Hi there,
I want to share my scripts for setting the Domoticz to control Internet access for all of my kid's devices. This ability alone is the most important feature why I use Domoticz, and now my life "depends" on it.
In principle, I want to control access to the Internet with a flick of a button on my Phone. Just like a good French guillotine - chop, and the internet is gone. Imagine the face of your kid the first time you say - "if you don't take the dog out in the morning your internet is out." And then you take the phone, push a button, and the Youtube stops, access is denied, and your kid's tablet is dead like a brick. Imagine what else you can do. In my home, the kid has no internet until a) he takes the dog out; b) fixes his bed; c) gets his bag ready for school; d) and eats breakfast. Then he ASKS for the internet, and after I confirm that all that he needs to do is accomplished, I turn the internet on from my phone. Here is the best part, at 08:35 every weekday the Internet goes OFF automatically because he needs to get out of the house on time. I need to do nothing and no more arguments.
Note: the internet must be VERY important to your kid. Otherwise, this may not work. LOL
I think you get the point and perhaps got interested. If you are interested, here is how I did it. I am requesting and accepting any ideas to improve my implementation.
Router:
I installed a Router that handles SSH connections like DD-WRT, OpenWRT etc. The Router's software installation and configuration is beyond the scope of my post. If you know how to set a router that can handle SSH commands then you will be able to use the information to set your own parental control.
Firewall:
DD-WRT is using iptables to control the rules based on device MAC address.
In the router, I created default access rules for every internet device my kid has. In DD WRT this feature is located at Access Restrictions -> Access Policy.
There are ten (10) groups available. I used Group 10 to default and disable access to all of my kid's devices. This creates the rules in iptables, which allows me to use the script below to replace the access. The bonus is if my router reboots, the internet for my kid is off by default.
For each device, iptables will create two entries. I am not an expert in firewall commands; but, I found that by changing the first rule I can control the router's firewall permission.
iptables -L will list all the rules under group_10 and will give you the device's target number
Filename: switch_internet.sh
#!/bin/sh
ssh [email protected] iptables -R $1 $2 -p 0 -m mac --mac-source $3 -j $4
$1 is the iptables group (in my case I created default entries with grp_10)
$2 is the iptables target device (the first device will be 1, the second device will be 3, the third device will be 5, etc.)
$3 is the device's MAC address
$4 is the Rule (ACCEPT or REJECT). I am using REJECT because the router drops the packet immediately and returns failure.
Make a directory for the script in ~/domoticz/scripts/internet
chmod a+x switch_internet.sh
SSH:
For the script to work you must be able to get ssh access with no authentication. I do this for both root and pi users.
What I do is create private/public keys to allow the root on my Domoticz server to send the commands to the router without authentication.
1) On the Domoticz, su root
2) Run ssh-keygen -t rsa
3) Do not enter any password when keys are generated.
4) Copy the public key cat /root/.ssh/id_rsa.pub and copy the entire key.
5) Authenticate to the DD WRT router -> Services -> Authorized Keys, and paste the key. Save and apply the changes.
6) I do the same process to the pi user.
7) From the Domoticz server, ssh [email protected] and press enter to accept the key. After the first login, the SSH will be without any password or prompt, and this is what we need.
8) I do the passwordless authentication for both the pi and root accounts. Generate keys for the pi user, copy the public key to the router, perform one manual authentication to accept keys, and you are done.
If you accomplished everything so far, you are almost done.
Domoticz:
This is the easy part.
1) Create a Dummy switch to control the internet access
2) Type the following commands:
On Action: script://internet/switch_internet.sh grp_10 1 24:24:ZZ:FF:CC:AA ACCEPT
Off Action: script://internet/switch_internet.sh grp_10 1 24:24:ZZ:FF:CC:AA REJECT
Put the real MAC addresses for each device, and replace the number 1 with 3 or 5 depending on the iptables location of that device.
This will turn the firewall rules on and off.
In a different post, I requested help with a script that notifies me when a switch is on outside of the Timers set. This will allow me to get notifications every set interval (for example 10 min) that I turned on the internet manually and perhaps it is time to turn it off.
The concepts here are simple but are working. I was thinking to set other scripts that can also read the iptables and return status notifications. This is however beyond my scripting skills. Perhaps someone would want to improve this concept using any of the new dzVents scripts. This is why I am posting this post on this dzVents sub-forum.
It is worth the effort to set this up.
Thank you all,
Alley Cat.
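An added example, not part of the original post: a variant of switch_internet.sh that checks its four arguments before sending anything to the router. ssh passes the remote command to the router's shell as a single string, so an unchecked argument would be interpreted there with the router account's privileges. The ROUTER variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Hardened variant of switch_internet.sh (added example, not the poster's script).
# Each value is matched against a strict pattern before it is sent over ssh.

# Assumption: router login (user@address), supplied by the caller's environment.
ROUTER="${ROUTER:-}"

H='[0-9A-Fa-f][0-9A-Fa-f]'   # one hex octet of a MAC address

# Print the iptables command for valid input; return 1 and print nothing otherwise.
rule_command() {
    [ "$#" -eq 4 ] || return 1
    chain=$1 index=$2 mac=$3 verdict=$4
    case $chain in ''|*[!A-Za-z0-9_]*) return 1 ;; esac     # chain name, e.g. grp_10
    case $index in ''|0*|*[!0-9]*) return 1 ;; esac          # rule position: 1, 3, 5...
    case $mac in $H:$H:$H:$H:$H:$H) ;; *) return 1 ;; esac   # six hex octets
    case $verdict in ACCEPT|REJECT) ;; *) return 1 ;; esac   # the only two targets used
    printf 'iptables -R %s %s -p 0 -m mac --mac-source %s -j %s\n' \
        "$chain" "$index" "$mac" "$verdict"
}

switch_internet() {
    [ -n "$ROUTER" ] || { echo "ROUTER is not set" >&2; return 2; }
    cmd=$(rule_command "$@") || { echo "rejected arguments: $*" >&2; return 1; }
    # BatchMode: fail instead of prompting when key authentication does not work.
    ssh -o BatchMode=yes "$ROUTER" "$cmd"
}

# Run only when called with the four arguments the Domoticz switch passes.
if [ "$#" -eq 4 ]; then
    switch_internet "$@"
fi
```

The placeholder MAC 24:24:ZZ:FF:CC:AA from the switch actions is refused by this check, since ZZ is not a hex octet; a real device address passes.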
Domoticz for Internet Parental Control (Access)
- Eddiever
Re: Domoticz for Internet Parental Control (Access)
Nice but I use the Fingbox for this. Too bad my daughter also has data on her mobile and knows the wifi password of my neighbours.

Re: Domoticz for Internet Parental Control (Access)
I was searching for something like this but use ubnt so this will not work, but great job for the ones using wrt
raspberry pi | xiaomi vacuum | yeelight | philips hue | zwave | ubiquiti unifi | harmony | sonoff | zigbee2mqtt | https://www.youtube.com/channel/UC2Zidl ... m1OLuNldfQ
Re: Domoticz for Internet Parental Control (Access)
Hey, can I use it in Australia for my kids?
- emme
Re: Domoticz for Internet Parental Control (Access)
I had dd-wrt before and it was just exactly what I was looking for!
Your approach is the right way (I also really appreciate the education and the earns you are teaching to your son, but this is my personal opinion) even if there is a big lack in security which is the no authentication between the Domoticz Server and the router.
From a pure security point of view (assuming you have exposed your domoticz to the internet) and theoretically speaking, you have virtually granted access to your router to anyone.
But I like your way!
Actually I've moved to avm fritz... which has an option like that (even if I do not think it is updatable via command but also via UI)
Ciao
M
The most dangerous phrase in any language is:
"We always done this way"