Restricting MAC addresses to specific hours

[drdr6]

Any ideas on how to restrict particular clients (by MAC address ideally) to specific service hours ?

dnsmasq doesn't seem to be able to do it; only other ideas seem to be using cron to load different iptables which seems a bit unwieldy and potentially difficult to test (i.e. get it wrong => brick the box)

thoughts anyone ?

[Gordon]

Actually, DNSmasq can be configured to assign static IPs to specific MAC addresses. By carefully selecting those addresses you can create subranges for iptables to check and use cron to add a rule that drops traffic from these clients within certain times:

Example:

Code: Select all

# Create user table DayTimeRestricted
iptables -N DayTimeRestricted
# Subject every address in 192.168.1.32-63 to rules in user table DayTimeRestricted
iptables -A -i eth1 -s 192.168.1.32/20 -j DayTimeRestricted

Deny access:

Code: Select all

# Add a REJECT rule to user table DayTimeRestricted
iptables -A DayTimeRestricted -j REJECT

Enable access

Code: Select all

# Flush all rules in user table DayTimeRestricted
# (in case Deny access was run more than once)
iptables -F DayTimeRestricted

Obviously this will not block any user that assigns a static address outside of this range, but luckily understanding networking still seems to be somewhat of a black spot to all those wonderkids doing stuff with PCs that make you feel dizzy in the head.

[DanielM]

Are we talking wired or wireless access here? I once wrote this guide in the wiki for configuring hostapd in B3 with MAC filtering: http://wiki.excito.org/wiki/index.php/M ... ss_network

And then you can simply add cron jobs for replacing /etc/hostapd/accept with different versions of the file depending on time of the day.

/Daniel