mattlongman / Hassio-Access-Point

Hass.io addon to let you create a WiFi access point, perfect for using WiFi devices on off-grid installations.
MIT License

add jail mac feature #72

Open ROBOT0-VT opened 6 months ago

ROBOT0-VT commented 6 months ago

Discussed in https://github.com/mattlongman/Hassio-Access-Point/discussions/52

Originally posted by **seancmalloy** July 23, 2023

Is there anyone out there who would help me add a simple feature to this add-on? I need to drop traffic from certain MAC addresses. This feature is required for localtuya so Tuya devices don't have internet access. Here's what I've got so far, still testing.

Dockerfile:

```dockerfile
RUN apk add --no-cache bash jq iw hostapd networkmanager networkmanager-cli net-tools sudo dnsmasq iptables ipset
# COPY is its own instruction; it cannot be chained onto RUN with "&& \"
COPY jail.txt /
```

config.json:

```json
"options": { "deny_mac_internet": [] },
"schema":  { "deny_mac_internet": ["str"] },
```

run.sh:

```sh
JAIL=/jail.txt
# Read the list from the add-on options file; reading it from $JAIL (the output file) yields nothing.
DENY_MAC_INTERNET=$(jq --raw-output '.deny_mac_internet | join(" ")' "$CONFIG_PATH")
if [ ${#DENY_MAC_INTERNET} -ge 1 ]; then
    ipset create JAIL hash:mac
    # ipset add takes one entry at a time; "-f file" is only valid for ipset restore.
    for mac in $DENY_MAC_INTERNET; do
        echo "$mac" >> "$JAIL"
        ipset add JAIL "$mac"
    done
    iptables-nft -A FORWARD -i "$INTERFACE" -m set --match-set JAIL src -o eth0 -j DROP
fi
```

Any help is appreciated.

Update: it seems that ipset set type support is not in the kernel. Plan B:

```sh
if [ ${#DENY_MAC_INTERNET} -ge 1 ]; then
    MACDENIED=($DENY_MAC_INTERNET)
    for maclist in "${MACDENIED[@]}"; do
        echo "$maclist" >> /jail.txt
        # Match the client's source MAC directly; a "!" here would invert the match
        # and drop every client except the listed one.
        iptables-nft -A FORWARD -i "$INTERFACE" -m mac --mac-source "$maclist" -o eth0 -j DROP
    done
fi
```

Update: I included nano in the add-on and confirmed that it's not writing MAC addresses to the file. Why? Anyone have any ideas?

Update: so I gave up on trying to do it like this and just added an sh file with iptables rules that runs if a new option is selected in the config. It prevents Tuya devices from accessing the internet so I can just use localtuya. If anyone is interested...

Dockerfile:

```dockerfile
COPY jail.sh /
RUN chmod a+x /jail.sh
```

jail.sh:

```sh
# Replace the placeholder with the full 6-octet MAC of the device to block.
iptables-nft -A FORWARD -i wlan1 -m mac --mac-source xx:xx:xx:xx:xx:xx -o eth0 -j DROP
```

config:

```json
"options": { "deny_mac_internet": "0" },
"schema":  { "deny_mac_internet": "int" },
```

run.sh:

```sh
DENY_MAC_INTERNET=$(jq --raw-output ".deny_mac_internet" "$CONFIG_PATH")
if [ "$DENY_MAC_INTERNET" -eq 1 ]; then
    sh /jail.sh
    sleep 5
fi
```
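A more robust version of the MAC-jail logic discussed above, as an added example (not code from the add-on or the discussion). It assumes the MAC list arrives as whitespace-separated text (the output of the `jq ... join(" ")` step in the post), validates each entry, and keeps the rules in a dedicated chain so re-running the add-on does not stack duplicates; `JAIL_DRY_RUN=1` is an assumed knob that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: build FORWARD-drop rules for a list of AP client MACs.
# Assumes AP interface and uplink names are passed in (wlan1 and eth0 in the post).
# JAIL_DRY_RUN=1 prints the iptables-nft commands instead of running them.

# Return 0 if $1 is a 6-octet colon-separated MAC address (rejects the
# 5-octet placeholder style seen in the post).
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run or print one iptables-nft command depending on JAIL_DRY_RUN.
ipt() {
    if [ "${JAIL_DRY_RUN:-0}" = "1" ]; then
        [ "$1" = "-C" ] && return 1   # dry run: pretend the rule is absent
        echo "iptables-nft $*"
        return 0
    fi
    iptables-nft "$@"
}

# build_jail_rules AP_IF UPLINK_IF "mac1 mac2 ..."
# Rebuilds the AP_JAIL chain from scratch and hooks it into FORWARD once.
# Malformed entries are skipped and reported on stderr; returns 1 if any were.
build_jail_rules() {
    ap_if=$1; uplink=$2; macs=$3; bad=0
    ipt -N AP_JAIL 2>/dev/null          # create chain (ignore "already exists")
    ipt -F AP_JAIL                      # drop stale rules from a previous run
    # -C checks for the jump; only insert it if it is not there yet.
    ipt -C FORWARD -i "$ap_if" -o "$uplink" -j AP_JAIL 2>/dev/null || \
        ipt -I FORWARD -i "$ap_if" -o "$uplink" -j AP_JAIL
    for mac in $macs; do
        if valid_mac "$mac"; then
            # Match the client's source MAC; no "!" here, which would drop
            # every other client instead of the listed one.
            ipt -A AP_JAIL -m mac --mac-source "$mac" -j DROP
        else
            echo "skipping malformed MAC: $mac" >&2
            bad=1
        fi
    done
    return $bad
}
```

Run it from run.sh as `build_jail_rules "$INTERFACE" eth0 "$DENY_MAC_INTERNET"` after the interface is up; with `JAIL_DRY_RUN=1` you can review the generated rules in the add-on log first.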