NotMedic · December 2, 2018 02:29
diff --git a/config.json b/config.json
 {
 	"bridge": {
 		"name": "Homebridge",
 		"username": "26:DA:2E:73:48:28",
 		"port": 45525,
 		"pin": "937-19-468"
 	},
 	"description": "Raspberry Pi Zero",
 	"platforms": [{
 		"platform": "config",
 		"name": "Config",
 		"port": 8080,
 		"sudo": false
 	}],
 	"accessories": [{
 			"accessory": "SSH",
 			"name": "Wifes iPad",
 			"on": "/root/pc.sh ENABLE aa:aa:aa:aa:aa:aa",
 			"off": "/root/pc.sh DISABLE aa:aa:aa:aa:aa:aa",
 			"state": "/root/pc.sh STATE aa:aa:aa:aa:aa:aa",
 			"on_value": "ENABLED",
 			"exact_match": true,
 			"ssh": {
 				"user": "root",
 				"host": "1.1.1.1",
 				"port": 22,
 				"password": "your_root_password"
 			}
 		},
 		{
 			"accessory": "SSH",
 			"name": "Tims Laptop",
 			"on": "/root/pc.sh ENABLE bb:bb:bb:bb:bb:bb",
 			"off": "/root/pc.sh DISABLE bb:bb:bb:bb:bb:bb",
 			"state": "/root/pc.sh STATE bb:bb:bb:bb:bb:bb",
 			"on_value": "ENABLED",
 			"exact_match": true,
 			"ssh": {
 				"user": "root",
 				"host": "1.1.1.1",
 				"port": 22,
 				"password": "your_root_password"
 			}
 		}
 	]
 }
diff --git a/Instructions.txt b/Instructions.txt
 This is a pretty simple setup:
  Siri is used to control Homebridge using the HomeKit protocol.  
  Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.  
  There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table. 


 1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
 2. Install homebridge and homebridge-ssh.  You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
  sudo -i npm install -g homebridge --unsafe-perm
  sudo -i npm install -g homebridge-ssh --unsafe-perm
  sudo -i npm install -g --unsafe-perm homebridge-config-ui-x
  
 3. Build a shell script (pc.sh below) that will perform 3 functions: 
  enable a mac address (remove it from the firewall)
  disable a mac address (adds it to the firewall)
  checks the status of the mac address (iptables | grep)

 4. Test the shell script before you get too far so you only have to troubleshoot one thing at a time...

 5. Configure homebridge-ssh (config.json below) to call the shell script over SSH. Yeah, this version logs in as root, but its a first pass.
  The next version will be configured for sudo.
  config.json goes in your current users home directory under .homebridge/config.json
   
 6. Start homebridge. My binary was in:
  /opt/nodejs/bin/homebridge.  
  I opted to use the "-I" flag for insecure which allows modifying the accessories from a web UI on :8080. Totally up to you. 
  
 7. Register your new homekit accessory with the "home" app on IOS.
  Just scan the QR code in your current console.
  
 Notes:
  The name of the device is the "name" in config.json.  For the demo video the name was "Internet on Tim's Laptop" only because I wanted
  the grammer to be correct.  Siri will response with "the" infront of the device name.  
  
  When you start homebridge, make sure it says it found devices and loads them. If it doesn't, you have issues with your json.  Syntax 
  issues can be identified with jsonlint.com, but deeper config issues may be harder to troubleshoot. I was missing [] around the 
  accessories field and it drove me crazy for a while. 
    [2018-12-1 02:35:07] Loaded config.json with 4 accessories and 1 platforms.
    [2018-12-1 02:35:08] Loading 1 platforms...
    [2018-12-1 02:35:09] Loading 4 accessories...
 
  I chose to insert the firewall rule at the top of the FORWARD table so it kills all connections instantly.  If you add it to a zone
  specific forward on OpenWrt, the ESTABLISHED,RELATED rule is still in effect so they can continue browsing the same site, watch 
  youtube videos, etc until the TCP session times out.  Either way, figure out where you want it. 
  
  For other parental controls, they're served OpenDNS servers that are a first line of defense at being kid-safe. No content filters or
  anything, just high level DNS blocking. 
    
 Thats pretty much it. Siri talks to homebridge over the homekit protocol, homebridge implements the homebridge-ssh module that calls a 
 shell script on a remote box for enabling and disabling firewall rules.  

