Is there any way to block certain URLs for certain MAC addresses? (YES - solved)

[Scobie]

I just got a new Asus router and I installed Merlin and Diversion and so far it's looking amazing, big props to the developers.

Anyway, stock Asus only has firewall blocking for every device, and parental controls blocks too many sites.
How do I block URLs for certain MAC addresses? In practice I wanna URL block youtube and twitch on my phone.

- EDIT - SOLUTION:
Log in to your router via SSH and type the following commands,
replacing youtube with the site you wanna block, de:ad:de:ad:de:ad with your MAC address and possibly 192.168.1.1 if your router uses a different IP.

iptables -I FORWARD -p tcp -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url youtube -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP

Only tcp blocking (the first command) works for some sites, but other sites like youtube uses udp as a backup if tcp doesn't work.

 

[Linux_Chemist]

Others might suggest a solution using builtin stuff, however I know how I would tackle this problem. See what you think

First up, the device in question (your phone) needs to get a specific IP address on the LAN. It can't be a randomly assigned one via DHCP from the router. You'll need to go to the LAN/DHCP manual assignment settings and make sure your device (given by its MAC address) is assigned one specific address. e.g. 192.168.1.10. When it's set to be this, disconnect and reconnect to your local SSID/Network and make sure it's got this number.

Next, you'll need to make use of whatever DNS server you have running on the router, whether this is unbound or dnsmasq or otherwise.

If it's unbound, you'll want these entries in a blocklist

local-zone: "youtube.com" always_nxdomain
local-zone: "twitch.tv" always_nxdomain

If it's dnsmasq, you'll want these entries in a blocklist/hosts file:

0.0.0.0 youtube.com
0.0.0.0 twitch.tv

And so what I would do is: have every device on your network (pcs, laptops, tablets and so on) all use a fast public DNS server (1.1.1.1 or 8.8.8.8 etc), OR their own instance of unbound for example, and make your phone's DNS connections be forced to use the router's server (so don't use the router's DNS if you don't want youtube and twitch blocked).

Caveat: I don't know off the top of my head if Windows or other devices will let you punch in a specific DNS server to use on your connection without also setting up a) that device's ip b) the router's default ip b) the subnet mask as well - so at worst, you might have to set up specific IPs for every device at home. That's not a bad thing however, as it prevents situations where two devices may compete for the same address. It's handy to have a list of everything that wants to connect and number them, then assign them that number so you know for maintanance and if you should check your logs.

To set up a DNS redirect for your phone, we could add the firewall rules:

iptables -t nat -A PREROUTING -s PHONE'S_IP -p udp -m udp --dport 53 -j DNAT --to ROUTER'S_IP
iptables -t nat -A PREROUTING -s PHONE'S_IP -p tcp -m tcp --dport 53 -j DNAT --to ROUTER'S_IP

Notes: This redirects any udp or tcp (dns can use tcp sometimes) going on port 53 (DNS requests) to the router's dns server port instead. ROUTER'S_IP you'll need to enter - this is the IP you can use to access your router's settings and is the default route for your local network.
Also, replace PHONE'S_IP with the IP you've assigned for only your phone.

Any device on the network apart from your phone will be able to access sites as normal, however your phone will try to lookup sites from the router's DNS server and if it finds youtube or twitch, the connection is dropped. This dropping is specific to the IP address you've chosen for this rule. Note that this firewall rule will not survive a reboot so it should go somewhere sensible (perhaps /jffs/firewall-start but you'll have to start it yourself. To check if the rule exists already, do iptables -t nat -S which will show rules for the nat table of your firewall (there are several tables - filter (default); nat (what we're using for this redirection); mangle and raw.)

 

[Scobie]

Thanks for the detailed reply!

The only problem I see with this though is that if I want to block something different on another device, it won't work.
For example if I only want to block youtube on my computer but not twitch.

I will probably use this however if I cannot find another method.

