Selective Parental Control in my build of firmware

[Voxel]

I had to organize _selective_ Parental Control on my R7800 i.e.to use Parental Control only for two concrete child's gadgets forcing all the rest devices to use encrypted DNS requests. I.e. only for concrete MAC addresses. I do share this experience, maybe it would be useful for some people.

It is quite easy with my version of firmware. You have just to create your own script in the /opt/scripts directory, with a name firewall-start.sh.

Example: let's suppose that MAC of the first gadget is aa:bb:cc:dd:ee:ff and MAC of second gadget is 11:22:33:44:55:66. IP of e.g. OpenDNS Family is 208.67.222.123. Your script (example):

/opt/scripts/firewall-start.sh

#!/bin/sh
# Parental Control (forward DNS requests to OpenDNS Family DNS)
# Smartphone
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source AA:BB:CC:DD:EE:FF -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp --dport 53 -j DNAT --to 208.67.222.123
# Windows PC
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 11:22:33:44:55:66 -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 11:22:33:44:55:66 -p tcp --dport 53 -j DNAT --to 208.67.222.123

That's all. Script shoud be executable. Only two devices are using OpenDNS Family DNS server now (after reboot of router). You can continue to use DNSCrypt or stubby for all the rest devices.

Voxel.

 

[Olivier]

Thanks a lot and very useful! I'm in the same situation

 

[Voxel]

Well, forgot to say: to check that it is working just enter to

https://www.perfect-privacy.com/dns-leaktest/

on device you intended to protect (MAC used in your script). You should see OpenDNS servers.

Voxel.

 

[Voxel]

Any ideas what I would use if I wanted to route ALL DNS requests to a certain IP? To force the use of a Pi-Hole adblocker on my network for example?

Why not just to try to setup your Pi- Hole as a DNS in WebGUI?

Well I do not have any local DNS server in my LAN, but you may google your question, e.g.

https://discourse.pi-hole.net/t/use-iptables-on-router-to-force-dns-to-pi-hole/8465

Voxel.

 

[ajp2k14]

Why not just to try to setup your Pi- Hole as a DNS in WebGUI?

Well I do not have any local DNS server in my LAN, but you may google your question, e.g.

https://discourse.pi-hole.net/t/use-iptables-on-router-to-force-dns-to-pi-hole/8465

Voxel.

If I enter my Pi-Hole IP in the DNS WebGUI it won't force all dns requests to that IP right? For example Chromecasts have a hardcoded Google dns.

I realized I should google it so I deleted my post earlier but I guess you beat me to it...

Thanks!

 

[Voxel]

If I enter my Pi-Hole IP in the DNS WebGUI it won't force all dns requests to that IP right? For example Chromecasts have a hardcoded Google dns.

I realized I should google it so I deleted my post earlier but I guess you beat me to it...

Thanks!

Well I see...

OK, just the same scheme with iptables and /opt/scripts/firewall-start.sh script. Good luck. For me Parental Control is more actual ;-)

Voxel.

 

[ajp2k14]

Well I see...

OK, just the same scheme with iptables and /opt/scripts/firewall-start.sh script. Good luck. For me Parental Control is more actual ;-)

Voxel.

Yeah I'll try that, thanks! I also have the need for parental control but I add that to my Pi-hole to redirect to google safesearch, youtube restricted etc. Also tried Cleanbrowsing which is very good I think. Dnscrypt also has some parental goodies built-in...

 

[Dim]

I had to organize _selective_ Parental Control on my R7800 ..
/opt/scripts/firewall-start.sh
...

I create such directory and file with similar code inside. But after router reboot iptables contain no my records.
I try execute script manualy (sh) and row with "tcp" was inserted in iptables, but row with "udp" return error message "...Bad IP address 208.67.222.222"
Can you help me with my questions
1. Why script was not execute after reboot? May be exist some switches for autorun scripts?
2. What wrong with line for "udp"?

 

[Voxel]

1. Why script was not execute after reboot? May be exist some switches for autorun scripts?
2. What wrong with line for "udp"?

Make sure that script is executable

chmod +x /opt/scripts/firewall-start.sh

and that it is in Unix format (LF symbol at the end of each line, but not CR+LF) and that it is ended by LF (new line after last rule).

BTW how do you check that rule is in the table? Checked right now with your 208.67.222.222:

R9000:

iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 159 packets, 20261 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX tcp dpt:53 to:208.67.222.222
    0     0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX udp dpt:53 to:208.67.222.222
. . .

R7800:

iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 7821 packets, 722K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX tcp dpt:53 to:208.67.222.222
  642 43124 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp dpt:53 to:208.67.222.222
. . .

Very first lines in the output of command "iptables -t nat -L -v -n"

NG uses own firewall program, not direct call of iptables. So this script is the only way. Manual adding these rules will be spoiled after some time.

Voxel.

