show in the GUI. That's just the way it works.

Just wondering if you know if one of the AMTM addons (or maybe a non-AMTM addon) allows you to see these firewall rules added by the command line?
 

eibgrad

Part of the Furniture
Just wondering if you know if one of the AMTM addons (or maybe a non-AMTM addon) allows you to see these firewall rules added by the command line?

If by seeing them you mean in the GUI, No. The GUI doesn't offer a means to examine the firewall except for those features it directly manages (e.g., Network Services Filter). That's why it's preferable to NOT use the command line unless you have no other choice. And that was the case here. The best you can do is use a command line tool like SSH to dump the firewall, as I showed you.

That said, if some script writer comes along and adds a GUI feature for creating and managing firewall rules for purposes NOT currently available, that's a different story. Sometimes script writers make it a point to integrate their scripts into the GUI to satisfy this type of need (e.g., YazFi). But that requires a LOT of effort, and is only feasible when you have a well-defined feature requirement that will benefit a large number of users.

For one-off situations like yours, you just have to live w/ the fact the GUI doesn't make these changes visually evident.
 

JohnD5000

Senior Member
What would be the best way to stack 4 addresses (say 192.168.81.180, 192.168.81.185, 192.168.81.192, 192.168.81.200)?

Would I just create the 2 lines 4 times (with the addresses), or is there a way to combine the addresses in the 2 lines?


iptables -I INPUT -i br0 -s 192.168.81.180 -p tcp -m multiport --dports 139,445,8200 -m time --timestart 22:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
iptables -I INPUT -i br0 -s 192.168.81.180 -p tcp -m multiport --dports 139,445,8200 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
 

dave14305

Part of the Furniture
Use an ipset.
Bash:
ipset -! -q create sonsdevs hash:ip
ipset -! -q add sonsdevs 192.168.81.180
ipset -! -q add sonsdevs 192.168.81.185
ipset -! -q add sonsdevs 192.168.81.192
ipset -! -q add sonsdevs 192.168.81.200

iptables -I INPUT -i br0 -m set --match-set sonsdevs src -p tcp -m multiport --dports 139,445,8200 -m time --timestart 22:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
iptables -I INPUT -i br0 -m set --match-set sonsdevs src -p tcp -m multiport --dports 139,445,8200 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j REJECT
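The thread ends with four separate pieces: the two overnight REJECT rules, the cleanup of duplicate rules left by re-running `-I`, persistence through firewall-start, and the ipset for several clients. The script below, an added example and not any poster's code, combines them into one file that can be re-run safely. Assumptions, all constructed for the example: the set name `sonsdevs`, the four client addresses, the port list, the script path `/jffs/scripts/night-block.sh` and the argument words `apply` and `dry-run`. The `--weekdays` list is left out because the time match already applies every day without it.

```shell
#!/bin/sh
# Added example (not from the thread): install the overnight REJECT rules for
# a set of LAN clients via an ipset, in a way that can be re-run without
# leaving duplicate rules behind. All names and addresses are constructed.

SET_NAME="sonsdevs"
CLIENTS="192.168.81.180 192.168.81.185 192.168.81.192 192.168.81.200"
PORTS="139,445,8200"          # SMB (139,445) and minidlna (8200)
BLOCK_START="22:00"
BLOCK_STOP="08:00"

# Rule specification (everything after the -I/-C/-D verb) for one time window,
# so the same string serves check, delete and insert. --kerneltz evaluates the
# window in the router's local time zone rather than UTC.
rule_spec() {  # $1 = start HH:MM, $2 = stop HH:MM
    printf '%s\n' "INPUT -i br0 -m set --match-set $SET_NAME src -p tcp -m multiport --dports $PORTS -m time --timestart $1 --timestop $2 --kerneltz -j REJECT"
}

# The overnight window split at midnight, as in the thread.
window_specs() {
    rule_spec "$BLOCK_START" "00:00"
    rule_spec "00:00" "$BLOCK_STOP"
}

# ipset commands. The set is flushed before the adds so a client removed from
# CLIENTS also drops out of the set on the next run. The set must exist before
# any rule referencing it is inserted, which is why these run first.
set_commands() {
    printf '%s\n' "ipset -! -q create $SET_NAME hash:ip"
    printf '%s\n' "ipset -! -q flush $SET_NAME"
    for ip in $CLIENTS; do
        printf '%s\n' "ipset -! -q add $SET_NAME $ip"
    done
}

# Delete every existing copy of each rule (repeating -I by hand produced
# duplicates in the thread), then insert one fresh copy at the top of INPUT,
# ahead of the RELATED,ESTABLISHED ACCEPT rule.
install_rules() {
    set_commands | while read -r cmd; do $cmd; done
    window_specs | while read -r spec; do
        while iptables -C $spec 2>/dev/null; do
            iptables -D $spec
        done
        iptables -I $spec
    done
}

# Print the commands that install_rules would run, without running them.
dry_run() {
    set_commands
    window_specs | sed 's/^/iptables -I /'
}

# firewall-start calls this as: sh /jffs/scripts/night-block.sh apply
case "${1:-}" in
    apply)   install_rules ;;
    dry-run) dry_run ;;
esac
```

Because the rules are inserted at the top of INPUT, a session the tablet opened before 22:00 is cut off at 22:00 as well: its packets reach the REJECT before the RELATED,ESTABLISHED ACCEPT. The match keys on source address, so it holds only while the client keeps its DHCP-reserved IP; a client that configures its own address, or a share reached over a protocol other than SMB or DLNA, falls outside it. iptables' `-m mac --mac-source` match is the usual way to key on the hardware address instead, at the cost of one rule per device.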
 