 

[Linux_Chemist]

On your computer, things become much easier because you will have easy access to your system's internals.
So long as you have access to (in the case of the default, dnsmasq) the hosts file, you can simply add the

0.0.0.0 youtube.com

entry etc. to block whatever you want.
Your devices will consult the hosts file before they check the DNS server you've told them.

Unbound goes one step further and means you can run your own resolving DNS server on your pc yourself (highly recommend that as an aside).

The reason why I suggested the long-winded method above is because it can be extremely irritating to get at these files on a phone and may require warranty-voiding procedures (I've not had occasion to do this as I don't have a smartphone - I think you do need to root them to access this.) because they're so locked down (yay phones!). Setting up a hosts file blocklist on your phone alone would meet the task, but you'd have to do some serious digging and I wouldn't be surprised if a future update just bypassed it.
A big thing now is phones switching to DNS over TLS and therefore regardless of what you've set for DNS server to use, if enabled, it contacts cloudflare or google dns servers anyway. I've seen traffic pinging them (icmp) to determine if the device is still in a specific country for example, so if devices decide to send a request to the server for an address in spite of your settings, it's a bit of a kick - you'd have to make sure to block them on that device's firewall if you can't disable DoT, and that's more work lol

If you like, there are some shortcuts in asus's software on the router I was thinking about last night - you can set a certain device's dns server to use in a table that saves you entering firewall rules and it will survive a reboot, it effectively adds the intercept rules permanently and perhaps more easily lol However, you'd still need to have the router do one set of blocking and everyone else manage themselves.

EDIT: Forum posting woes For some reason, it won't let me post the folder location where you can find your hosts file on linux/windows.

 

[Martineau]

Thanks for the detailed reply!

The only problem I see with this though is that if I want to block something different on another device, it won't work.
For example if I only want to block youtube on my computer but not twitch.

I will probably use this however if I cannot find another method.

Old-skool method: Create a firewall DROP rule for each MAC/Domain pair

e.g. Prevent MAC 'de:ad:de:ad:de:ad' from accessing 'twitch.tv'

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -d twitch.tv -j DROP

and the resulting firewall outbound blocking rules.....

iptables  --line -t filter -nvL FORWARD 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    1695K 1020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     136K   13M MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3     136K   13M MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
4    33844 1817K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
5        3   132 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
<snip>
17       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.194.167      MAC DE:AD:DE:AD:DE:AD
18       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.2.167        MAC DE:AD:DE:AD:DE:AD
19       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.66.167       MAC DE:AD:DE:AD:DE:AD
20       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.130.167      MAC DE:AD:DE:AD:DE:AD

Unfortunately the 4 auto-created DROP rules (17 to 20) shown above, will only add the IP Addresses for the target domain at the moment the command is executed.

Solution.... use dnsmasq to dynamically populate an IPSET in real-time with all newly discovered IP Addresses used by the target domain

e.g. configure dnsmasq to track all of the IP Addresses used by the two domains 'twitch.tv' /'tiktok.com'

ipset create BLOCK_Domain hash:net comment

echo -e "ipset=/twitch.tv/BLOCK_Domain\n"    >>/jffs/configs/dnsmasq.conf.add
echo -e "ipset=/tiktok.com/BLOCK_Domain\n"   >>/jffs/configs/dnsmasq.conf.add

etc.

service restart_dnsmasq

Reference 'twitch.tv'

nslookup twitch.tv

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      twitch.tv
Address 1: 151.101.2.167
Address 2: 151.101.130.167
Address 3: 151.101.194.167
Address 4: 151.101.66.167

and verify that dnsmasq has indeed auto populated the IPSET with the current resolved IPs

ipset list BLOCK_Domain

Name: BLOCK_Domain
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 604
References: 0
Number of entries: 4
Members:
151.101.2.167
151.101.130.167
151.101.194.167
151.101.66.167

Now you can create a single rule for a specific MAC that will be blocked if the IP address matches any of the target domains

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m set --match-set BLOCK_Domain dst -j DROP

If you only have a few MACs you wish to restrict, then simply replicate the rule, otherwise, store your list of MACs in another IPSET, and create a single rule to match multiple MACs with the Blocked domains

e.g.

ipset create MAC hash:mac comment

ipset add MAC de:ad:de:ad:de:ad comment "Joe laptop"
ipset add MAC ba:ad:ba:ad:ba:ad comment "Jane phone"
etc.

