Can I block all internet access except for one site?

[eastavin]

I have been asked if I can block internet access for only ONE client of many but allow it to access one or two specific URLs any time. Having looked through the menus on the firmware here I dont see how the exception could be made possible. This device would be on a wired connection only. All Lan to Lan traffic continues to be allowed. Am running 384.5 on rt-ac68u. Any suggestions appreciated!

 

[coxhaus]

The way you would do this on a Cisco device is with ACLs. You would deny all internet traffic. You need to resolve the IPs for the URLs. Then setup an ACL to allow the URL's IPs. His access needs to be defined to an IP address which can be denied maybe using DHCP. This will not stop outside cell access just the local network.

 

[ColinTaylor]

There isn't really a way of doing that in the GUI. Network Services Filter and Parental Control come close but aren't versatile enough to allow exceptions for specific URL's. You might be able to do it with custom scripts if the destination IP addresses never change.

 

[Martineau]

I have been asked if I can block internet access for only ONE client of many but allow it to access one or two specific URLs any time.

Old-skool:

iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-my-WAN-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -d www.1stURLOK.com -j ACCEPT -m comment --comment Allow-my-URL-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -d www.2ndURLOK.com -j ACCEPT -m comment --comment Allow-my-URL-ACCESS
etc.

The GUI 'URL Filter' tab attempts to use the fact that without DNS working, then the URL will be unavailable, except of course there is nothing to stop the user entering the nslookup IP address directly into the web browser!

So you will need to store all of the URLs IP addresses in an IPSET, then only two rules are required:

iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-my-WAN-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -m set -m set --match-set Allowed_URL dst -j ACCEPT -m comment --comment Allow-my-URL-WAN-ACCESS

You can (in most cases) extract the IPs for a URL domain either manually from the nslookup command or let dnsmasq automatically populate the IPSET by adding the appropriate URLs to the 'IPSET=' directive in dnsmasq.conf.add

NOTE: https://URLs may not be blocked etc. as per the caveats listed on the GUI URL filter page.

Spoiler: Crude script showing non-IPSET rules and why it can/does fail!

#!/bin/sh
VER="vDemo"
#======================================================================================== © 2018 Martineau, vDemo

Get_FirmwareVersion() {
    # Assume VVV.nn such as 380.68 but ensure 382.1 is returned as 38201
    local FIRMWARE=$(echo $(nvram get buildno) | awk 'BEGIN { FS = "." } {printf("%03d%02d",$1,$2)}')
    echo $FIRMWARE
}
ANSIColours () {
    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    cRED_="\e[41m";cGRE_="\e[42m"
}
CHAIN_exists() {
    # Args: {FCHAIN_name} [table_name]
    local FCHAIN="$1"
    shift
    [ $# -eq 1 ] && local TABLE="-t $1"
    iptables $TABLE -n -L $FCHAIN >/dev/null 2>&1
    local RC=$?
    if [ $RC -eq 1 ];then
        echo "N"
        return 1
    else
        echo "Y"
        return 0
    fi
}
Firewall(){
    iptables $@ 2>/dev/null         # Suppress error messages
    local FIREWALL_ERROR=$?
    if [ "$FIREWALL_ERROR" -gt 0 ];then             # Report error for "-I" insert and '-A' append actions
        if [ "$1" == "-I" ] || [ "$1" == "-A" ];then
            # Hack using I/O to file!
            iptables $@ 2>/tmp/iptables.error$$; echo -e $cBRED"\t" $(grep "" -m1 /tmp/iptables.error$$);rm /tmp/iptables.error$$       # Hack using I/O to file!
            echo -e "\t\t==> $@"
            return 1
        fi
    fi
    return 0
}

#======================================Main============================================

ANSIColours
FIRMWARE=$(Get_FirmwareVersion)

modprobe xt_comment

RESTRICT_LIST="10.88.8.114"                             # <<=== LAN IPs to be restricted to certain URLs
DOMAIN_LIST="google msn ibm"                            # <<=== Restricted 'keyword'/domains (assumed www.xxx.com)