   
  
diff --git a/pc.sh b/pc.sh
 #!/bin/ash
 #runs on OpenWrt. YMMV

 STATE=$1
 MAC=$2
 TABLE=FORWARD

 function state {
        iptables -nvL $TABLE | grep -q -i $MAC
        if [ $? -eq 0 ];
        then
          echo DISABLED
        else
          echo ENABLED
        fi
 }

 case $STATE in
 ENABLE)
  IPTCOMMAND=-D
  ;;
 DISABLE)
  IPTCOMMAND=-I
 ;;
 STATE)
  state $MAC
  exit 0
 ;;
 *)
  exit 1
  ;;
 esac

 iptables $IPTCOMMAND $TABLE -m mac --mac-source $MAC ! -d 192.168.254.1/24 -j DROP
	{
	"bridge": {
	"name": "Homebridge",
	"username": "26:DA:2E:73:48:28",
	"port": 45525,
	"pin": "937-19-468"
	},
	"description": "Raspberry Pi Zero",
	"platforms": [{
	"platform": "config",
	"name": "Config",
	"port": 8080,
	"sudo": false
	}],
	"accessories": [{
	"accessory": "SSH",
	"name": "Wifes iPad",
	"on": "/root/pc.sh ENABLE aa:aa:aa:aa:aa:aa",
	"off": "/root/pc.sh DISABLE aa:aa:aa:aa:aa:aa",
	"state": "/root/pc.sh STATE aa:aa:aa:aa:aa:aa",
	"on_value": "ENABLED",
	"exact_match": true,
	"ssh": {
	"user": "root",
	"host": "1.1.1.1",
	"port": 22,
	"password": "your_root_password"
	}
	},
	{
	"accessory": "SSH",
	"name": "Tims Laptop",
	"on": "/root/pc.sh ENABLE bb:bb:bb:bb:bb:bb",
	"off": "/root/pc.sh DISABLE bb:bb:bb:bb:bb:bb",
	"state": "/root/pc.sh STATE bb:bb:bb:bb:bb:bb",
	"on_value": "ENABLED",
	"exact_match": true,
	"ssh": {
	"user": "root",
	"host": "1.1.1.1",
	"port": 22,
	"password": "your_root_password"
	}
	}
	]
	}
	This is a pretty simple setup:
	Siri is used to control Homebridge using the HomeKit protocol.
	Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.
	There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table.


	1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
	2. Install homebridge and homebridge-ssh. You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
	sudo -i npm install -g homebridge --unsafe-perm
	sudo -i npm install -g homebridge-ssh --unsafe-perm
	sudo -i npm install -g --unsafe-perm homebridge-config-ui-x

	3. Build a shell script (pc.sh below) that will perform 3 functions:
	enable a mac address (remove it from the firewall)
	disable a mac address (adds it to the firewall)
	checks the status of the mac address (iptables \| grep)

	4. Test the shell script before you get too far so you only have to troubleshoot one thing at a time...

	5. Configure homebridge-ssh (config.json below) to call the shell script over SSH. Yeah, this version logs in as root, but its a first pass.
	The next version will be configured for sudo.
	config.json goes in your current users home directory under .homebridge/config.json

	6. Start homebridge. My binary was in:
	/opt/nodejs/bin/homebridge.
	I opted to use the "-I" flag for insecure which allows modifying the accessories from a web UI on :8080. Totally up to you.

	7. Register your new homekit accessory with the "home" app on IOS.
	Just scan the QR code in your current console.

	Notes:
	The name of the device is the "name" in config.json. For the demo video the name was "Internet on Tim's Laptop" only because I wanted
	the grammer to be correct. Siri will response with "the" infront of the device name.

	When you start homebridge, make sure it says it found devices and loads them. If it doesn't, you have issues with your json. Syntax
	issues can be identified with jsonlint.com, but deeper config issues may be harder to troubleshoot. I was missing [] around the
	accessories field and it drove me crazy for a while.
	[2018-12-1 02:35:07] Loaded config.json with 4 accessories and 1 platforms.
	[2018-12-1 02:35:08] Loading 1 platforms...
	[2018-12-1 02:35:09] Loading 4 accessories...

	I chose to insert the firewall rule at the top of the FORWARD table so it kills all connections instantly. If you add it to a zone
	specific forward on OpenWrt, the ESTABLISHED,RELATED rule is still in effect so they can continue browsing the same site, watch
	youtube videos, etc until the TCP session times out. Either way, figure out where you want it.

	For other parental controls, they're served OpenDNS servers that are a first line of defense at being kid-safe. No content filters or
	anything, just high level DNS blocking.

	Thats pretty much it. Siri talks to homebridge over the homekit protocol, homebridge implements the homebridge-ssh module that calls a
	shell script on a remote box for enabling and disabling firewall rules.
	#!/bin/ash
	#runs on OpenWrt. YMMV

	STATE=$1
	MAC=$2
	TABLE=FORWARD

	function state {
	iptables -nvL $TABLE \| grep -q -i $MAC
	if [ $? -eq 0 ];
	then
	echo DISABLED
	else
	echo ENABLED
	fi
	}

	case $STATE in
	ENABLE)
	IPTCOMMAND=-D
	;;
	DISABLE)
	IPTCOMMAND=-I
	;;
	STATE)
	state $MAC
	exit 0
	;;
	*)
	exit 1
	;;
	esac

	iptables $IPTCOMMAND $TABLE -m mac --mac-source $MAC ! -d 192.168.254.1/24 -j DROP