Confirm the MACs are now defined in the IPSET

ipset list MAC

Name: MAC
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536 comment
Size in memory: 242
References: 0
Number of entries: 2
Members:
DE:AD:DE:AD:DE:AD comment "Joe laptop"
BA:AD:BA:AD:BA:AD comment "Jane phone"

and create the single (rather than 4) Blocking rule

iptables -A FORWARD -m set --match-set MAC src -m set --match-set BLOCK_Domain dst -j DROP

 

[Livin]

Old-skool method: Create a firewall DROP rule for each MAC/Domain pair

e.g. Prevent MAC 'de:ad:de:ad:de:ad' from accessing 'twitch.tv'

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -d twitch.tv -j DROP

and the resulting firewall outbound blocking rules.....

iptables  --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1    1695K 1020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     136K   13M MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
3     136K   13M MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
4    33844 1817K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
5        3   132 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
<snip>
17       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.194.167      MAC DE:AD:DE:AD:DE:AD
18       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.2.167        MAC DE:AD:DE:AD:DE:AD
19       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.66.167       MAC DE:AD:DE:AD:DE:AD
20       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.130.167      MAC DE:AD:DE:AD:DE:AD

Unfortunately the 4 auto-created DROP rules (17 to 20) shown above, will only add the IP Addresses for the target domain at the moment the command is executed.

Solution.... use dnsmasq to dynamically populate an IPSET in real-time with all newly discovered IP Addresses used by the target domain

e.g. configure dnsmasq to track all of the IP Addresses used by the two domains 'twitch.tv' /'tiktok.com'

ipset create BLOCK_Domain hash:net comment

echo -e "ipset=/twitch.tv/BLOCK_Domain\n"    >>/jffs/configs/dnsmasq.conf.add
echo -e "ipset=/tiktok.com/BLOCK_Domain\n"   >>/jffs/configs/dnsmasq.conf.add

etc.

service restart_dnsmasq

Reference 'twitch.tv'

nslookup twitch.tv

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      twitch.tv
Address 1: 151.101.2.167
Address 2: 151.101.130.167
Address 3: 151.101.194.167
Address 4: 151.101.66.167

and verify that dnsmasq has indeed auto populated the IPSET with the current resolved IPs

ipset list BLOCK_Domain

Name: BLOCK_Domain
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 604
References: 0
Number of entries: 4
Members:
151.101.2.167
151.101.130.167
151.101.194.167
151.101.66.167

Now you can create a single rule for a specific MAC that will be blocked if the IP address matches any of the target domains

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m set --match-set BLOCK_Domain dst -j DROP

If you only have a few MACs you wish to restrict, then simply replicate the rule, otherwise, store your list of MACs in another IPSET, and create a single rule to match multiple MACs with the Blocked domains

e.g.

ipset create MAC hash:mac comment

ipset add MAC de:ad:de:ad:de:ad comment "Joe laptop"
ipset add MAC ba:ad:ba:ad:ba:ad comment "Jane phone"
etc.

Confirm the MACs are now defined in the IPSET

ipset list MAC

Name: MAC
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536 comment
Size in memory: 242
References: 0
Number of entries: 2
Members:
DE:AD:DE:AD:DE:AD comment "Joe laptop"
BA:AD:BA:AD:BA:AD comment "Jane phone"

and create the single (rather than 4) Blocking rule

iptables -A FORWARD -m set --match-set MAC src -m set --match-set BLOCK_Domain dst -j DROP

This is good info!!!

Big Question... why isnt there an app for this! If this was built-into Diversion or Skynet that would he HUGE!

