Blocking IP Range

[RMerlin]

First thing: INPUT and OUTPUT tables are for traffic coming to and from the router. In this case, you want to control traffic that passes through the router. So, the correct table to manipulate is the FORWARD table.

Therefore:

iptables -I FORWARD -d ad-g.doubleclick.net -j REJECT

is what you want if your goal is to prevent connecting to these servers.

This isn't a very efficient or reliable way to implement ad blocking however. The more rules you add, the highest impact it will have on your network, since every packet must be checked against every rule in the table. This is where ipset will provide a far more efficient method of implementing blacklisting.

Writing a script that would download a blocklist and generate a proper ipset list would be the ideal. Unfortunately, many blocklists seem to ship in a p2p format, and they require you to pay to get these lists in a more compatible format (cidr format, for example)...

 

[AnthonyArmato]

Thanks. That does work.

How would the blocklist need to be written ? If I had a list of domains could I create one myself ?

 

[RMerlin]

Thanks. That does work.

How would the blocklist need to be written ? If I had a list of domains could I create one myself ?

IP ranges have to be in a CIDR format to be easily pluggable into an ipset list. For example, to block 192.168.1.1 through 192.168.1.254, it would have to be entered as 192.168.1.0/24.

 

[sammyano]

If you want to take it one step forward, the following will force all DNS queries to go through your router (which will in turn go through OpenDNS). That way, a misconfigured client will still have Internet access, just that it will be forced to to through your configured DNS.

iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

Repeat the same for TCP if you wish. I haven't tested it myself, this is just based on Tomato code that I looked at a few weeks ago.

Cleaner than just dropping connection to other DNS servers.

Hello RMerlin,
Is the below code supposed to modify the '--to-destination' with Opendns IP or just matter of using as is -
#!/bin/sh
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -I PREROUTING -t nat -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

 

[RMerlin]

Hello RMerlin,
Is the below code supposed to modify the '--to-destination' with Opendns IP or just matter of using as is -
#!/bin/sh
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -I PREROUTING -t nat -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

That code is obsolete now. Use the built-in DNSFilter instead, you will be able to configure everything through the web interface - much simpler.