Hello
I have a little problem with the LEDE 17.01.4 r3560 firewall.
I want to cut off internet access for some MAC addresses at specific times.
I created a file cronfw.sh containing:
#!/bin/sh
# Insert a rule accepting established/related connection traffic just before the final rule (reject)
# (-f 1 takes the whole first column, so rule numbers of two or more digits are handled)
new_rule_num=$(iptables -v -L FORWARD --line-numbers | grep reject | cut -d ' ' -f 1)
iptables -I FORWARD "$new_rule_num" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Delete the original (first) rule for established connection traffic so only the moved copy remains
old_rule_num=$(iptables -v -L FORWARD --line-numbers | grep ESTABLISHED | cut -d ' ' -f 1 | sed -n 1p)
iptables -D FORWARD "$old_rule_num"
I installed the file cronfw.sh in /etc/ with scp.
I added in the scheduled tasks: */5 * * * * * * /etc/cronfw.sh
Then I created my rules.
It works, but not completely:
the internet is allowed at the right time and cut off at the right time, but not current connections.
Let me explain: if a new request is made after the hour it is cut, but a connection in progress, like a download / streaming / game session etc., is not cut.
I am forced to restart the firewall in LEDE System/Startup.
Hi, I realise there has been no traffic here for some time. I was following the instructions on https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls and couldn't get it to work. It turns out that this was because I had set drop_invalid to 1 in my /etc/config/firewall rules, which created an additional line that also needs to be moved.
I therefore added the following to the script - can the page be updated please?
# Only needed when drop_invalid=1 has added a "ctstate INVALID" rule to FORWARD
check=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
if [ "$check" -gt 0 ]; then
    # Insert a copy of the INVALID rule just before the final reject rule
    rule_del=$(iptables -v -L FORWARD --line-numbers | grep reject | cut -d ' ' -f 1)
    iptables -I FORWARD "$rule_del" -m conntrack --ctstate INVALID -j DROP
    # Delete the original (first) INVALID rule
    rule_del=$(iptables -v -L FORWARD --line-numbers | grep INVALID | cut -d ' ' -f 1 | sed -n 1p)
    iptables -D FORWARD "$rule_del"
    # Get rid of any duplicate INVALID rules (these seem to be caused when restarting the firewall)
    count=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
    while [ "$count" -gt 1 ]; do
        rule_num=$(iptables -v -L FORWARD --line-numbers | grep INVALID | cut -d ' ' -f 1 | sed -n 1p)
        iptables -D FORWARD "$rule_num"
        count=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
    done
fi
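Both scripts in this thread depend on extracting a rule number from the `iptables -v -L FORWARD --line-numbers` listing, and the first one's `cut -c1` silently returns the wrong number once the chain has ten or more rules. The following is an added example, not code from either poster or from the OpenWrt wiki page; it runs the extraction offline against a constructed sample listing (the MAC addresses, counters and rule order are made up) so the failure mode and a robust replacement can be checked before touching a live router.

```shell
#!/bin/sh
# Constructed sample of `iptables -v -L FORWARD --line-numbers` output
# (not captured from a real router). It mirrors the situation in the thread:
# an ESTABLISHED rule at 2, a duplicated INVALID rule at 3 and 4, two
# time-based parental-control DROP rules, and the final reject rule at 10.
SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9021  14M forwarding_rule  all  --  any    any     anywhere             anywhere
2     8500  13M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3        2  120 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
4        0    0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
5       40 3200 DROP       all  --  br-lan any     anywhere             anywhere             MAC 00:11:22:33:44:55 TIME from 21:00:00 to 07:00:00
6       12  900 DROP       all  --  br-lan any     anywhere             anywhere             MAC 66:77:88:99:AA:BB TIME from 21:00:00 to 07:00:00
7      300  45K zone_lan_forward  all  --  br-lan any     anywhere             anywhere
8        0    0 zone_wan_forward  all  --  eth0   any     anywhere             anywhere
9      150  20K zone_guest_forward  all  --  br-guest any     anywhere             anywhere
10       3  180 reject     all  --  any    any     anywhere             anywhere'

# rule_num LISTING PATTERN: print the rule number of the first data row
# containing PATTERN. The first field is only accepted when it is all
# digits, so the two header lines are skipped, and the whole field is
# printed, so rule numbers of two or more digits come back intact.
rule_num() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$1 ~ /^[0-9]+$/ && index($0, pat) { print $1; exit }'
}

# rule_count LISTING PATTERN: how many data rows contain PATTERN
# (what the second poster's duplicate-INVALID loop needs to know).
rule_count() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$1 ~ /^[0-9]+$/ && index($0, pat) { n++ } END { print n + 0 }'
}

# The extraction from the first poster's script, kept only for comparison:
# `cut -c1` keeps one character, so rule 10 is reported as rule 1 and the
# ESTABLISHED rule would be inserted at the top of the chain instead of
# before reject.
naive_rule_num() {
    printf '%s\n' "$1" | grep "$2" | cut -c1
}

# Stand-alone run: show the difference on the sample listing.
echo "reject rule, robust: $(rule_num "$SAMPLE" reject)"       # 10
echo "reject rule, cut -c1: $(naive_rule_num "$SAMPLE" reject)" # 1
echo "INVALID rules present: $(rule_count "$SAMPLE" INVALID)"   # 2
```

On a live router the listing comes from `iptables -v -L FORWARD --line-numbers` instead of `$SAMPLE`, and `cut -d ' ' -f 1` as used in the second script is an equally safe drop-in for `cut -c1`.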