* [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Daevid Vincent @ 2007-10-10 6:35 UTC
To: gentoo-user

I have my WiFi network on a hostapd controlled 10.10.10.* range and my
wired LAN on a 192.168.1.* range.

I try to be a "nice guy" and leave the WiFi 'open' (no WEP) as it's
segregated and I use some proper shorewall rules to route things nicely
for my various privileged devices. Also, some WiFi devices I have just
don't support WEP, and it's a real hassle to get others working with
WEP.

I don't mind the occasional person jumping on to check movie times or
traffic or get email or whatever. I think bandwidth should be free for
everyone and it is sure a life saver when you need to quickly get online
for something.

Anyways, sometimes I have stupid neighbors who don't quite "get it" and
will just blindly let their computers connect to my WAP. UGH! They sit
on it for hours and days and generally piss me off.

How can I boot someone off my network? I usually add them to my
shorewall blacklist file, and then:

    /etc/init.d/dhcp restart
    /etc/init.d/shorewall restart

But I still see them on there it seems.

http://daevid.com/examples/dhcp
(essentially it's doing an 'arp -n' and then I parse that info and make
it pretty)

    daevid dhcp # arp -n
    Address        HWtype  HWaddress          Flags Mask  Iface
    10.10.10.7     ether   00:06:25:12:4A:D8  C           wlan0
    10.10.10.27    ether   00:19:7E:C5:02:AB  C           wlan0
    67.168.160.1   ether   00:01:5C:23:D7:02  C           eth0
    10.10.10.69    ether   00:02:6F:21:DF:5C  C           wlan0
    192.168.1.18   ether   00:0C:F1:A8:F7:F3  C           eth1

I googled and found this little nugget that I thought would work:
http://www.linuxforums.org/forum/linux-newbie/5752-dhcpd-iptables-deny-mac-addresses.html

    # iptables -A FORWARD -m mac --mac-source 00:19:7E:C5:02:AB -j DROP

But I still see this squatter. And I can feel my network being sluggish
as they're probably downloading a lot of stuff.

--
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Alan McKinnon @ 2007-10-10 8:10 UTC
To: gentoo-user

On Wednesday 10 October 2007, Daevid Vincent wrote:
> Anyways, sometimes I have stupid neighbors who don't quite "get it"
> and will just blindly let their computers connect to my WAP. UGH!
> They sit on it for hours and days and generally piss me off.
>
> How can I boot someone off my network? I usually add them to my
> shorewall blacklist file, and then:

You run dhcp? Just exclude that MAC address from getting a lease.

No IP address = no route = problem solved

For a second level of teach-them-a-lessonness, iptables has a 'mac'
extension. Use that to match the MAC address and DROP all patches in
your outgoing firewall FORWARD chain

alan

--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Ow Mun Heng @ 2007-10-10 8:18 UTC
To: gentoo-user

On Wed, 2007-10-10 at 10:10 +0200, Alan McKinnon wrote:
> On Wednesday 10 October 2007, Daevid Vincent wrote:
> > Anyways, sometimes I have stupid neighbors who don't quite "get it"
> > and will just blindly let their computers connect to my WAP. UGH!
> > They sit on it for hours and days and generally piss me off.
> >
> > How can I boot someone off my network? I usually add them to my
> > shorewall blacklist file, and then:
>
> You run dhcp? Just exclude that MAC address from getting a lease.
>
> No IP address = no route = problem solved
>
> For a second level of teach-them-a-lessonness, iptables has a 'mac'
> extension. Use that to match the MAC address and DROP all patches in
> your outgoing firewall FORWARD chain

Better yet.. redirect them to a (random) page that shows everything
about cats.

I read this one from google.

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Mick @ 2007-10-10 19:37 UTC
To: gentoo-user

On Wednesday 10 October 2007, Ow Mun Heng wrote:
> On Wed, 2007-10-10 at 10:10 +0200, Alan McKinnon wrote:
> > On Wednesday 10 October 2007, Daevid Vincent wrote:
> > > Anyways, sometimes I have stupid neighbors who don't quite "get it"
> > > and will just blindly let their computers connect to my WAP. UGH!
> > > They sit on it for hours and days and generally piss me off.
> > >
> > > How can I boot someone off my network? I usually add them to my
> > > shorewall blacklist file, and then:
> >
> > You run dhcp? Just exclude that MAC address from getting a lease.
> >
> > No IP address = no route = problem solved
> >
> > For a second level of teach-them-a-lessonness, iptables has a 'mac'
> > extension. Use that to match the MAC address and DROP all patches in
> > your outgoing firewall FORWARD chain
>
> Better yet.. redirect them to a (random) page that shows everything
> about cats.
>
> I read this one from google.

Since you mention Google, I remember reading about a NASA style AP
authentication which may be of interest to the OP:

Essentially you run a web server with SSL authentication so that only
users who authenticate with user name/passwd that you have provided, are
issued with an IP address by your dhcp server. In this way you can
control who's using your bandwidth; what they use it for; e.g. only
mail; or mail & http; etc. If you are interested in providing this as a
service then you issue usernames/passwds to applicants via email.
Additionally, you can run QoS and throttle http, or bittorrent
(ab)users, a proxy caching server, and what not.

PS. Where I live I have to pay for bandwidth (although where I currently
work I don't). So your concept of offering bandwidth for free seems
somewhat strange to me. Furthermore, I would be concerned what different
people may be using the Internet for and what trouble I could get into,
for being the registered owner of the particular public IP address. That
said, I would looove being your neighbor! :)

--
Regards,
Mick

[parent not found: <470D52ED.8020007@bellsouth.net>]
* RE: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Daevid Vincent @ 2007-10-10 23:50 UTC
To: gentoo-user

> -----Original Message-----
> I was wondering what would happen if someone downloaded some music
> illegally or some child porn? How would you prove it was them and not
> you? Being a good neighbor is nice but you need to be
> careful for sure.

Dunno. I suppose I'd show some logs from the DHCPd server or HostAPd or
something that showed the MAC addresses used at that particular time of
the infraction?

How do Coffee shops handle that? They have open WiFi -- many of them
(here in Seattle at least), you can just jump on from anywhere. Hell
there are about 12 WAP right here in my building that I can see and
several are not WEP or WPA. When our network goes down, sometimes I just
jump on them. :)

Besides, most sites that actually LET you download these days require
some sort of login anyways. So that hypothetical person in your scenario
would have that on their computer, whereas I would not. ;-p

I don't really think about it too much.

I've thought about setting up a "hotel page" type system, but it's just
one more thing I don't have time to futz with. If push came to shove,
I'd just start blacklisting ALL MAC's (or I should say whitelisting *my*
MACs actually).

I'd really like to be part of a mesh, but where I live I'm in the middle
of suburbia.

D.Vin
http://daevid.com (check out the free code section!)

* RE: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Albert Hopkins @ 2007-10-11 0:16 UTC
To: gentoo-user

On Wed, 2007-10-10 at 16:50 -0700, Daevid Vincent wrote:
> > -----Original Message-----
> > I was wondering what would happen if someone downloaded some music
> > illegally or some child porn? How would you prove it was them and not
> > you? Being a good neighbor is nice but you need to be
> > careful for sure.
>

Search Google for "if someone uses your property to commit a crime" and,
somewhat surprisingly, the first hit you get is this:

http://www.techdirt.com/articles/20060320/1636238.shtml

--
Albert W. Hopkins

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Neil Bothwick @ 2007-10-11 8:28 UTC
To: gentoo-user

Hello Albert Hopkins,

> Search Google for "if someone uses your property to commit a crime" and,
> somewhat surprisingly, the first hit you get is this:
>
> http://www.techdirt.com/articles/20060320/1636238.shtml

As it says, you could be arrested. You may not be charged, but your
arrest would be on record. That wouldn't be so bad if someone had used
your network to download music, but what about kiddie porn, or visiting
al-Qaeda related web sites? Once you get into that area, all pretense of
presumption of innocence and reasonable doubt goes out of the window. If
you can't prove conclusively that it wasn't you, you will end up on a
watch list. Maybe you still end up on it if you can prove it wasn't you.

--
Neil Bothwick

One-seventh of your life is spent on Monday.

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Dan Farrell @ 2007-10-11 0:18 UTC
To: gentoo-user

On Wed, 10 Oct 2007 16:50:30 -0700 "Daevid Vincent" <daevid@daevid.com> wrote:
> I've thought about setting up a "hotel page" type system, but it's
> just one more thing I don't have time to futz with. If push came to
> shove, I'd just start blacklisting ALL MAC's (or I should say
> whitelisting *my* MACs actually).
>
> I'd really like to be part of a mesh, but where I live I'm in the
> middle of suburbia.

MAC addresses can be spoofed, and, I've been convinced, sniffed out very
easily. MAC address filtering isn't safe, but does make sure anyone
abusing your net the way we're talking about here uses your MAC
addresses and not their own.

On the other hand, you could make them digitally agree to a user
agreement and I bet that would go a long way in court.

I've been wondering about this too. I'm trying to think of a way to
integrate a webpage with server routing and such.

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Ted Ozolins @ 2007-10-11 0:07 UTC
To: gentoo-user

Dale wrote:
> Mick wrote:
>> PS. Where I live I have to pay for bandwidth (although where I currently work
>> I don't). So your concept of offering bandwidth for free seems somewhat
>> strange to me. Furthermore, I would be concerned what different people may
>> be using the Internet for and what trouble I could get into, for being the
>> registered owner of the particular public IP address. That said, I would
>> looove being your neighbor! :)
>>
>
> I was wondering what would happen if someone downloaded some music
> illegally or some child porn? How would you prove it was them and not
> you? Being a good neighbor is nice but you need to be careful for sure.
>
> Just a thought.
>
> Dale
>
> :-) :-) :-)

It all depends on what country you live in. In Canada you can
download/upload all the music you want legally (we've paid for it ten
times over via a levy against all recording media). As for illegal
material, if it's not on your computer, it's not in your possession.

Cheers.
Ted Ozolins (VE7TVO)
Cranbrook, BC

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Dan Farrell @ 2007-10-11 0:23 UTC
To: gentoo-user

On Wed, 10 Oct 2007 18:07:19 -0600 Ted Ozolins <ted1@telus.net> wrote:
> In Canada you can
> download/upload all the music you want legally,( we've paid for it ten
> times over via a levy against all recording media)

huh? would you do just a little elaborating?

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: Ophidian @ 2007-10-12 14:21 UTC
To: gentoo-user

Dan Farrell wrote:
> On Wed, 10 Oct 2007 18:07:19 -0600
> Ted Ozolins <ted1@telus.net> wrote:
>
>> In Canada you can
>> download/upload all the music you want legally,( we've paid for it ten
>> times over via a levy against all recording media)
>
> huh? would you do just a little elaborating?

In Canada there is a levy/tax on all blank media (CD's, DVD's, it may be
extended to flash media and ipods in the near future). This money is
then distributed to artists to compensate them for money lost due to
copying of their music under the Private Copying provision of the
Copyright Act.

There have been a number of court rulings that strongly indicate
uploading/downloading of music in Canada falls under this provision,
although to my knowledge there has not been a direct challenge of this
fact as of yet (I suspect mostly because the CRIA knows they would
lose).

More info:
http://en.wikipedia.org/wiki/Private_copying_levy#Canada
http://www.michaelgeist.ca/content/view/2238/125/
http://laws.justice.gc.ca/en/showdoc/cs/C-42/bo-ga:l_VIII//en#anchorbo-ga:l_VIII
(NOTE: This last link is to the Private Copying section of the Copyright Act)

Ophi

* Re: [gentoo-user] OT: how do I kick a MAC address off my hostapd WiFi network?
From: dexter @ 2007-10-10 8:23 UTC
To: gentoo-user

Your iptables rule is almost ok, if I were you I'd do something like
this:

    iptables -t nat -A PREROUTING -m mac --mac-source 00:19:7E:C5:02:AB -j DROP

and

    iptables -A INPUT -m mac --mac-source 00:19:7E:C5:02:AB -j DROP

That should do the job

Daevid Vincent wrote:
> I have my WiFi network on a hostapd controlled 10.10.10.* range and my
> wired LAN on a 192.168.1.* range.
>
> I try to be a "nice guy" and leave the WiFi 'open' (no WEP) as it's
> segregated and I use some proper shorewall rules to route things nicely
> for my various privileged devices. Also, some WiFi devices I have just
> don't support WEP, and it's a real hassle to get others working with
> WEP.
>
> I don't mind the occasional person jumping on to check movie times or
> traffic or get email or whatever. I think bandwidth should be free for
> everyone and it is sure a life saver when you need to quickly get online
> for something.
>
> Anyways, sometimes I have stupid neighbors who don't quite "get it" and
> will just blindly let their computers connect to my WAP. UGH! They sit
> on it for hours and days and generally piss me off.
>
> How can I boot someone off my network? I usually add them to my
> shorewall blacklist file, and then:
>
> /etc/init.d/dhcp restart
> /etc/init.d/shorewall restart
>
> But I still see them on there it seems.
>
> http://daevid.com/examples/dhcp
> (essentially it's doing an 'arp -n' and then I parse that info and make
> it pretty)
>
> daevid dhcp # arp -n
> Address        HWtype  HWaddress          Flags Mask  Iface
> 10.10.10.7     ether   00:06:25:12:4A:D8  C           wlan0
> 10.10.10.27    ether   00:19:7E:C5:02:AB  C           wlan0
> 67.168.160.1   ether   00:01:5C:23:D7:02  C           eth0
> 10.10.10.69    ether   00:02:6F:21:DF:5C  C           wlan0
> 192.168.1.18   ether   00:0C:F1:A8:F7:F3  C           eth1
>
> I googled and found this little nugget that I thought would work:
> http://www.linuxforums.org/forum/linux-newbie/5752-dhcpd-iptables-deny-mac-addresses.html
>
> # iptables -A FORWARD -m mac --mac-source 00:19:7E:C5:02:AB -j DROP
>
> But I still see this squatter. And I can feel my network being sluggish
> as they're probably downloading a lot of stuff.
>

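Added example, not part of any message in the thread: a dry-run shell helper that applies the suggestions above (DHCP exclusion, the iptables 'mac' match) to the `arp -n` table quoted in the thread and prints the resulting commands without running them. It inserts the DROP rules at the top of the chain, because a rule appended with `-A` is only reached if no earlier rule has already accepted the packet. Assumptions: ISC dhcpd syntax, a hostapd configured with `macaddr_acl=0` and `deny_mac_file`, a control interface for `hostapd_cli`, and a hypothetical deny-file path.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run: prints commands, changes nothing.

# Hypothetical path; hostapd.conf would name it in deny_mac_file= (macaddr_acl=0).
DENY_FILE=/etc/hostapd/hostapd.deny

# Constructed sample: the `arp -n` table quoted in the thread.
ARP_SAMPLE='Address        HWtype  HWaddress          Flags Mask  Iface
10.10.10.7     ether   00:06:25:12:4A:D8  C           wlan0
10.10.10.27    ether   00:19:7E:C5:02:AB  C           wlan0
67.168.160.1   ether   00:01:5C:23:D7:02  C           eth0
10.10.10.69    ether   00:02:6F:21:DF:5C  C           wlan0
192.168.1.18   ether   00:0C:F1:A8:F7:F3  C           eth1'

# Accept only six colon-separated hex octets, so nothing else reaches a command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

upper() { printf '%s' "$1" | tr 'a-f' 'A-F'; }

# stdin: arp -n output. Prints the interface the MAC was seen on; fails if absent.
iface_of_mac() {
    awk -v mac="$(upper "$1")" '
        toupper($3) == mac { print $NF; found = 1; exit }
        END { exit !found }'
}

# ISC dhcpd host declaration that refuses a lease to this MAC.
dhcpd_deny_host() {
    valid_mac "$1" || return 2
    m=$(upper "$1")
    printf 'host blocked-%s {\n  hardware ethernet %s;\n  deny booting;\n}\n' \
        "$(printf '%s' "$m" | tr -d ':')" "$m"
}

# $1 = MAC, $2 = wireless interface, stdin = arp -n output.
kick_plan() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    mac=$(upper "$1")
    iface=$(iface_of_mac "$mac") || { echo "$mac not in ARP table" >&2; return 3; }
    # Refuse MACs seen on another interface (e.g. the upstream gateway on eth0).
    [ "$iface" = "$2" ] || { echo "$mac is on $iface, not $2" >&2; return 4; }
    cat <<EOF
iptables -I FORWARD 1 -i $2 -m mac --mac-source $mac -j DROP
iptables -I INPUT 1 -i $2 -m mac --mac-source $mac -j DROP
echo $mac >> $DENY_FILE
hostapd_cli -i $2 deauthenticate $mac
EOF
}

# Filter table only: current iptables refuses DROP in the nat table.
# The ARP entry can outlive the block: iptables does not filter ARP itself.
printf '%s\n' "$ARP_SAMPLE" | kick_plan 00:19:7e:c5:02:ab wlan0
dhcpd_deny_host 00:19:7e:c5:02:ab
```

hostapd reads the deny file when its configuration is loaded, so it needs a reload before the new entry takes effect. Rules added by hand are replaced when shorewall restarts and rebuilds its ruleset, so a lasting block belongs in shorewall's own blacklist.
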