quota and mac addresses

Report issues relating to bandwidth monitoring, bandwidth quotas or QoS in this forum.

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: quota and mac addresses

Post by ispyisail »

or just wait for my mirror to come online

http://www.gargoyle-router.com/phpbb/vi ... =14&t=8267

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: quota and mac addresses

Post by ispyisail »

Typical

10 people have downloaded but there are only 4 seeds (2 are mine)

I don't mind sharing my bandwidth for the cause but I get a little grumpy when it's still not good enough..........

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: quota and mac addresses

Post by ispyisail »

Does the new firmware work as expected?

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

(gargoyle-ispy 2016-January-24 01:04) enforce_dhcp_assignments still not working

/www$ uci show firewall.@defaults[0]
firewall.cfg02e63d=defaults
firewall.cfg02e63d.syn_flood='1'
firewall.cfg02e63d.input='ACCEPT'
firewall.cfg02e63d.output='ACCEPT'
firewall.cfg02e63d.forward='REJECT'
firewall.cfg02e63d.block_static_ip_mismatches='1'
firewall.cfg02e63d.enforce_dhcp_assignments='1'


I want to block all MACs that do not exist in the (DHCP Leases) list. How can I do this?
TP-LINK WR841N. V8.4 | Gargoyle 1.9 | South Yemen

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Tareq wrote: (gargoyle-ispy 2016-January-24 01:04) enforce_dhcp_assignments still not working

/www$ uci show firewall.@defaults[0]
firewall.cfg02e63d=defaults
firewall.cfg02e63d.syn_flood='1'
firewall.cfg02e63d.input='ACCEPT'
firewall.cfg02e63d.output='ACCEPT'
firewall.cfg02e63d.forward='REJECT'
firewall.cfg02e63d.block_static_ip_mismatches='1'
firewall.cfg02e63d.enforce_dhcp_assignments='1'

Thank you for testing

block_static_ip_mismatches is now redundant. Doesn't really matter, but you can delete it with

Code:

uci del firewall.@defaults[0].block_static_ip_mismatches

Please post the output of

Code:

iptables -t filter -L lease_mismatch_check

Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

iptables -t filter -L lease_mismatch_check

Code:

/etc$ iptables -t filter -L lease_mismatch_check
Chain lease_mismatch_check (1 references)
target     prot opt source               destination         
REJECT     all  -- !Bab_Lab              anywhere             MAC 00:~:31 reject-with icmp-port-unreachable
REJECT     all  -- !Rep_2taha            anywhere             MAC 00:~:11 reject-with icmp-port-unreachable
REJECT     all  -- !taha_mob2            anywhere             MAC 04:~:03 reject-with icmp-port-unreachable
REJECT     all  -- !Taha_rep             anywhere             MAC 06:~:11 reject-with icmp-port-unreachable
REJECT     all  -- !talal_Ext            anywhere             MAC 10:~:FD reject-with icmp-port-unreachable
REJECT     all  -- !Trq_Ext              anywhere             MAC 10:~:D1 reject-with icmp-port-unreachable
REJECT     all  -- !Sl_pc                anywhere             MAC 1C:~:75 reject-with icmp-port-unreachable
REJECT     all  -- !Dllf                 anywhere             MAC 2C:~:84:CF reject-with icmp-port-unreachable
REJECT     all  -- !GML                  anywhere             MAC 38:~:B2 reject-with icmp-port-unreachable
REJECT     all  -- !Moh                  anywhere             MAC 48:~:DB reject-with icmp-port-unreachable
REJECT     all  -- !Slw_taha             anywhere             MAC 50:~:34 reject-with icmp-port-unreachable
REJECT     all  -- !Talal                anywhere             MAC 60:~:CF reject-with icmp-port-unreachable
REJECT     all  -- !TRQ                  anywhere             MAC 68:~:37 reject-with icmp-port-unreachable
REJECT     all  -- !Sadam                anywhere             MAC 6C:~:A2 reject-with icmp-port-unreachable
REJECT     all  -- !Taha_pc              anywhere             MAC 70:~:5F reject-with icmp-port-unreachable
REJECT     all  -- !Taha_mob             anywhere             MAC 80:~:AA reject-with icmp-port-unreachable
REJECT     all  -- !FTN                  anywhere             MAC 90:~:B1 reject-with icmp-port-unreachable
REJECT     all  -- !Ebrahim              anywhere             MAC 94:~:05 reject-with icmp-port-unreachable
REJECT     all  -- !shop_modem           anywhere             MAC B0:~:D9 reject-with icmp-port-unreachable
REJECT     all  -- !Mm_Mob               anywhere             MAC B0:~:59 reject-with icmp-port-unreachable
REJECT     all  -- !Bb_Mob               anywhere             MAC B4:~:3E reject-with icmp-port-unreachable
REJECT     all  -- !Mm_Lab               anywhere             MAC CC:~:A9 reject-with icmp-port-unreachable
REJECT     all  -- !Dn                   anywhere             MAC F0:~:F0 reject-with icmp-port-unreachable

I hid my MACs, as a precaution on the forum. :?
TP-LINK WR841N. V8.4 | Gargoyle 1.9 | South Yemen

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Yep @Tareq - thank you - I think that I understand what is going on with this now.

The current iptables rules block a known MAC address that is using a different IP address. We need to add the complement that blocks an assigned IP address from a different (unknown) MAC address. Easy fix.

Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

nworbnhoj wrote: Yep @Tareq - thank you - I think that I understand what is going on with this now.

The current iptables rules block a known MAC address that is using a different IP address. We need to add the complement that blocks an assigned IP address from a different (unknown) MAC address. Easy fix.

Yes, that's what I talked about from the beginning :cry: :cry: :cry:



Enforce_dhcp_assignments is working if:

if a device MAC address exists in the (Assigned Static IP Addresses) list and is trying to assign from another MAC, Gargoyle blocks it fine.

I think it needs an added option: block any device MAC address that does not exist in the (Assigned Static IP Addresses) list. It works fine. ;)
TP-LINK WR841N. V8.4 | Gargoyle 1.9 | South Yemen

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Tareq wrote: Yes, that's what I talked about from the beginning :cry: :cry: :cry:

Yes - I got it half backwards. I thought that the original code was only doing half the job - turns out it was only doing a quarter of the job ;-)
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Hey @Tareq, user @roadhawk has just identified a typo of mine that might finally fix your issue.

Try making the following correction to gargoyle_firewall_util.sh

Code:

for p in $pairs ; do
	local mac
	local ip
	mac=$(echo $p | sed 's/\^.*$//g')
	ip=$(echo $p | sed 's/^.*\^//g')
	if [ -n "$ip" ] && [ -n "$mac" ] ; then
		iptables -t filter -A lease_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
		iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac --mac-source ! "$mac"  -j REJECT
	fi
done

Note the position of the ! in the 8th line.
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E
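
What the two rules in the corrected loop accept and reject, as an added example that is not part of the original thread or of Gargoyle's own code: it evaluates the same MAC^IP pairs in plain shell, without touching iptables, for the four MAC/IP combinations a client can present. The lease pairs, the unlisted MAC and the helper names lease_verdict and coverage_report are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample leases in the MAC^IP form the loop above splits with sed.
PAIRS="00:11:22:33:44:55^192.168.1.10
66:77:88:99:AA:BB^192.168.1.11"

# lease_verdict MAC IP [one_rule]  (hypothetical helper, not part of Gargoyle)
# Evaluates the pairs in chain order and prints the first verdict:
#   REJECT-rule1  listed MAC sending from an IP other than its assigned one
#   REJECT-rule2  assigned IP arriving from a MAC other than its owner
#   RETURN        nothing matched; the rest of the firewall decides
# "one_rule" models the chain as listed earlier in the thread (first rule only).
lease_verdict() {
	src_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # compare MACs case-insensitively
	src_ip=$2
	mode=${3:-both}
	for p in $PAIRS ; do
		mac=$(echo "$p" | sed 's/\^.*$//g' | tr 'A-F' 'a-f')
		ip=$(echo "$p" | sed 's/^.*\^//g')
		[ -n "$ip" ] && [ -n "$mac" ] || continue
		# rule 1: source is not $ip, source MAC is $mac
		if [ "$src_ip" != "$ip" ] && [ "$src_mac" = "$mac" ] ; then
			echo "REJECT-rule1" ; return 0
		fi
		# rule 2: source is $ip, source MAC is not $mac
		if [ "$mode" = "both" ] && [ "$src_ip" = "$ip" ] && [ "$src_mac" != "$mac" ] ; then
			echo "REJECT-rule2" ; return 0
		fi
	done
	echo "RETURN"
}

# coverage_report: the four MAC/IP combinations a LAN client can present.
coverage_report() {
	unknown="DE:AD:BE:EF:00:01"   # constructed MAC that is in no lease
	echo "listed MAC, own IP          both=$(lease_verdict 00:11:22:33:44:55 192.168.1.10)"
	echo "listed MAC, other IP        both=$(lease_verdict 00:11:22:33:44:55 192.168.1.99)"
	echo "unlisted MAC, assigned IP   one=$(lease_verdict $unknown 192.168.1.10 one_rule) both=$(lease_verdict $unknown 192.168.1.10)"
	echo "unlisted MAC, unassigned IP both=$(lease_verdict $unknown 192.168.1.50)"
}

coverage_report
```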
