how do I kick a MAC address off my hostapd WiFi network?

Daevid Vincent daevid
Tue Oct 9 23:36:30 PDT 2007

I have my WiFi network on a hostapd controlled 10.10.10.* range and my
wired LAN on a 192.168.1.* range. 

I try to be a "nice guy" and leave the WiFi 'open' (no WEP) as it's
segregated and I use some proper shorewall rules to route things nicely
for my various privileged devices. Also, some WiFi devices I have just
don't support WEP, and it's a real hassle to get others working with

I don't mind the occasional person jumping on to check movie times or
traffic or get email or whatever. I think bandwidth should be free for
everyone and it is sure a life saver when you need to quickly get online
for something.

Anyways, sometimes I have stupid neighbors who don't quite "get it" and
will just blindly let their computers connect to my WAP. UGH! They sit
on it for hours and days and generally piss me off.

How can I boot someone off my network? I usually add them to my
shorewall blacklist file, and then:

/etc/init.d/dhcp restart
/etc/init.d/shorewall restart

But I still see them on there it seems.
(essentially it's doing an 'arp -n' and then I parse that info and make
it pretty)

daevid dhcp # arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   00:06:25:12:4A:D8   C                     wlan0
                         ether   00:19:7E:C5:02:AB   C                     wlan0
                         ether   00:01:5C:23:D7:02   C                     eth0
                         ether   00:02:6F:21:DF:5C   C                     wlan0
                         ether   00:0C:F1:A8:F7:F3   C

I googled and found this little nugget that I thought would work:

# iptables -A FORWARD -m mac --mac-source 00:19:7E:C5:02:AB -j DROP

But I still see this squatter. And I can feel my network being sluggish
as they're probably downloading a lot of stuff.
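
Added example (not part of the original post, and not hostapd's own code): the iptables rule above only drops forwarded IP packets, so the station stays associated and keeps showing up in 'arp -n'; this sketch refuses it at the access point instead, using hostapd's MAC deny list plus a deauthentication. The deny-file path, the control interface and the SIGHUP reload are assumptions about the setup.

```sh
#!/bin/sh
# Added example: block a station at the 802.11 layer with hostapd's deny list.
# Assumed hostapd.conf lines (not shown in the post):
#   macaddr_acl=0                       # accept unless listed in the deny file
#   deny_mac_file=/etc/hostapd.deny     # assumed path
#   ctrl_interface=/var/run/hostapd     # needed for hostapd_cli
DENY_FILE="${DENY_FILE:-/etc/hostapd.deny}"
AP_IFACE="${AP_IFACE:-wlan0}"           # wireless interface from the arp output

# Print the MAC in lower case; fail unless it is six colon-separated hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Add a MAC to the deny file exactly once (safe to call repeatedly).
deny_add() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    touch "$DENY_FILE" || return 1
    grep -qix "$mac" "$DENY_FILE" || printf '%s\n' "$mac" >> "$DENY_FILE"
}

# Deny the MAC, make hostapd re-read its files, then end the current association.
kick() {
    deny_add "$1" || return 1
    mac=$(normalize_mac "$1")
    # Assumption: hostapd reloads its configuration (ACL files included) on SIGHUP.
    pkill -HUP -x hostapd
    # Without the deny entry the client would simply re-associate after this.
    hostapd_cli -i "$AP_IFACE" deauthenticate "$mac"
}

# Run as root:  ./kick.sh --kick 00:19:7E:C5:02:AB
if [ "${1:-}" = "--kick" ] && [ -n "${2:-}" ]; then
    kick "$2"
fi
```

A denied station can still change its MAC address and come back, so this keeps out careless neighbours rather than determined ones.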

