Using the WPS button to unblock a connected MAC in openwrt

My openwrt router (a much-loved TP-Link WDR4300) has this WPS button. Let's put it to a use close to what it was intended for.

I have a guest network on my router. It is password protected (WPA2), bandwidth-limited, isolated from the internal network, all the yada-yadas. But I do not want people connected whose identity I don't know, so I thought of this simple use for the WPS button: allow the MAC address that connected most recently.

Create a text file containing YOUR MAC so you stay connected (especially if this is your only access!), plus some description (I put the creation date):

echo "00:aa:bb:cc:dd:ee $(date)" > /etc/iptables-macs

Put this in /etc/firewall.user so that, every time the firewall is reloaded, all MACs that are not in the text file are blocked:

# one ACCEPT rule per listed MAC; the rest of the line (the date) is ignored
while read mac date; do
  iptables -A forwarding_guest_rule -m mac --mac-source $mac -j ACCEPT
done < /etc/iptables-macs
# everything else forwarded from the guest zone is dropped
iptables -A forwarding_guest_rule -j DROP

In this case the chain is forwarding_guest_rule because "guest" is the name of my firewall zone (the one wlan0 belongs to), as you may have guessed. Look up the forwarding chain of your own zone; the firewall creates one per zone, named forwarding_<zone>_rule.

Create /etc/hotplug.d/button directory if it does not exist, and create a script called /etc/hotplug.d/button/buttons:

if [ "$BUTTON" = "wps" -a "$ACTION" = "pressed" ]; then
    # MACs of successful DHCP leases, most recent first (the sed reverses the lines).
    # Narrow to the guest interface with grep "DHCPACK(wlan0)" if the LAN shares this dnsmasq.
    macs=$(logread|grep "DHCPACK"|grep -o "[a-f0-9:]\{17\}"|sed '1!G;h;$!d')
    if [ -n "$macs" ]; then
        echo "$macs"|while read mac; do
            # skip MACs that are already allowed
            grep -q "$mac" /etc/iptables-macs && continue
            logger iptables: allowing MAC $mac
            # insert at the top, ahead of the DROP rule appended by /etc/firewall.user
            iptables -I forwarding_guest_rule -m mac --mac-source $mac -j ACCEPT
            echo "$mac $(date)" >> /etc/iptables-macs
            # one press allows only the latest unknown MAC
            break
        done
    else
        logger iptables: no MAC found
    fi
fi

Now, if you can read a little shell script, this is very simple. I append a rule that DROPs all forwarded connections coming from the guest zone (forwarding_guest_rule), and in front of it I allow only the MACs that are in the file. The button script works because the DHCP server (dnsmasq) logs the MAC address, as DHCPACK, after it has successfully handed out an IP address, so when the button is pressed the device is already associated and has its lease. Devices with static IPs never produce a DHCPACK and have to be put in the iptables-macs file by hand. Two things to keep in mind: grep "DHCPACK" matches leases on every interface dnsmasq serves, so if your LAN uses the same dnsmasq a wired client renewing its lease can be the "latest" MAC (dnsmasq logs the interface in the line, e.g. DHCPACK(wlan0), so you can narrow the grep to it); and this is an allow list of MAC addresses, not authentication, since a MAC is trivial to change, so the WPA2 password stays the real gate and the list only decides which of the connected clients may forward traffic.
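To see the selection logic on its own, here is an added example that is not the post's script: it runs the same DHCPACK parsing over a few constructed logread lines, limited to one interface, picks the most recent MAC that is not yet in the allow-list file, and prints the iptables command the hook would run instead of executing it. The log lines, interface names, MACs and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not the original post's hotplug script. iptables is never
# called here; the rule that would be inserted is only printed.

# Constructed sample of dnsmasq lines as they appear in `logread`.
# wlan0 is the guest interface, br-lan the wired LAN; MACs are invented.
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0) 192.168.2.50 00:aa:bb:cc:dd:ee laptop
Mon Jan  1 10:02:30 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.1.20 de:ad:be:ef:00:01 desktop
Mon Jan  1 10:05:12 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0) 192.168.2.100 11:22:33:44:55:66 phone
Mon Jan  1 10:07:40 2024 daemon.info dnsmasq-dhcp[1234]: DHCPREQUEST(wlan0) 192.168.2.101 aa:bb:cc:dd:ee:ff
Mon Jan  1 10:07:41 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0) 192.168.2.101 aa:bb:cc:dd:ee:ff tablet
Mon Jan  1 10:09:00 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(wlan0) 192.168.2.50 00:aa:bb:cc:dd:ee laptop'

# guest_macs_newest_first IFACE LOGTEXT
# Prints the MAC of every DHCPACK on IFACE, most recent first. The sed
# one-liner reverses the lines (same trick as the hook); awk then keeps only
# the first, i.e. newest, occurrence of each MAC.
guest_macs_newest_first() {
    printf '%s\n' "$2" \
        | grep "DHCPACK($1)" \
        | grep -o '[a-f0-9:]\{17\}' \
        | sed '1!G;h;$!d' \
        | awk '!seen[$0]++'
}

# newest_unlisted_mac IFACE LOGTEXT ALLOWFILE
# Prints the most recent DHCPACK'd MAC on IFACE that is not already listed in
# ALLOWFILE, which uses the "MAC date" line format of /etc/iptables-macs.
newest_unlisted_mac() {
    guest_macs_newest_first "$1" "$2" | while read -r mac; do
        grep -q "^$mac " "$3" && continue
        printf '%s\n' "$mac"
        break
    done
}

# press_wps IFACE LOGTEXT ALLOWFILE CHAIN
# Dry run of a button press: records the chosen MAC in ALLOWFILE and prints
# the iptables command the real hook would execute (inserted at the top of
# CHAIN so it lands ahead of the final DROP).
press_wps() {
    mac=$(newest_unlisted_mac "$1" "$2" "$3")
    if [ -z "$mac" ]; then
        echo "no new MAC found"
        return 1
    fi
    echo "$mac $(date)" >> "$3"
    echo "iptables -I $4 -m mac --mac-source $mac -j ACCEPT"
}
```

With the sample above and an allow file that already contains 00:aa:bb:cc:dd:ee, the first press picks aa:bb:cc:dd:ee:ff (the tablet, the newest unlisted lease on wlan0), the second press picks 11:22:33:44:55:66, and the wired desktop on br-lan is never considered.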

Hope it can save you some time writing your own scripts.

