MAC Filtering uhttp port 80

DopW · April 3, 2020, 12:18pm

Hi,

I want to block some MAC address to access my WebServer.

I followed this tutorial Link

and in /etc/config/firewall I got

config rule
	option enabled '1'
	option name '-Locked'
	option src_mac 'devicemac'
	option target 'REJECT'
	option proto 'all'
	option src '*'
	option dest '*'

But I still can connect to my webserver on port 80.
I want to lock the src_mac and that it cannot reach the webserver.
What am I doing wrong?

trendy · April 3, 2020, 12:23pm

MAC address has link validity only. If you are trying to block some MAC from the wan and your server is in the lan it won't work. For that you'll need IP address.
Also src '*' and dst '*' doesn't look very elegant, you'd better make it more specific.

DopW · April 3, 2020, 12:28pm

Thank you for your reply.
So how do I set the rule if I want to block MAC device AA and this device cannot reach webserver on IP 192.168.1.1 ?

jow · April 3, 2020, 12:32pm

The problem is option dest '*'. As soon as any dest is specfied, the firewall will create a forward rule. But in order to prevent access to uhttpd you need an input rule.

Remove option dest '*' and it should work.

trendy · April 3, 2020, 12:33pm

Where is the device located? In the LAN? In the internet? The 192.168.1.1 belongs to the OpenWrt router or some other host?

DopW · April 3, 2020, 12:41pm

I did this:

config rule
	option enabled '1'
	option src_mac 'deviceMAC'
	option target 'REJECT'
	option proto 'all'
	option name 'Locked'
	option src 'lan'
	option dest_ip '192.168.20.1'
	option dest_port '80'
	option src_ip '192.168.20.0/24'

Now if I try to set an IP in 192.168.20.0/24 on device mac I cannot reach the webserver.

Is it correct?

Is it possible to do the opposite? Allow only this device with this MAC to reach the WebServer and all other device with a different MAC are not allowed?

trendy · April 3, 2020, 1:06pm

You didn't answer my questions, so it is hard to help you.

DopW · April 3, 2020, 1:10pm

Sorry,

device is in the LAN, and IP of WebServer is 192.168.20.1:80.
IP belongs to the OpenWRT router.

trendy · April 3, 2020, 6:54pm

There you go

config rule
	option enabled '1'
	option src_mac '00:0U:5B:PO:CB:RT'
	option target 'REJECT'
	option proto 'tcp'
	option name 'Block HTTP'
	option src 'lan'
	option dest_port '80'

DopW · April 7, 2020, 12:54pm

Thanks! it works correctly!

What if I want to allow only this device 00:0U:5B:PO:CB:RT to reach the WebServer and block all the others device(MAC address)?
Is it possibile to provide also a list i.e. allow devices that MAC starts with 00:0U:5B:* ?

trendy · April 7, 2020, 12:58pm

Change the option target to ACCEPT for this mac and below make another rule to REJECT dest_port 80 from lan.
I don't think you can use wildcard on mac address, you'll have to make a rule for each mac you want to permit.