Parental control based on MAC addresses (AdvancedTomato on R7000)
Discovered a feasible way to do parental control for individual MAC addresses. I have a Netgear R7000 with AdvancedTomato on it. In Administration > Scripts > Firewall, add the following lines for each device you want to use the OpenDNS parental control (replace XY:XY:XY:XY:XY:XY with the MAC address of the device):
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XY:XY:XY:XY:XY:XY -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XY:XY:XY:XY:XY:XY -p tcp --dport 53 -j DNAT --to 208.67.222.222
As an alternative, if you have access at OS level, you can enter the statements above as root.
To list the current settings:
iptables -t nat -L PREROUTING --line-numbers
To delete individual settings (replace nn with the line number you get from the list command):
iptables -t nat -D PREROUTING nn
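An added example, not part of the original post: a POSIX sh helper that validates each MAC address and prints the UDP and TCP redirect rules from the post for a list of devices, so the output can be pasted into Administration > Scripts > Firewall. The function names and the sample MAC addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Prints the DNS redirect rules
# from the post for each MAC address given; it does not run iptables itself.

RESOLVER="208.67.222.222"   # OpenDNS resolver used in the post
LAN_IF="br0"                # LAN bridge used in the post

# is_mac (hypothetical helper): succeed only for six colon-separated
# pairs of hex digits, so stray text never ends up inside a rule.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# dns_rules (hypothetical helper): print one UDP and one TCP rule per
# valid MAC address. Invalid entries are reported on stderr and skipped;
# the return status is 1 if any entry was rejected, 0 otherwise.
dns_rules() {
    rc=0
    for mac in "$@"; do
        if ! is_mac "$mac"; then
            echo "skipping invalid MAC: $mac" >&2
            rc=1
            continue
        fi
        for proto in udp tcp; do
            echo "iptables -t nat -I PREROUTING -i $LAN_IF -m mac --mac-source $mac -p $proto --dport 53 -j DNAT --to $RESOLVER"
        done
    done
    return $rc
}

# Constructed sample MAC addresses (locally administered, not real devices).
dns_rules 02:00:00:AA:BB:01 02:00:00:aa:bb:02
```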
-
@mattwilson9090
Hi Matt,
Anyone with the right privileges and know-how (both are required) can get around any filtering/security. Still, I would respectfully disagree with your blanket statement for the following reasons.
It all depends on what you are trying to secure and from whom.
1. As you said, "anyone with admin or root can change the MAC address." In many cases, users (the average office worker) won't have admin or root access, and even fewer have the know-how to make such changes, so filtering via MAC can be quite effective. The average office worker has no idea what a MAC address is, let alone how to change it. Someone in IT or software development... that's another story.
2. The original post was about parental controls. In a home environment, MAC address filtering is very effective because the number of the family members with the right access and know-how is usually a small number, thus the person trying to circumvent the system can be readily identified. :-)
MAC address filtering is certainly not a highly secure way of protecting data or restricting access, but, as part of a strategy, it does have its uses in certain cases.
-
Hi favoninus1,
I followed your instructions to use Administration, Scripts > Firewall, but for some reason it is not working. Am I missing a step? Is something not enabled?
I rebooted the router, still no luck.
On the other hand, if I use Tools, Execute System Commands, "Paste" and click on "Execute", it works like a charm... the only problem is I lose everything when I restart the router.
Same as you, a concerned parent.
Please answer when you have a chance.
Thank you.