Help with URL Filter

daramullally

Hi

I am trying to setup URL Filtering in the Firewall tab (to block Amazon Fire TV firmware updates). I have enabled URL Filter and add the following in the URL filter list:

amzdigitaldownloads (to block http://amzdigitaldownloads.edgesuite.net)
softwareupdates (to block https://www.amazon.com/?tag=snbforums-20)
boards (just testing blocking - www.boards.ie)

But when I go to www.boards.ie as an example it loads the page. I have tried resetting to factory settings and setting up again but still it doesn't seem to block anything.

I am using Merlin build 376.47 on Asus N66U. As a workaround would using dnsmasq work as mentioned in this thread: http://forums.smallnetbuilder.com/showthread.php?t=12736&highlight=URL+filter

Any help would be greatly appreciated. Please note that I am a relative newbie on here.
 
I posted a script that I used to test creation of manual URL/KEYWORD filters

Code:
http://forums.smallnetbuilder.com/showpost.php?p=146582&postcount=6

So invoke the script

Code:
   ./URLString_match www.boards.ie -url

then open www.boards.ie and then issue:

Code:
   ./URLString_match ?

and you should see that there is one packet matched against the filter:



Code:
admin@RT-AC56U:/jffs/scripts# ./URLString_Match.sh ?
(URLString_Match.sh) 17758 Martineau URL and Keyword matching.... [?]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1   335            all  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie
2    1483K 1574M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0

so replace the tracking rule with a reject rule


Code:
   ./URLString_match www.boards.ie -d
./URLString_match www.boards.ie reject -url


and now try to access www.boards.ie

hopefully you will be rejected! and can confirm the matching reject rule


Code:
   ./URLString_match  ?


Code:
admin@RT-AC56U:/jffs/scripts# ./URLString_Match.sh ?
(URLString_Match.sh) 17861 Martineau URL and Keyword matching.... [?]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1   454 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie  reject-with tcp-reset
2    1483K 1574M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0


I set all my filters manually, although in the GUI I have enabled all three filters but have no entries in any of the tables.

I'm not sure if the GUI setting enables the correct loading of the kernel iptables filter modules - probably not?

If the manual rules work, then you can add the same URL filter rule via the GUI, and be able to compare the rules - to ensure that they are identical.

Regards,
 
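Added example, not the URLString_match script linked in the reply above and not part of Asuswrt-Merlin: a small POSIX shell script that reproduces the track-then-reject procedure from that reply. It assumes the router's iptables has the Asus webstr match (--url) plus the stock string and multiport matches; with DRY_RUN=1 it only prints the iptables commands, so it can be read and tested on any host without root.

```shell
#!/bin/sh
# urlfilter.sh - added example (not the thread's URLString_match script).
# Inserts a counter-only "tracking" rule for a URL or keyword at the top of
# FORWARD, lets you read its packet counter, then swaps it for a REJECT rule.
#
# Assumptions: iptables on the router provides the Asus-specific 'webstr'
# match (--url) and the stock 'string' and 'multiport' matches.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Match spec for one filter. 'url' uses webstr on the plaintext HTTP request;
# 'str' scans TCP payload to ports 80/443, so it also catches a hostname sent
# in the clear in a TLS ClientHello (SNI), which HTTP-only webstr never sees.
match_spec() {
    case "$1" in
        url) printf '%s' "-p tcp -m webstr --url $2" ;;
        str) printf '%s' "-p tcp -m multiport --dports 80,443 -m string --string $2 --algo bm" ;;
        *)   echo "match_spec: kind must be url or str" >&2; return 2 ;;
    esac
}

# Target part: 'track' has no -j, so the rule only counts packets; 'reject'
# answers with a TCP RST so the client fails fast instead of hanging on DROP.
target_spec() {
    case "$1" in
        track)  printf '' ;;
        reject) printf '%s' "-j REJECT --reject-with tcp-reset" ;;
        *)      echo "target_spec: action must be track or reject" >&2; return 2 ;;
    esac
}

# add_rule url|str PATTERN track|reject
# Inserted at position 1 so it is evaluated before the RELATED,ESTABLISHED
# accept and before any parental-control jump further down the chain.
add_rule() {
    m=$(match_spec "$1" "$2") || return 2
    t=$(target_spec "$3") || return 2
    run "$IPT" -I FORWARD 1 $m $t
}

# del_rule url|str PATTERN track|reject (the spec must match exactly to delete)
del_rule() {
    m=$(match_spec "$1" "$2") || return 2
    t=$(target_spec "$3") || return 2
    run "$IPT" -D FORWARD $m $t
}

# Only the rows that matter: chain header, column header, URL/keyword rules.
show_rules() {
    "$IPT" -L FORWARD -nv --line-numbers | grep -E '^Chain|^num|WEBSTR|STRING match'
}

# Typical session, as in the reply above:
#   ./urlfilter.sh track  url www.boards.ie    # browse to the site, then:
#   ./urlfilter.sh show                        # pkts > 0 means the match works
#   ./urlfilter.sh del    url www.boards.ie track
#   ./urlfilter.sh reject url www.boards.ie
case "${1:-}" in
    track|reject) add_rule "$2" "$3" "$1" ;;
    del)          del_rule "$2" "$3" "${4:-track}" ;;
    show)         show_rules ;;
    "")           ;;   # no arguments: only define the functions (e.g. when sourced)
    *)            echo "usage: $0 track|reject|del url|str PATTERN | show" >&2; exit 2 ;;
esac
```

Note the caveat this makes visible: the two Amazon URLs in the original post are one http:// and one https:// address, and a webstr --url rule can only ever match the plaintext HTTP one. For the HTTPS host the `str` form matching on the SNI hostname is the closest equivalent on this firmware, and a DNS-level block in dnsmasq (the workaround the poster mentions) is the more robust option for both.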
Hi

Thanks for your help with this. I have tried the above but I can still access www.boards.ie.

Here is the output from ./URLString_match ?

Code:
admin@RT-N66U-A5A8:/jffs/scripts# ./urlstring_match ?
(urlstring_match) 1313 Martineau URL and Keyword matching.... [?]
Checking filter request ARGs
Flushing existing filter(s) for URL/Keyword ?
Inserting filter(s) for URL/Keyword ? for using
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie reject-with tcp-reset
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 TIME on all days STRING match "boards" ALGO name bm TO 65535 reject-with tcp-reset
3        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           TIME from 12:0 to 14:0 on Sat MAC AC:22:0B:69:32:32
4        5   280 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           TIME from 18:0 to 21:0 on Sat MAC AC:22:0B:69:32:32
5        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0           MAC AC:22:0B:69:32:32
6        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           TIME from 12:0 to 14:0 on Sat MAC 28:37:37:C9:DA:FD
7        0     0 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           TIME from 18:0 to 20:0 on Sat MAC 28:37:37:C9:DA:FD
8        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0           MAC 28:37:37:C9:DA:FD
9     2185  119K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
10       0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
11       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
12       0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
13       0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
14       1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
15     652 44120 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

My output seems a lot longer than your example.

Thanks
Dara
 
Try disabling NAT acceleration. 376.47 has a bug where the traffic doesn't get properly marked, so it doesn't bypass CTF as it should.
 
I deliberately truncated the iptables rule list output in my post for the sake of brevity (no point showing lengthy iptables rules that are irrelevant!)

I originally wrote the script to overcome the limitations of the GUI, and my script quickly allows tracking rules to be instantly applied without the overhead where the GUI apparently restarts services.

If you add the following tracking rules, does it show any hits either URL or STRING?

Code:
 ./urlstring_match . -str
 ./urlstring_match . -url

as clearly most URLs contain the '.' character (even if someone sneakily tried to avoid the URL filter by specifying the actual IP address!)

As I said, I recall that way back I was not happy with the GUI, so I don't think the iptables modules are made available by the kernel if you haven't explicitly enabled all 3 filter options, but I always do this and reboot.

All I can suggest is that you also enable all three filters and reboot

Code:
iptables -m webstr --help


EDIT: Just seen this post regarding Parental control:

http://forums.smallnetbuilder.com/showpost.php?p=147952&postcount=25

and this may unfortunately also impact the URL/KEYWORD filtering? Although I suspect this would only be true for GUI-applied filters, since my script adds the tracking rules before the jump to the PC (Parental Control) iptables chain.
 
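Added example, written for this page and not taken from the thread or the firmware: a shell function that reads the output of `iptables -L FORWARD -nv --line-numbers` (the listing Dara posted) and checks the two things the replies turn on, namely whether the URL/keyword REJECT rules sit ahead of any rule that would pass the traffic first (parental-control jumps, the RELATED,ESTABLISHED accept), and whether those rules are counting packets at all while the chain is clearly forwarding traffic. The three sample listings are constructed, modelled on the ones above, with invented MAC addresses.

```shell
#!/bin/sh
# audit_forward.sh - added example (not from the thread or Asuswrt-Merlin).
# Reads 'iptables -L FORWARD -nv --line-numbers' output on stdin and prints
# one verdict. Exit codes: 0 OK, 2 no filter rules, 3 a filter rule sits
# behind a pass-through rule, 4 filters never matched while traffic flowed
# (the shape Dara posted: packets bypassing netfilter via CTF, or HTTPS that
# webstr cannot inspect).
audit_forward() {
    awk '
    /^Chain / || /^num / { next }        # chain header and column header
    NF < 9 { next }                       # not a rule line
    {
        num = $1; pkts = $2; target = $4
        if ($0 ~ /WEBSTR match|STRING match/) {
            nfilter++
            if (pkts == "0") zero++
            if (first_pass != "" && num > first_pass) late++
        } else if (first_pass == "" && (target == "ACCEPT" || target == "PControls")) {
            first_pass = num              # first rule that can let a flow through
        }
        if (target == "ACCEPT" && pkts != "0") forwarded++
    }
    END {
        if (nfilter == 0)                 { print "NO_FILTER_RULES"; exit 2 }
        if (late > 0)                     { print "FILTER_BEHIND_PASS_RULE"; exit 3 }
        if (zero == nfilter && forwarded) { print "FILTER_ZERO_HITS_TRAFFIC_FLOWING"; exit 4 }
        print "OK"
    }'
}

# Constructed samples modelled on the listings in this thread (MACs invented).
# CASE_CTF: filters at the top with 0 pkts while the chain is busy.
CASE_CTF='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie reject-with tcp-reset
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 STRING match "boards" ALGO name bm TO 65535 reject-with tcp-reset
3        5   280 PControls  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           TIME from 18:0 to 21:0 on Sat MAC 02:00:00:00:00:01
4     2185  119K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5      652 44120 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'

# CASE_LATE: the same REJECT appended with -A instead of inserted with -I 1,
# so established flows are accepted before the filter is ever consulted.
CASE_LATE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2185  119K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2      652 44120 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
3        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie reject-with tcp-reset'

# CASE_OK: a working filter, as in Martineau's listing (one packet reset).
CASE_OK='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1   454 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.boards.ie reject-with tcp-reset
2    1483K 1574M ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    live) iptables -L FORWARD -nv --line-numbers | audit_forward ;;
    demo) for c in "$CASE_CTF" "$CASE_LATE" "$CASE_OK"; do printf '%s\n' "$c" | audit_forward; done ;;
    "")   ;;   # no arguments: define the function and samples only
    *)    echo "usage: $0 live|demo" >&2; exit 2 ;;
esac
```

Run `./audit_forward.sh demo` to see the three verdicts, or `./audit_forward.sh live` on the router. A FILTER_ZERO_HITS_TRAFFIC_FLOWING verdict is where RMerlin's advice applies: turn off NAT acceleration in the GUI and reboot (on the shell, `nvram get ctf_disable` reading 1 is assumed here to confirm it is off; that variable name is not shown in the thread), then browse to the site again and re-run the audit. Keep in mind that the https:// URLs from the original post never produce a webstr hit even with CTF off, because webstr only inspects plaintext HTTP.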
It seems to be working now after disabling parental controls and rebooting. I already had enabled the 3 filters. Many thanks Martineau and RMerlin.

I have noticed that web browsing seems a bit slower now. I will investigate further in the morning.

Thanks
Dara
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Back
Top