 

[Scobie]

Old-skool method: Create a firewall DROP rule for each MAC/Domain pair

e.g. Prevent MAC 'de:ad:de:ad:de:ad' from accessing 'twitch.tv'

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -d twitch.tv -j DROP

and the resulting firewall outbound blocking rules.....

iptables  --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1    1695K 1020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     136K   13M MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
3     136K   13M MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
4    33844 1817K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
5        3   132 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
<snip>
17       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.194.167      MAC DE:AD:DE:AD:DE:AD
18       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.2.167        MAC DE:AD:DE:AD:DE:AD
19       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.66.167       MAC DE:AD:DE:AD:DE:AD
20       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.130.167      MAC DE:AD:DE:AD:DE:AD

Unfortunately the 4 auto-created DROP rules (17 to 20) shown above, will only add the IP Addresses for the target domain at the moment the command is executed.

Solution.... use dnsmasq to dynamically populate an IPSET in real-time with all newly discovered IP Addresses used by the target domain

e.g. configure dnsmasq to track all of the IP Addresses used by the two domains 'twitch.tv' /'tiktok.com'

ipset create BLOCK_Domain hash:net comment

echo -e "ipset=/twitch.tv/BLOCK_Domain\n"    >>/jffs/configs/dnsmasq.conf.add
echo -e "ipset=/tiktok.com/BLOCK_Domain\n"   >>/jffs/configs/dnsmasq.conf.add

etc.

service restart_dnsmasq

Reference 'twitch.tv'

nslookup twitch.tv

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      twitch.tv
Address 1: 151.101.2.167
Address 2: 151.101.130.167
Address 3: 151.101.194.167
Address 4: 151.101.66.167

and verify that dnsmasq has indeed auto populated the IPSET with the current resolved IPs

ipset list BLOCK_Domain

Name: BLOCK_Domain
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 604
References: 0
Number of entries: 4
Members:
151.101.2.167
151.101.130.167
151.101.194.167
151.101.66.167

Now you can create a single rule for a specific MAC that will be blocked if the IP address matches any of the target domains

iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m set --match-set BLOCK_Domain dst -j DROP

If you only have a few MACs you wish to restrict, then simply replicate the rule, otherwise, store your list of MACs in another IPSET, and create a single rule to match multiple MACs with the Blocked domains

e.g.

ipset create MAC hash:mac comment

ipset add MAC de:ad:de:ad:de:ad comment "Joe laptop"
ipset add MAC ba:ad:ba:ad:ba:ad comment "Jane phone"
etc.

Confirm the MACs are now defined in the IPSET

ipset list MAC

Name: MAC
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536 comment
Size in memory: 242
References: 0
Number of entries: 2
Members:
DE:AD:DE:AD:DE:AD comment "Joe laptop"
BA:AD:BA:AD:BA:AD comment "Jane phone"

and create the single (rather than 4) Blocking rule

iptables -A FORWARD -m set --match-set MAC src -m set --match-set BLOCK_Domain dst -j DROP

When I looked up the "iptables --line -t filter -nvL FORWARD", I found this, since I put twitch on global URL blocking for the time being:

3        0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0
/0            udp dpt:53 STRING match  "twitch" ALGO name bm TO 65535 ICASE
4        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0
/0           WEBSTR match url twitch  reject-with tcp-reset

Wouldn't it be possible to do something like:

iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD udp dpt:53 STRING match "twitch" ALGO name bm TO 65535 ICASE
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD WEBSTR match url twitch reject-with tcp-reset

 

[Martineau]

Wouldn't it be possible to do something like:

iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD udp dpt:53 STRING match "twitch" ALGO name bm TO 65535 ICASE
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD WEBSTR match url twitch reject-with tcp-reset

Yes

I wrote a script many years ago,.....can't recall if it was 100% reliable...i.e. the search string could conceivably be split between packets, plus of course https won't work

Spoiler: BlockURL.sh

#********************************************************************************************************************************************
#*****  NOTE As of 376.47, if PC Controls is enabled then this script won't work!                                                       *****
#********************************************************************************************************************************************

# This script was written to overcome a 'bug'!.........and overcome the 128 keywords filter limitation?
# Beware that entries added to the FORWARD table WILL be wiped if U turn ON/OFF either the Asus GUI URL or KEYWORD filtering!!
# So if you already had selective routing with forced VPN i.e. no WAN access, then this will be erased allowing supposedly blocked devices
# to use the WAN if their VPN goes down.!