FCHAIN="myURL"
ICHAIN="myDNS"
VERBOSE=
if [ ! -z "$(echo $@ | grep -ow "status")" ];then
    VERBOSE="n"
fi

for IP in $RESTRICT_LIST
    do
        case $1 in
            off)
                ACTION="-D";;
            on)
                ACTION="-I"
                if [ "$(CHAIN_exists "$FCHAIN")" == "N" ];then
                    iptables -N $FCHAIN
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-WAN-ACCESS
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j REJECT --reject-with tcp-reset  -p tcp -m comment --comment Block-WAN-ACCESS-TCP
                else
                    iptables -F $FCHAIN  2> /dev/null
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-WAN-ACCESS
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j REJECT --reject-with tcp-reset  -p tcp -m comment --comment Block-WAN-ACCESS-TCP
                fi
                if [ "$(CHAIN_exists "$ICHAIN")" == "N" ];then
                    iptables -N $ICHAIN
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -j DROP -m comment --comment Block-DNS-ACCESS
                else
                    iptables -F $ICHAIN  2> /dev/null
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -j DROP -m comment --comment Block-DNS-ACCESS
                fi
                ;;
            *)
            echo -e $cBMAG
            iptables -"${VERBOSE}"vL INPUT   --line -t filter | grep -E "Chain INPUT|^num|\/"
            echo -e
            iptables -"${VERBOSE}"vL FORWARD --line -t filter | grep -E "Chain FORWARD|^num|\/"
            echo -e
            iptables -"${VERBOSE}"vL $ICHAIN --line -t filter 2>/dev/null
            echo -e
            iptables -"${VERBOSE}"vL $FCHAIN --line -t filter 2>/dev/null
            echo -e $cRESET
            exit 0
            ;;
        esac

        Firewall $ACTION INPUT -i br0 -s $IP -p udp -m udp --dport 53 -j $ICHAIN -m comment --comment DNS-filtering
        Firewall $ACTION FORWARD -i br0 -s $IP -o $(nvram get wan0_ifname) -j $FCHAIN -m comment --comment URL-filtering

        # For the custom chains, simply wipe them if it's a 'off' (delete) request
        if [ "$ACTION" == "-I" ];then
            for STRING in $DOMAIN_LIST
                do
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j ACCEPT -m comment --comment $STRING
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m webstr  --content "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment $STRING
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m webstr  --content "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    LEN=${#STRING}
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m string --hex-string "\|03\|www\|$LEN\|$STRING\|03\|com" --algo bm --to 65535 -j LOG
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -d www.${STRING}.com -j ACCEPT -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname)  -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                    Firewall $ACTION $FCHAIN -i br0        -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname)  -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                done
        else
            if [ "$(CHAIN_exists "$ICHAIN")" == "Y" ] || [ "$(CHAIN_exists "$FCHAIN")" == "Y" ];then
                iptables -F $ICHAIN 2>/dev/null
                iptables -X $ICHAIN 2>/dev/null
                iptables -F $FCHAIN 2>/dev/null
                iptables -X $FCHAIN 2>/dev/null
            fi
        fi
    done

# Status....
if [ "$1" != "on" ];then
    echo -e $cBMAG
else
    echo -e $cBGRE
fi
iptables -${VERBOSE}vL INPUT   --line -t filter | grep -E "Chain INPUT|\$FCHAIN|^num|\/"
echo -e
iptables -${VERBOSE}vL FORWARD --line -t filter | grep -E "Chain FORWARD|$FCHAIN\/|^num|\/"
if [ "$1" == "off" ];then
    echo -en $cRED                  # Just in case the custom tables haven't been deleted correctly
else
    echo -en $cBGRE
fi
iptables -${VERBOSE}vL $ICHAIN --line -t filter 2>/dev/null
echo -e
iptables -${VERBOSE}vL $FCHAIN --line -t filter 2>/dev/null
echo -e $cRESET


exit 0

Sadly you may need to deploy a proxy to meet your requirements

 

[eastavin]

Old-skool: ...

Wow. Thank you so much for thinking about this. I will look it over. My first feeling is the old skool idea should work ok here