
add jail mac feature

Open ROBOT0-VT opened this issue 1 year ago • 0 comments

Discussed in https://github.com/mattlongman/Hassio-Access-Point/discussions/52

Originally posted by seancmalloy, July 23, 2023: Is there anyone out there who would help me add a simple feature to this add-on? I need to drop traffic from certain MAC addresses. This feature is required for localtuya so Tuya devices don't have internet access.

Here's what I got so far, still testing.

dockerfile -

apk add --no-cache bash jq iw hostapd networkmanager networkmanager-cli net-tools sudo dnsmasq iptables ipset && \

COPY jail.txt /

config.json -

options
"deny_mac_internet": [],

schema
"deny_mac_internet": ["str"],

run.sh -

JAIL=/jail.txt
# read the list from the add-on options (CONFIG_PATH), not from the jail file itself
DENY_MAC_INTERNET=$(jq --raw-output '.deny_mac_internet | join(" ")' "$CONFIG_PATH")

if [ ${#DENY_MAC_INTERNET} -ge 1 ]; then
    ipset create JAIL hash:mac
    for mac in $DENY_MAC_INTERNET; do
        echo "$mac" >> "$JAIL"      # one MAC per line
        ipset add JAIL "$mac"       # ipset add takes one entry at a time; -f is only for save/restore
    done
    # --match-set needs a direction flag; src matches the client MAC on the AP side
    iptables-nft -I FORWARD -i "$INTERFACE" -o eth0 -m set --match-set JAIL src -j DROP
fi

Any help is appreciated.

Update: it seems that ipset set type support is not in the kernel.

Plan B:

if [ ${#DENY_MAC_INTERNET} -ge 1 ]; then
    MACDENIED=($DENY_MAC_INTERNET)
    for maclist in "${MACDENIED[@]}"; do
        echo "$maclist" >> /jail.txt
        # no "!" here: the rule must match traffic from the denied MAC; "! --mac-source" drops everyone else instead
        iptables-nft -I FORWARD -i "$INTERFACE" -o eth0 -m mac --mac-source "$maclist" -j DROP
    done
fi

Update: I included nano in the add-on and confirmed that it's not writing MAC addresses to the file. Why? Anyone have any ideas?

Update: so I gave up on trying to do it like this, and just added an sh file with iptables rules that runs if a new option is selected in the config. It prevents Tuya devices from accessing the internet so I can just use localtuya. If anyone is interested...

dockerfile -

COPY jail.sh /
RUN chmod a+x /jail.sh

jail.sh -

# drop forwarded traffic from the listed MAC (six octets); without "!", otherwise everything except that MAC is dropped
iptables-nft -I FORWARD -i wlan1 -o eth0 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

config -

"options": {
"deny_mac_internet": 0,

"schema": {
"deny_mac_internet": "int",

run.sh -

DENY_MAC_INTERNET=$(jq --raw-output '.deny_mac_internet' "$CONFIG_PATH")

if [ "$DENY_MAC_INTERNET" -eq 1 ]; then
    sh /jail.sh
    sleep 5
fi

ROBOT0-VT, Mar 26 '24 19:03
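A working version of the list-based approach from the first draft (the `deny_mac_internet: ["str"]` option plus the per-MAC loop), as an added example that is not part of the post or of the Hassio-Access-Point add-on. It assumes `INTERFACE` is set as in the add-on's run.sh and that the uplink is eth0; `UPLINK`, `IPTABLES`, `MACJAIL`, `valid_mac`, `jail_rules` and `apply_jail` are this example's own names.

```shell
#!/usr/bin/env bash
# Added example, not the add-on's or the poster's code: one FORWARD DROP rule per
# denied MAC, read from the deny_mac_internet list in the add-on options JSON.
# INTERFACE is the add-on's own variable; UPLINK, IPTABLES and CHAIN are assumptions.
set -eu

CONFIG_PATH="${CONFIG_PATH:-/data/options.json}"
INTERFACE="${INTERFACE:-wlan1}"
UPLINK="${UPLINK:-eth0}"
IPTABLES="${IPTABLES:-iptables-nft}"   # set IPTABLES=echo for a dry run
CHAIN="MACJAIL"

# 0 if $1 is a six-octet colon-separated MAC, 1 otherwise (a five-octet value is rejected).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print one rule line per denied MAC; nothing is executed here, so the output can be
# checked. Invalid MACs are reported on stderr and skipped instead of aborting the run.
jail_rules() {
    for mac in "$@"; do
        if valid_mac "$mac"; then
            # No "!": match traffic FROM the denied MAC, not from everyone else.
            printf '%s\n' "-A $CHAIN -m mac --mac-source $mac -j DROP"
        else
            printf 'skipping invalid MAC: %s\n' "$mac" >&2
        fi
    done
}

# The dedicated chain is created once and flushed on every run, so restarting the
# add-on never stacks duplicate rules; the jump is inserted at position 1 of FORWARD
# so it is evaluated before any ACCEPT rule the add-on installs for internet sharing.
apply_jail() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -C FORWARD -i "$INTERFACE" -o "$UPLINK" -j "$CHAIN" 2>/dev/null \
        || "$IPTABLES" -I FORWARD 1 -i "$INTERFACE" -o "$UPLINK" -j "$CHAIN"
    jail_rules "$@" | while read -r rule; do
        "$IPTABLES" $rule   # unquoted on purpose: the rule string is the argument list
    done
}

# On the add-on itself: read the list from the options JSON and apply it.
if [ -r "$CONFIG_PATH" ] && command -v jq >/dev/null 2>&1; then
    DENY_MAC_INTERNET=$(jq --raw-output '.deny_mac_internet | join(" ")' "$CONFIG_PATH")
    [ -n "$DENY_MAC_INTERNET" ] && apply_jail $DENY_MAC_INTERNET
fi
```

Running it with `IPTABLES=echo` prints the rules it would install without touching the firewall, which is the quickest way to check the list before enabling it on the AP.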