# NOTE: Logically you would expect to add the -j DROP / -j REJECT to the OUTPUT chain, but clearly blocking the results
#       from being returned to the user is what filtering implies!

# Use of IPTABLES for URL filtering is a hack, and the preferred solution would be to use a true Proxy Server such as SQUID
# i.e. for string filtering, there is no guarantee that the search string wouldn't be split across two packets!

# Beware that ALL times are based on UTC, so if on British Summer Time (BST) etc. then you will be an hour out!
#   e.g. Suppose U only want to allow Dailymail access during lunchtime, on BST the following would be actually applied as 13:30 to 14:30!

#          iptables -I FORWARD -m webstr --url Dailymail -p tcp -j REJECT --reject-with tcp-reset
#          iptables -I FORWARD -m webstr --url Dailymail -m time --timestart 12:30 --timestop 13:30 -j ACCEPT


#
#         URLString_match        {keyword | -?}        {reject | drop | accept} {-d | -url | -str}
#
#                           where keyword     text string you wish to filter (case insensitive)
#                                  -?        lists the current URL/STRING filters
#
#                                  reject|accept|drop   
#
#                                  -d        deletes URL and STRING matching rules - keyword is case sensitive
#                                  -url        only creates a URL filter
#                                  -str        only creates a STRING filter
#    e.g.

#        URLString_match        -?
        
#        URLString_match        PorN
#        URLString_match        PorN        -d
#
#        URLString_match        PoRn        reject
#        URLString_match        PoRn        reject    -d

##        URLString_match        sex            reject    -url
#        URLString_match        Middlesex    accept    -url

 

[Scobie]

I have no idea how the iptables command really works, how would I edit/add to rule 3 that this would only be for MAC address XX:XX:XX:XX? If I do that, then I can probably add the global rule again from router.asus.com to edit the 2nd MAC address.

Or maybe does this command actually work:

iptables -I FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url Dailymail -p tcp -j REJECT --reject-with tcp-reset

 

[Scobie]

Ok so after some tinkering I feel like I am getting closer.
The above command does not work, but neither does the above command without the MAC.

Anyway the global blocker adds the following rules:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
2    DROP       udp  --  anywhere             Router              udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
...

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
2    REJECT     tcp  --  anywhere             anywhere            WEBSTR match url twitch  reject-with tcp-reset
...

With the above command

iptables -I FORWARD -m mac --mac-source DA:AD:DA:AD:DA:AD -m webstr --url youtube -p tcp -j REJECT --reject-with tcp-reset

we get the following:

1    REJECT     tcp  --  anywhere             anywhere             MAC DA:AD:DA:AD:DA:ADWEBSTR match url youtube  reject-with tcp-reset

with no space between the MAC address and WEBSTR, which is a little concerning.
But it does not work without the MAC address either, so hopefully we just need to add the FORWARD and INPUT rules, and it would say the same with the MAC address.

 

[Martineau]

Ok so after some tinkering I feel like I am getting closer.
The above command does not work, but neither does the above command without the MAC.

Anyway the global blocker adds the following rules:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
2    DROP       udp  --  anywhere             RT-AC68U-ADAD.       udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
...

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
2    REJECT     tcp  --  anywhere             anywhere            WEBSTR match url twitch  reject-with tcp-reset
...

