Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Siri -> HomeBridge -> HomeBridge-ssh -> iptables
{
"bridge": {
"name": "Homebridge",
"username": "26:DA:2E:73:48:28",
"port": 45525,
"pin": "937-19-468"
},
"description": "Raspberry Pi Zero",
"platforms": [{
"platform": "config",
"name": "Config",
"port": 8080,
"sudo": false
}],
"accessories": [{
"accessory": "SSH",
"name": "Wifes iPad",
"on": "/root/pc.sh ENABLE aa:aa:aa:aa:aa:aa",
"off": "/root/pc.sh DISABLE aa:aa:aa:aa:aa:aa",
"state": "/root/pc.sh STATE aa:aa:aa:aa:aa:aa",
"on_value": "ENABLED",
"exact_match": true,
"ssh": {
"user": "root",
"host": "1.1.1.1",
"port": 22,
"password": "your_root_password"
}
},
{
"accessory": "SSH",
"name": "Tims Laptop",
"on": "/root/pc.sh ENABLE bb:bb:bb:bb:bb:bb",
"off": "/root/pc.sh DISABLE bb:bb:bb:bb:bb:bb",
"state": "/root/pc.sh STATE bb:bb:bb:bb:bb:bb",
"on_value": "ENABLED",
"exact_match": true,
"ssh": {
"user": "root",
"host": "1.1.1.1",
"port": 22,
"password": "your_root_password"
}
}
]
}
This is a pretty simple setup:
Siri is used to control Homebridge using the HomeKit protocol.
Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.
There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table.
1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
2. Install homebridge and homebridge-ssh. You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
sudo -i npm install -g homebridge --unsafe-perm
sudo -i npm install -g homebridge-ssh --unsafe-perm
sudo -i npm install -g --unsafe-perm homebridge-config-ui-x
3. Build a shell script (pc.sh below) that will perform 3 functions:
enable a mac address (remove it from the firewall)
disable a mac address (adds it to the firewall)
checks the status of the mac address (iptables | grep)
4. Test the shell script before you get too far so you only have to troubleshoot one thing at a time...
5. Configure homebridge-ssh (config.json below) to call the shell script over SSH. Yeah, this version logs in as root, but its a first pass.
The next version will be configured for sudo.
config.json goes in your current users home directory under .homebridge/config.json
6. Start homebridge. My binary was in:
/opt/nodejs/bin/homebridge.
I opted to use the "-I" flag for insecure which allows modifying the accessories from a web UI on :8080. Totally up to you.
7. Register your new homekit accessory with the "home" app on IOS.
Just scan the QR code in your current console.
Notes:
The name of the device is the "name" in config.json. For the demo video the name was "Internet on Tim's Laptop" only because I wanted
the grammer to be correct. Siri will response with "the" infront of the device name.
When you start homebridge, make sure it says it found devices and loads them. If it doesn't, you have issues with your json. Syntax
issues can be identified with jsonlint.com, but deeper config issues may be harder to troubleshoot. I was missing [] around the
accessories field and it drove me crazy for a while.
[2018-12-1 02:35:07] Loaded config.json with 4 accessories and 1 platforms.
[2018-12-1 02:35:08] Loading 1 platforms...
[2018-12-1 02:35:09] Loading 4 accessories...
I chose to insert the firewall rule at the top of the FORWARD table so it kills all connections instantly. If you add it to a zone
specific forward on OpenWrt, the ESTABLISHED,RELATED rule is still in effect so they can continue browsing the same site, watch
youtube videos, etc until the TCP session times out. Either way, figure out where you want it.
For other parental controls, they're served OpenDNS servers that are a first line of defense at being kid-safe. No content filters or
anything, just high level DNS blocking.
Thats pretty much it. Siri talks to homebridge over the homekit protocol, homebridge implements the homebridge-ssh module that calls a
shell script on a remote box for enabling and disabling firewall rules.
#!/bin/ash
#runs on OpenWrt. YMMV
STATE=$1
MAC=$2
TABLE=FORWARD
function state {
iptables -nvL $TABLE | grep -q -i $MAC
if [ $? -eq 0 ];
then
echo DISABLED
else
echo ENABLED
fi
}
case $STATE in
ENABLE)
IPTCOMMAND=-D
;;
DISABLE)
IPTCOMMAND=-I
;;
STATE)
state $MAC
exit 0
;;
*)
exit 1
;;
esac
iptables $IPTCOMMAND $TABLE -m mac --mac-source $MAC ! -d 192.168.254.1/24 -j DROP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment