Time based access control with iptables, cron and at

Until today I handled scheduled internet access for my daughters' devices via my Apple AirPort Extreme, which is configured as a bridge between my wired and my wireless network at home.

This setup has worked flawlessly for quite some time. There is one catch to this setup, though. Each time I want to make an exception to the time based internet access rules I need to reconfigure and restart the AirPort Extreme. The restart takes a minute or two, during which there is no wireless network for anyone at home. I guess that you can relate to the sheer panic that occurs in our home during that time.

The router/firewall/server/etc. that I run at home is an Ubuntu 16.04 box running on a physical machine with two network cards. This machine now handles the time based internet access.

I decided to use iptables, cron and at in a small shell script (which you can find at the end of this article), since they are all proven tools that I am familiar with.

The reason I block MAC addresses instead of IP addresses is that I run DHCP on my LAN, and that it is much harder to spoof a MAC address than to change an IP address.

The script stops the MAC addresses configured at the beginning of the script from sending traffic out to the internet. The internal network, with my internal services such as the file server, DNS, NTP, etc., is still available to the devices; only access to and from the Internet is blocked.

The comment block at the top of the script contains the lines that you can add to your crontab with “crontab -e”.
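The following is an added example of such a script, written for this edit; it is not the article's own script. It assumes a LAN interface eth1, a WAN interface eth0, an install path of /usr/local/sbin/kidsnet.sh, block/unblock times of 21:00 and 07:00, and two constructed placeholder MAC addresses; none of these values come from the article. It keeps the MAC-based DROP rules in a dedicated chain hooked in as the first rule of FORWARD, so an early "ESTABLISHED,RELATED" accept on the router cannot let already-open connections slip past, and it checks with "-C" before appending so that repeated cron runs do not pile up duplicate rules. The "allow-for" mode is the one-off exception the article wants: open access now and let at(1) re-block later, with no crontab edit and no restart.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumptions (not from the page):
# LAN interface eth1, WAN interface eth0, an install path for this script, and
# the two MAC addresses below, which are constructed placeholders.

LAN_IF=eth1
WAN_IF=eth0
CHAIN=KIDS_BLOCK                          # dedicated chain: flushing it never touches other rules
BLOCKED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # constructed placeholders
SCRIPT_PATH=/usr/local/sbin/kidsnet.sh    # assumed install path, used in the crontab lines
IPTABLES="${IPTABLES:-iptables}"          # set IPTABLES=echo to dry-run without root

# Validate a MAC address (six colon-separated hex pairs); returns 0 if valid.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# The match/target part of the rule for one MAC: forwarded packets from that
# source MAC on the LAN side heading out of the WAN interface are dropped.
# Returned as a string so it can be inspected without running iptables.
mac_rule() {
    printf '%s' "-i $LAN_IF -o $WAN_IF -m mac --mac-source $1 -j DROP"
}

# Create the chain and hook it in as the FIRST rule of FORWARD. Being first matters:
# a typical router accepts ESTABLISHED,RELATED early in FORWARD, and a DROP placed
# after that rule would let already-open connections keep flowing.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C FORWARD -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I FORWARD 1 -j "$CHAIN"
}

block() {
    ensure_chain
    for mac in $BLOCKED_MACS; do
        valid_mac "$mac" || { echo "skipping invalid MAC '$mac'" >&2; continue; }
        # -C checks for the rule first, so repeated cron runs do not stack duplicates.
        # Word splitting of the rule string is intended here.
        "$IPTABLES" -C "$CHAIN" $(mac_rule "$mac") 2>/dev/null \
            || "$IPTABLES" -A "$CHAIN" $(mac_rule "$mac")
    done
}

# Flush only our chain; the jump from FORWARD stays, so the next block is cheap.
unblock() {
    "$IPTABLES" -F "$CHAIN" 2>/dev/null || true
}

# One-off exception: open access now and let at(1) re-block after N minutes,
# without editing crontab or restarting anything.
allow_for() {
    unblock
    echo "$SCRIPT_PATH block" | at "now + $1 minutes"
}

# Crontab lines for the regular schedule (times are constructed examples):
# blocked from 21:00, open again at 07:00. Paste into "crontab -e" as root.
cron_lines() {
    printf '0 21 * * * %s block\n' "$SCRIPT_PATH"
    printf '0 7 * * * %s unblock\n' "$SCRIPT_PATH"
}

case "${1:-}" in
    block)     block ;;
    unblock)   unblock ;;
    allow-for) allow_for "${2:?minutes}" ;;
    cron)      cron_lines ;;
    *)         echo "usage: $0 block|unblock|allow-for MINUTES|cron" >&2 ;;
esac
```

Run it as root with "block" or "unblock" from cron, "allow-for 60" for a one-hour exception, and "cron" to print the crontab lines. Setting IPTABLES=echo prints the iptables invocations instead of applying them, which is a convenient way to review the rules before putting the script on a live router. Because the DROP sits in the FORWARD chain, traffic to the router's own services (DNS, NTP, file server) is untouched, matching the behaviour the article describes.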