With the above command

iptables -I FORWARD -m mac --mac-source DA:AD:DA:AD:DA:AD -m webstr --url youtube -p tcp -j REJECT --reject-with tcp-reset

we get the following:

1    REJECT     tcp  --  anywhere             anywhere             MAC DA:AD:DA:AD:DA:ADWEBSTR match url youtube  reject-with tcp-reset

with no space between the MAC address and WEBSTR, which is a little concerning.
But it does not work without the MAC address either, so hopefully we just need to add the FORWARD and INPUT rules, and it would say the same with the MAC address.

The mangled display of the iptables rule is purely cosmetic...

iptables  --line -t filter -nvL FORWARD | grep -i dailymail

1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DE:AD:DE:AD:DE:ADWEBSTR match url dailymail  reject-with tcp-reset

If you dump the iptables, the rule is correctly revealed

iptables-save | grep -i dailymail

-A FORWARD -p tcp -m mac --mac-source DE:AD:DE:AD:DE:AD -m webstr --url dailymail  -j REJECT --reject-with tcp-reset

Also, the TCP rule works for me..and correctly blocks the LAN device with the matching MAC from accessing the websites/urls

iptables  --line -t filter -nvL FORWARD | grep -iE "dailymail|twitch|bytes"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination    
1       10  3860 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url dailymail  reject-with tcp-reset
2        4  2034 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url twitch.tv  reject-with tcp-reset

 

[Scobie]

The mangled display of the iptables rule is purely cosmetic...

iptables  --line -t filter -nvL FORWARD | grep -i dailymail

1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DE:AD:DE:AD:DE:ADWEBSTR match url dailymail  reject-with tcp-reset

If you dump the iptables, the rule is correctly revealed

iptables-save | grep -i dailymail

-A FORWARD -p tcp -m mac --mac-source DE:AD:DE:AD:DE:AD -m webstr --url dailymail  -j REJECT --reject-with tcp-reset

Also, the TCP rule works for me..and correctly blocks the LAN device with the matching MAC from accessing the websites/urls

iptables  --line -t filter -nvL FORWARD | grep -iE "dailymail|twitch|bytes"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination 
1       10  3860 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url dailymail  reject-with tcp-reset
2        4  2034 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url twitch.tv  reject-with tcp-reset

Maybe dailymail doesn't use udp, cause when I block dailymail it works but not youtube.
I guess the only thing left is how to type in the two udp commands, the problem is I haven't figured out how to do that yet.

 

[Scobie]

I finally solved it, this is what you want to do to block any domain with URL filtering for a certain MAC address:

iptables -I FORWARD -p tcp -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url youtube -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP

Only tcp blocking (the first command) works for some sites, but other sites like youtube uses udp as a backup if tcp doesn't work.

 

[toaruScar]

Will this still work, if the device is not connected directly to the router, but rather by a switch?

 

[Scobie]

Will this still work, if the device is not connected directly to the router, but rather by a switch?

I don't see why it shouldn't work, try it out!

 

[Livin]

I finally solved it, this is what you want to do to block any domain with URL filtering for a certain MAC address:

iptables -I FORWARD -p tcp -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url youtube -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP

Only tcp blocking (the first command) works for some sites, but other sites like youtube uses udp as a backup if tcp doesn't work.

Where are you entering these iptable commands?

 

[Scobie]

Where are you entering these iptable commands?

Connect to the router via SSH.

 

[Livin]

Connect to the router via SSH.

gotcha... I'm testing OpenDNS to see if that makes it work, easier. It doesnt allow me to exclude or target specific MACs but I can deal with it since OpenDNS can be granular and customized by URL. I'll just change DNS servers for systems (only 1 or 2) that need to get to YouTube, etc

 

[mvadu]

Sorry to comment on this old thread.. I am looking for same result (blocking certain URLs on certain devices, but not whole domains). Does the "iptables --url" method blocks only certain urls matching a pattern or its more of certain domain level block? case in point, I don't want to block google but video searches (with domain=google.com and URL ~tbm=vid)