 

[Dim]

...that it is in Unix format (LF symbol at the end of each line, but not CR+LF) and that it is ended by LF (new line after last rule)...

Thank you very much!
Problem was in CRLF symbol and no new line after last rule

 

[Voxel]

Thank you very much!
Problem was in CRLF symbol and no new line after last rule

Parents should help each other to protect our children. ;-)

Voxel.

 

[Dim]

Hi, Voxel
One more question.
If I connect to router though VPN then this rules didn't work.
May be I should change interface or smth like this in script?

 

[Voxel]

If I connect to router though VPN then this rules didn't work.
May be I should change interface or smth like this in script?

Probably the use of VPN for kids is not good. I am not sure but as far as I know good VPN provider pushes everything including their own DNS from server side config. So I am not sure that changing interface in my script or so will help with your case.

Did not you consider to bypass VPN tunnel for the gadgets of your children? Leaving VPN for all the rest devices.

kamoj add-on allow to do that. Selective bypassing for concrete gadgets:

The add-on adds functionality such as Bypassing OpenVPN Client tunnel.

https://www.snbforums.com/threads/k...800-x4s-and-r9000-x10-temperatures-a-o.55063/

Voxel.

 

[Dim]

Thank you for reply

Probably the use of VPN for kids is not good...

No, I use VPN server on my router and config child phone to connect to home VPN server when the phone connected over cellular. But in this case rules from example did't work

 

[Voxel]

Thank you for reply

No, I use VPN server on my router and config child phone to connect to home VPN server when the phone connected over cellular. But in this case rules from example did't work

Interesting… Probably good idea. Permanent Parental Control over VPN?

So, please correct me if my understanding is wrong. You suppose to use your home OpenVPN server practically exclusively for Parental Control? Plus accessing e.g. home LAN.

Well, it is possible, but my fw is not quite ready “as-is” for this. Depends on what client and what interface is used: tun or tap.

(A) For tap. In general this scheme with selective Parental Control should work but check the MAC address to use in my script. It should be neither Wi-Fi adapter address nor cellular adapter address of your child phone. It should be MAC of OpenVPN adapter on smartphone. You can find it in Attached Device menu of your router when target smartphone is connected by OpenVPN. The only thing: obligatory add the option “block-outside-dns” into your OVPN client config file to prevent the reference to resolvers of cellular network, leaving only OpenDNS. I.e.

. . .
compress lz4-v2
verb 0
sndbuf 786432
rcvbuf 786432
block-outside-dns

(B) For tun. I guess you are using tun for your child phone. A bit more complex. And restriction is that it will apply such Parental Control to any gadget connected to your OpenVPN tun server not only phone of your child.

1. You do not need for this /opt/scripts/firewall-start.sh
2. You have to modify the file /etc/init.d/openvpn :

Replace the string (context)
. . .
$fastio
push "dhcp-option DNS $lan_ipaddr"
client-connect "$push tun"
. . .

by
. . .
$fastio
push "dhcp-option DNS 208.67.222.123"
client-connect "$push tun"
. . .

3. The same: obligatory add this option “block-outside-dns” into OVPN client config file to prevent resolvers of cellular network leaving only OpenDNS resolver.

But again: any gadget connected to your OpenVPN tun server will use OpenDNS servers (Parental Control).

IMO this above should work. I've tested briefly.

Voxel.

 

[Dim]

So, please correct me if my understanding is wrong. You suppose to use your home OpenVPN server practically exclusively for Parental Control? Plus accessing e.g. home LAN.

Yes, exactly
Thank you very much, I'll go try to config so

 

[tarassippo]

Sorry to resuscitate this old thread, but I'd like to know how to restrict Internet access for my son's tablet, e.g. Internet will cut off at a certain time...

I don't see anything implemented in the stock/Voxel firmware to do so, am I right ?

Tia.

 

[Voxel]

Sorry to resuscitate this old thread, but I'd like to know how to restrict Internet access for my son's tablet, e.g. Internet will cut off at a certain time...

I don't see anything implemented in the stock/Voxel firmware to do so, am I right ?

Tia.

Well. Possible but not from GUI. Using the same: iptables. Plus cron (Entware). But it requires some knowledge of Linux (iptables, cron, command line). If it is OK for you.

I.e. scheme would be that by using cron (scheduler) you add your iptables rules to block the MAC of tablet. And allow it using other schedule (deleting previous rule).

Example of blocking by MAC

https://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

Voxel.

 

[tarassippo]

Thanks Voxel, but unfortunately that thousands of miles away from my expertise...

I really don't get it... how come NG's firmware is still so basic...

 

[percy3]

I have created for OpenWrt some additional family filter solution to limit access to particular services during school hours. Maybe someone will be interested to transpose it for Voxel's build. @Voxel and @kamoj feel free to integrate it into the build or add-on if that would make sense.