Block websites for certain IPs

wollyka

Occasional Visitor
Hi
I bought an Asus RT-AC68U and upgraded it to the latest Merlin firmware. I usually set fixed IPs for all my devices for better control.
On my old E4200, I was able to block certain websites (keyword blocking) for certain IPs only on my local network (not only globally like on Asus), e.g. I block youtube for IPs above 192.168.2.210.
Is there a way to do it here? Or by using a script?
Thanks
 
I recall there was a discussion thread: How to stop certain I/Ps from accessing Facebook at certain times by using cron to add/remove rules such as:

NOTE: add required rules from nat-start or firewall-start

Code:
   iptables -I FORWARD 1 -p tcp --dport 443 -s 192.168.1.0/24 -d www.facebook.com -j DROP

or for a single device..

   iptables -I FORWARD 1 -p tcp --dport 443 -s 192.168.1.xxx -d www.facebook.com -j DROP

Perhaps both HTTP and HTTPS should be blocked?

   iptables -A FORWARD -p tcp --match multiport --dports 80,443 -s 192.168.1.xxx -d www.facebook.com -j DROP

Clearly for sites such as Facebook, there are multiple I/P addresses associated with DNS entry www.facebook.com, so it may take a little detective work in order to identify ALL I/P addresses to be blocked.

NOTE: I believe that there is probably a more reliable method by using dnsmasq to complement/replace the need for multiple iptables rules.

P.S. All of the above was useful in previous firmwares and may now be rendered obsolete with current firmwares.


Regards,
 
Hi
Thanks, so if I want to block access to youtube for any local device with IP>192.168.2.210, my script should be like this?

Code:
 iptables -A FORWARD -p tcp --match multiport --dports 80,443 -s 192.168.2.211/24 -d www.youtube.com -j DROP

or like this?

Code:
 iptables -A FORWARD -p tcp --match multiport --dports 80,443 -m iprange --src-range 192.168.2.211-192.168.2.254 -d www.youtube.com -j DROP

I am not too familiar with iptables syntax!
 
Whilst the rule will seem to work (you can check the iptables rule to see how many hits occurred) it is bad form to create a rule with a URL as this won't resolve nor prevent ALL access.

So you would need a script something like this

Code:
# LAN clients the block applies to
SUBNET="192.168.1.0/24"

# Destination networks to block (add another CIDRn for each extra network)
CIDR1="173.252.64.0/18"
CIDR2="31.13.72.0/18"
#CIDR3="31.13.81.97"

# Run with DENY as the first argument to insert the DROP rules
if [ "$1" = "DENY" ]; then

   iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR1" -j DROP
   iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR2" -j DROP
   #iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR3" -j DROP

fi

where you identify ALL of the youtube I/P addresses and can easily add more rules

NOTE: The code snippet above uses 'Facebook' addresses to block.
 
Ok, thanks for the code,
but if I don't want to block access for all the subnet but only for a range of IPs, how do I do that?
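
Added example, not part of any post in this thread: one way to limit the block to a source range instead of the whole subnet, combining the iprange match from the second rule asked about above with destination networks given as CIDRs. The chain name BLOCK_RANGE and the function names are hypothetical; the destination networks are the ones from the script earlier in the thread, which its author notes are Facebook addresses.

```shell
#!/bin/sh
# Added example. A source of 192.168.2.211/24 is masked to 192.168.2.0/24 (the
# whole subnet); the iprange match limits the rule to the listed addresses.
CHAIN="BLOCK_RANGE"   # hypothetical chain name; a dedicated chain keeps re-runs idempotent

# valid_ip A.B.C.D: succeeds only for four dot-separated octets in 0..255
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_rules START-END DEST...: print the iptables commands (dry run)
build_rules() {
    range=$1; shift
    case $range in *-*) ;; *) echo "need START-END: $range" >&2; return 1 ;; esac
    if ! valid_ip "${range%-*}" || ! valid_ip "${range#*-}"; then
        echo "bad source range: $range" >&2; return 1
    fi
    echo "iptables -N $CHAIN 2>/dev/null"      # create the chain if missing
    echo "iptables -F $CHAIN"                  # drop rules from a previous run
    for dest in "$@"; do
        echo "iptables -A $CHAIN -p tcp -m multiport --dports 80,443" \
             "-m iprange --src-range $range -d $dest -j DROP"
    done
    echo "iptables -D FORWARD -j $CHAIN 2>/dev/null"   # remove an old hook
    echo "iptables -I FORWARD 1 -j $CHAIN"             # hook the chain once
}

# Constructed sample values: the source range from the question above and the
# destination networks from the earlier script in this thread.
SRC_RANGE="192.168.2.211-192.168.2.254"
DESTS="173.252.64.0/18 31.13.72.0/18"

if [ "${APPLY:-0}" = 1 ]; then
    build_rules "$SRC_RANGE" $DESTS | sh   # needs root on the router
else
    build_rules "$SRC_RANGE" $DESTS        # default: only show the commands
fi
```

Run it with APPLY=1 from firewall-start to install the rules; without it the commands are only printed for review.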
 