Block most websites for some PCs???

Milkman

Occasional Visitor
Here is what I want.

I have 5 PCs that I want to have complete unrestricted access to the internet (whitelisted).
I have 5 PCs that I want to have no access to the internet except for about 10 different sites (and I want them to have LAN access).

Is there any way to do this with the Merlin build??? DD-WRT seems to support it via script commands, but I can't get them to work right.
 
This method would come close: have your router set to use OpenDNS, and use the DNS-O-Matic setup in the Asus admin to update DNS-O-Matic. Configure OpenDNS from their website to block the categories of websites you don't want (you can block a good chunk of the net using their predefined categories), and you can specify an additional 20 or so individual domains you want to block, if needed.

Then on the 5 whitelist machines, in their local machine IP config, manually set another DNS (like Google's 8.8.8.8) instead of picking it up from your router.

Another way would be to make a hosts file on the local machines to do your blocking.

I'm sure others more knowledgeable might be able to suggest methods that come closer to your goal of limiting down to X websites for your restricted machines though.

HTH
 
I guess there is still an unanswered question. Are you trying to keep the machines from connecting to other sites, or are you trying to keep the people from connecting to other sites?
 
Trying to prevent people from accessing any sites except mission critical things.
 
Blocking

If the individuals that you want to block/limit access to Internet sites have administrative privileges on their machines, then most schemes to block sites can easily be bypassed by manually assigning another IP and/or MAC address to their machine.

IMHO the best approach is to set up two separate networks using two separate routers. Each network would then have absolute rules for all users on allowed and blocked sites, so spoofing IPs and MAC addresses won't bypass the rules.

If you decide to go this route you will have to set up rules to allow sharing of network resources between the two separate networks. You can research what is needed to do this by searching this forum.
 
So I could do that, but I gotta say, I don't like it.

Let me ask you this, if I was to do it your way, where can I find the information on configuring the router running Merlin's software to block everyone on that network from being able to access anything but 5 or 10 sites?
 
Yeah make a bunch of iptables rules that only allow outgoing connections to certain websites.

Should be pretty easy to do.
 
Should be easy if I understood iptables better. I tried this but it didn't seem to work. I have this set up under DD-WRT, but would much rather use Merlin. That said:
  • Is there a way to do this under Merlin's code?
  • If so how?
  • Also, can you help me with the code?
Here is the code I have that didn't seem to work:

Code:
# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt Machine MAC
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d www.google.com -j ACCEPT
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
 
Bumping this since I am desperate.

It's kind of a difficult setup you're proposing, especially out of consumer hardware and relying on others to write code/scripts for you.

Also, whitelisting is very difficult: pick a site you want to whitelist, go to it, and check your router's active connections (or view page source in the browser). The average page might draw content, cookies, and other elements from 10-20 sites (cnet.com, for example, uses 15-20 different sites on its homepage, some of which can be blocked and it'll still work, some cannot).

You haven't explained the exact context of where these PCs are and who's using them, but sometimes doing something as simple as making user accounts on the computer w/ passwords at login & screensaver can be enough to have a user change their behavior because they believe their activity is being logged/monitored more strictly.

Also computer usage habits in the workplace tend to anecdotally be correlated to things like paying people based on output and not hourly or installing a surveillance camera (working or not).

Just throwing some stuff out there since you seem to have your heart set on having an easy switch to flip in a firmware, but it's probably not.

Like I mentioned up above, OpenDNS and perhaps some local user policies could get you quite close, is free, and would be way easier to maintain than having to adjust iptables when suddenly a new site needs to be added or an old one breaks, and you could have it running in less than an hour.

Not saying it's the best solution, but there may not be a perfect one out there.
 
I totally know that it isn't going to be a simple switch. As you can see, I proposed some iptables rules that I tried in DD-WRT and they didn't work. I am definitely aware that this is going to be harder than flipping a switch, but I am just looking for someone to give me a good start (like with the iptables rules), and then I can take it from there.

I am also aware of the content from external websites to the ones that I will be authorizing and I will be adding those as exceptions once I can establish the base rules.

Unfortunately the OpenDNS idea wouldn't solve all of the problems that my customer is having.
 
Have you looked at appliances like Sophos UTM, Untangle, Smoothwall, etc? I've superficially scanned the feature list on them and they seem to be geared towards finer control over firewall/access.
 
Thanks for your help... Unfortunately the customer has a timeline and those solutions won't meet it.

I am positive I can do it with this equipment, I just need help with the iptables rules. Will try other avenues.

Again, thanks for the help.
 
The sane way to do something like what you are looking for would be by using a web proxy on your LAN. Something like Squid might do, but be prepared for a good amount of researching. Plus you might need a computer dedicated to running Squid, for performance reasons.

Those home routers aren't designed for that kind of network control, not in any simple and manageable way.
 
Sorry I was unable to come up with a feasible solution, I'm sure you'll figure it out though, and when you do please share back with group. I'd love to learn what you discover.

Good luck!
 
Just an idea,

what about VLANs?

VLANs are not easy to set up under this firmware,
but
create a VLAN with full internet access, which your 5 whitelist PCs will access,
create a separate VLAN with LAN access only.

The problem is I don't know how to only let that VLAN have internet access for specific sites.
 
I had a similar idea, and had the similar problem. lol
 
I want to post my final DD-WRT settings for anyone that may read this thread later.

Since MAC-based rules don't seem to work on this code, DD-WRT v24-sp2 (05/27/13) mini (SVN revision 21676), I had to use IP-based exceptions to make it work the way I want. So that said, I gave the machines that I wanted to exempt static DHCP-assigned IP addresses.

Here is the code that I used:

Code:
# IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588 (DD-WRT Forum :: View topic - White List)
# Version 1.1 for older chipsets and/or experimental firmware builds. Please freeze this version. GeeTek.
# URL for this Wiki Page: http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing (Blocking URLs/IPs - DD-WRT Wiki)

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt Machine IP
#iptables -I wanout -s 192.168.1.2 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d site1allowed.com -j ACCEPT
iptables -I wanout -d site2allowed.com -j ACCEPT
iptables -I wanout -d site3allowed.com -j ACCEPT
iptables -I wanout -d site4allowed.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
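As an added example (my own script, not the one posted in this thread and not part of DD-WRT or Asuswrt-Merlin), here is the same whitelist chain built the way the comment in the script above warns about: iptables freezes in the single address a hostname resolves to at insert time, so this version resolves every A record of each allowed domain and adds one rule per address, exempting the unrestricted PCs by IP as the final post does. The interface name, the exempt addresses and the domain names are constructed placeholders, the nslookup output parsing is an assumption about the BusyBox and bind output layouts, and the /jffs/scripts/firewall-start location is the Asuswrt-Merlin user-script hook.

```shell
#!/bin/sh
# Added example, not the thread's script: build a "wanout" whitelist chain,
# resolving every A record of each allowed domain instead of the one address
# iptables picks when it is handed a hostname.
# Constructed placeholders: LAN_IF, EXEMPT_IPS, ALLOWED_DOMAINS.
# On Asuswrt-Merlin the natural place to call this is /jffs/scripts/firewall-start.

LAN_IF="${LAN_IF:-br0}"                               # constructed default
EXEMPT_IPS="192.168.1.2 192.168.1.3"                  # constructed: unrestricted PCs (static DHCP leases)
ALLOWED_DOMAINS="site1allowed.com site2allowed.com"   # placeholders, as in the thread

# Pull IPv4 addresses out of nslookup output, skipping the "Address" line that
# describes the DNS server itself (everything before the first "Name:" line).
# Assumed layouts: BusyBox "Address 1: x.x.x.x name" and bind "Address: x.x.x.x".
parse_nslookup() {
    awk '/^Name:/ { found = 1; next }
         found && /^Address/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break }
         }' | sort -u
}

# Resolve a hostname to all of its IPv4 addresses, one per line.
resolve_host() {
    nslookup "$1" 2>/dev/null | parse_nslookup
}

# Print the iptables commands. The jump from FORWARD is removed first and
# re-inserted last, so the chain is never live while half-populated.
# Rules are appended in order: exemptions, allowed destinations, catch-all REJECT.
gen_rules() {
    echo "iptables -N wanout 2>/dev/null"
    echo "iptables -D FORWARD -i $LAN_IF -j wanout 2>/dev/null"
    echo "iptables -F wanout"
    for ip in $EXEMPT_IPS; do
        echo "iptables -A wanout -s $ip -j ACCEPT"
    done
    for domain in $ALLOWED_DOMAINS; do
        for ip in $(resolve_host "$domain"); do
            echo "iptables -A wanout -d $ip -j ACCEPT   # $domain"
        done
    done
    echo "iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable"
    echo "iptables -I FORWARD -i $LAN_IF -j wanout"
}

case "${1:-}" in
    --print) gen_rules ;;          # review the generated rules first
    --apply) gen_rules | sh ;;     # then load them
    *) echo "usage: $0 --print | --apply" >&2 ;;
esac
```

Two things worth knowing when using a chain like this. Traffic between machines on the same bridged LAN (br0) is switched and does not pass through FORWARD, so the restricted PCs keep their LAN access without any extra rule; likewise DNS queries to the router itself go through INPUT, so names still resolve on the restricted PCs even though connections to the resolved addresses are rejected. Because sites hosted on CDNs change addresses, run the script again from cron rather than once at boot, and expect to add the third-party hosts a page pulls in, as noted earlier in the thread.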