White List

DD-WRT Forum Index -> Broadcom SoC based Hardware
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

Posted: Sat Aug 15, 2009 21:51    Post subject: White List
I just had another customer request for a functional white list. I found some iptables firewall rules from another website that looked like they should work. I have applied these commands to my firewall script and rebooted, but all websites remain available with no restriction.

My test setup - WHR-G54S - Brainslayer Micro Generic 8-13-09.

Firewall script...

# Allow everyone access to these sites
iptables -A wanout -i `nvram get lan_ifname` -d www.google.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -d www.yahoo.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -d www.dd-wrt.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -i `nvram get lan_ifname` -j DROP
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Sun Aug 16, 2009 3:35    Post subject:
Did you create the wanout chain? Another thing to note is that many sites use DNS load balancing but the iptables rule will only allow one of the site's IP addresses, whichever is returned by DNS when the rule is created. Another way to do it would be to block all DNS and set the resolutions manually with dnsmasq options or the hosts file.

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Allow everyone access to these sites
iptables -I wanout -d www.google.com -j ACCEPT
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -i `nvram get lan_ifname` -j DROP

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
TechNick
DD-WRT Novice


Joined: 16 Aug 2009
Posts: 7

Posted: Sun Aug 16, 2009 6:19    Post subject:
Can this sort of thing be done for a specific MAC?

Of the 8 computers in my home ... I have 1 that I want to deny access to the Internet, but still allow it to get to certain sites (to allow anti-virus to auto-update, get other updates, blah blah) and also still have full access to the other computers in my home.

Can that be done?
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Sun Aug 16, 2009 17:21    Post subject:
Yes TechNick, it can be done for a specific MAC address or it can be done for specific IP addresses. It will just require using different options.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

Posted: Sun Aug 16, 2009 18:54    Post subject:
phuzi0n wrote:

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

Thanks phuzi0n! That was the missing majick. The script now has basic functionality, but as you said, there is a problem with sites that use multiple addresses. For my application this may not be a problem, since it works fine on basic websites. I'll need to get a list of sites from my customer to see what they are going to be using. I don't think this will be a problem since general web-browsing is what the management wants to restrict.

Here is what is working for me now (comment lines removed)...

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
iptables -I wanout -d www.google.com -j ACCEPT
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -j DROP


TechNick wrote:
Can this sort of thing be done for a specific MAC?

Of the 8 computers in my home ... I have 1 that I want to deny access to the Internet...


The original script that I was working with had rules that were supposed to exempt specific MAC addresses from the filtering. That original script set did not work at all, nor was I able to successfully incorporate the exemption MAC rules into the new rule set. Here is what I had started with that was non-functional...

# Allow these hosts unrestricted access
iptables -A wanout -i `nvram get lan_ifname` -m mac --mac-source <allowed MAC #1> -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -m mac --mac-source <allowed MAC #2> -j ACCEPT

# Allow everyone access to these sites
iptables -A wanout -i `nvram get lan_ifname` -d www.abcd.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -d www.dcba.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -i `nvram get lan_ifname` -j DROP
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Sun Aug 16, 2009 19:02    Post subject:
insmod ipt_mac

iptables -I wanout -m mac --mac-source <allowed MAC #1> -j ACCEPT

GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

Posted: Sun Aug 16, 2009 19:19    Post subject:
phuzi0n wrote:
insmod ipt_mac

iptables -I wanout -m mac --mac-source <allowed MAC #1> -j ACCEPT

Success! Thanks again. I did not know if "insmod ipt_mac" was a command to include. I tried it without, and it works great. There are no "chicken lips" around the MAC address.

My desktop PC is unrestricted, laptop is restricted. This is working...

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT
iptables -I wanout -d www.google.com -j ACCEPT
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -j DROP
TechNick
DD-WRT Novice


Joined: 16 Aug 2009
Posts: 7

Posted: Sun Aug 16, 2009 23:53    Post subject:
Nice.

Since that method requires the unrestricted units to be specified, can it be tweaked to do the reverse? (restricted units are specified, all others are unrestricted) If so would that look similar to this (using same site list as an example)?

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
iptables -I wanout -d www.google.com -j ACCEPT
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT
iptables -I wanout -m mac --mac-source 00:08:02:35:97:5F -j DROP

I am frequently working on other people's POS systems (usually de-worming and pulling neglected updates ... they pay me to do this) and I really don't want to be updating my scripts each time I connect a previously unknown system, so only having to specify the ones to restrict is desirable.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Mon Aug 17, 2009 0:08    Post subject:
Yeah those rules look fine.
TechNick
DD-WRT Novice


Joined: 16 Aug 2009
Posts: 7

Posted: Mon Aug 17, 2009 1:04    Post subject:
Dang. Just tried that and for the machine it's set to DROP ... it dropped everything (no connect to the allowed sites at all). Hmmm...
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Mon Aug 17, 2009 3:38    Post subject:
Change that rule to -A, not -I.
TechNick
DD-WRT Novice


Joined: 16 Aug 2009
Posts: 7

Posted: Mon Aug 17, 2009 4:30    Post subject:
Excellent! That works! (me happy)

Next question ... can wildcards be used in the allowed site specifications?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Mon Aug 17, 2009 5:37    Post subject:
No, see my first reply to this thread. The domain name you enter gets resolved to an IP address one time when the rule is created.
TechNick
DD-WRT Novice


Joined: 16 Aug 2009
Posts: 7

Posted: Mon Aug 17, 2009 6:42    Post subject:
OK, I see that now. Thanks.

After digging around with my anti-virus, I've pinned down several common IPs used by their update servers and the following is working well (for now) and keeps the one system off the Internet but gets the anti-virus updates.

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
iptables -I wanout -d 62.146.66.178 -j ACCEPT
iptables -I wanout -d 62.146.66.179 -j ACCEPT
iptables -I wanout -d 62.146.66.183 -j ACCEPT
iptables -I wanout -d 62.146.66.184 -j ACCEPT
iptables -I wanout -d 62.146.66.189 -j ACCEPT
iptables -I wanout -d 80.190.143.227 -j ACCEPT
iptables -I wanout -d 80.190.143.231 -j ACCEPT
iptables -I wanout -d 80.190.143.236 -j ACCEPT
iptables -I wanout -d 80.190.143.239 -j ACCEPT
iptables -I wanout -d 80.190.143.230 -j ACCEPT
iptables -A wanout -m mac --mac-source 00:08:02:35:97:5F -j DROP

Yeah, I kept the "wanout" variable name. Couldn't think of anything better for now.
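The two lessons of this thread (phuzi0n's point that "-d name" resolves to a single address when the rule is created, and the -I versus -A ordering problem TechNick hit) as one added example, not code from any poster: a script that prints the wanout chain with -A throughout, expands each hostname to every address a lookup returns, and supports both the "exempt a few MACs" mode and the "confine a few MACs" mode. The LAN interface br0, the MAC addresses, the hostnames and the lookup table are constructed for the example; on a router the lookup would be a real DNS query.

```shell
#!/bin/sh
# Added example (not from the thread): prints the wanout chain in the order the
# thread settled on, using -A for every rule so the script reads top to bottom.
# (A "-I ... -j DROP" placed last in the script lands FIRST in the chain and
# blocks everything, which is what happened to TechNick.)
# Hostnames are expanded to every address the lookup returns, because
# "iptables -d name" resolves the name only once, at rule-creation time.
LAN_IF=${LAN_IF:-br0}   # assumed; DD-WRT would use $(nvram get lan_ifname)

# Constructed lookup table standing in for DNS so the example runs offline.
# On the router this would query DNS and collect all A records for the name.
lookup() {
  case "$1" in
    www.example.com)    echo "192.0.2.10 192.0.2.11" ;;  # load-balanced name
    update.example.net) echo "198.51.100.7" ;;
    *)                  echo "$1" ;;                      # already an IP literal
  esac
}

# build_rules EXEMPT_MACS ALLOWED_DESTS RESTRICTED_MACS
#   EXEMPT_MACS      hosts that bypass the filter entirely (GeeTek's desktop)
#   ALLOWED_DESTS    hostnames or IPs everyone may reach (update servers)
#   RESTRICTED_MACS  hosts confined to ALLOWED_DESTS (TechNick's reverse mode);
#                    empty means everyone not exempt is confined (GeeTek's mode)
build_rules() {
  exempt=$1; dests=$2; restricted=$3
  echo "iptables -N wanout 2>/dev/null"          # tolerate an existing chain
  echo "iptables -F wanout"                      # start from an empty chain on re-run
  echo "iptables -I FORWARD -i $LAN_IF -j wanout"
  for mac in $exempt; do
    echo "iptables -A wanout -m mac --mac-source $mac -j ACCEPT"
  done
  for host in $dests; do
    for ip in $(lookup "$host"); do
      echo "iptables -A wanout -d $ip -j ACCEPT"   # one rule per resolved address
    done
  done
  if [ -n "$restricted" ]; then
    for mac in $restricted; do
      echo "iptables -A wanout -m mac --mac-source $mac -j DROP"
    done
  else
    echo "iptables -A wanout -j DROP"            # everyone not exempt is blocked
  fi
}

# Constructed MACs from the locally administered range, for this example only.
build_rules "02:00:00:00:00:01" "www.example.com update.example.net" "02:00:00:00:00:02"
```

Pipe the output to sh on the router or paste it into the firewall script. Queries to the router's own dnsmasq traverse INPUT rather than FORWARD, so name resolution keeps working under this chain; a client pointed at an outside resolver would have its DNS dropped along with everything else.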
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

Posted: Thu Aug 20, 2009 19:18    Post subject:
Another problem that I hope we can solve. Many sites that have external links do not finish loading. The DD-WRT site only loads the blue header and then stops. Is this because the web server is waiting for an ACK before sending the rest of the page?

I have a D-Link with white listing. With it the pages completely load, but with the external content stripped out.
All times are GMT