[How-to] Adblock Plus filters right on router

[ryzhov_al]

How-to was moved to Wiki.

See How to use Adblock Plus filter subscriptions to provide advertisement filtering to devices.

 

[huotg01]

Great! I added a link to this post in the wiki.

 

[mike7]

I can't to open router itself, how to change iptables rule to allow access?

Found myself: add "-d ! ip" to the rule

 

[hankydysplasia]

Hi. Thank you so much for your tutorial. After lots of trouble before, with the 3.0.0.4.270.25b build everything worked great.

My only question is how can you modify the code to allow for multiple IP address to filter traffic through privoxy? I would like to filter a range of about 10 IPs for all portable devices.

I tried "--src-range 10.0.1.130-10.0.1.139" but it didn't work. When I use "--source 10.0.1.130" it works.

Thanks!

 

[ryzhov_al]

Hi!

My only question is how can you modify the code to allow for multiple IP address to filter traffic through privoxy? I would like to filter a range of about 10 IPs for all portable devices.

I tried "--src-range 10.0.1.130-10.0.1.139" but it didn't work. When I use "--source 10.0.1.130" it works.

Filtering out ip ranges is a next killing feature that Eric will show us in the next release.

 

[RMerlin]

Hi!
Filtering out ip ranges is a next killing feature that Eric will show us in the next release.

I'll provide the code. YOU show them how to use it then

 

[hankydysplasia]

Hi!
Filtering out ip ranges is a next killing feature that Eric will show us in the next release.

echo iptables -t nat -A PREROUTING --source 192.168.0.101 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 >> /jffs/scripts/firewall-start

Any chance you could rewrite that command in the OP to support an IP range. Changing it as I asked above still did not work.

Thanks!

 

[ryzhov_al]

I'll provide the code. YOU show them how to use it then

I've finished ipset how-to.

Another example about Peer Guardian functionality right on router has been added.

 

[hankydysplasia]

Thanks again for the reply. I appreciate the help. Your opening post in this thread did an excellent job getting someone who can use the command line but doesn't have programming skills (like me) get adblocking set up on the router. However, I need a little bit more coaching with these IPTables.

Would you mind providing an update with step-by-step adjustment to your instructions in the OP for having Privoxy applied to a range LAN IP's? Or would it take a complete re-working of the tutorial?

 

[hankydysplasia]

Tried again to get it to work. I can't figure out how to debug either so I know what I'm doing wrong. Is it possible to route traffic through Privoxy for a range of LAN IP's, or is ipset just for blocking external IP addresses?

 

[Fraoch]

This sounds great, but when I tried it, my portable device lost all web access entirely!

Does it have to be an iOS/Android device? I'm trying it on a BlackBerry Playbook.

How do I revert these changes?

 

[Fraoch]

I managed to delete the iptables rule that was added, but it seemed to have no effect. (I think you need to save iptables)?

In the end I just reverted to factory defaults and everything is working fine again.

'Twas a bit scary.

 

[ryzhov_al]

How do I revert these changes?

Just delete /jffs/scripts/firewall-start file and reboot router.

In the end I just reverted to factory defaults and everything is working fine again.

I'm late

Still, you may check how privoxy work without /jffs/scripts/firewall-start editing. Just make sure privoxy is started and configure browser to use proxy <ip address of proxy>, port: 3128.

 

[Fraoch]

I'm late

That's OK, my panic is over now.

I just wish it would have worked. Is there any reason this only works on iOS or Android devices?

I can't see what I did wrong following your instructions, all commands executed fine.

It may have something to do with manually assigning the IP. I chose the IP the device was already assigned. I think that still should have worked though?

 

[ryzhov_al]

Is there any reason this only works on iOS or Android devices?

Only a performance: you will not feel any performance degradation while surfing web from gadgets.

I can't see what I did wrong following your instructions, all commands executed fine.

It may have something to do with manually assigning the IP. I chose the IP the device was already assigned. I think that still should have worked though?

You may split this complex task to three independent pieces:

• assign static ip to gadget, reboot router and make sure there is no problem,
• install and run privoxy and make sure it works like I showed before,
• put iptables redirection rule if previous steps are successful.

 

[Serpent]

... configure browser to use proxy <ip address of proxy>, port: 3128.

Thank you Александр for this tip, now I'm using Privoxy as proxy under wireless settings (is available in either Android and IOS). The proxy is specified for every connection (AP). No need to configure proxy in browser and no iptables rule is required.

 

[enr00ted]

Thanks for this.

After further testing is does seems to only work on gadgets. The pc's or macs or linux get very very slow browsing experience and pages that simply don't load. Is this router related ? Limitations ? If I run a dedicated privoxy server will this happen too ?

 

[dbt78]

This sounds great, but when I tried it, my portable device lost all web access entirely!

I had the same problem. Privoxy does not start automatically at reboot with the entware script 'services-start'

Looking in the syslog, I saw that my USB drive was not mounted at the first time:

Jan  1 01:00:18 hotplug[546]: USB /dev/sdb1(ext2) failed to mount at the first try!
Jan  1 01:00:18 Samba Server: daemon is started
Jan  1 01:00:18 hotplug[546]: USB ext2 fs at /dev/sdb1 mounted on /tmp/mnt/sdb1
Jan  1 01:00:18 WAN Connection: WAN was restored.

... probably causing a bad timing in the 'services-start' script sequence.

Finally, I decided to run the entware startup script after be sure that my disk is mounted, in the post-mount' script , that solve the problem. (sdb1 was my entware drive)

#!/bin/sh
if [ $1 = "/tmp/mnt/sdb1" ]
then
  ln -sf $1/entware /tmp/opt
  /opt/etc/init.d/rc.unslung start
fi

 

[bilboSNB]

Thanks for this tutorial. I am wondering if I can adapt this to enforce google safesearch for all devices?

I have never created an iprule or used privoxy before but could:
echo \#!/bin/sh > /jffs/scripts/firewall-start
echo iptables -t nat -A PREROUTING --destination google.com etc -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 >> /jffs/scripts/firewall-start
chmod +x /jffs/scripts/firewall-start

work to redirect in conjunction with the rules from here:

http://sourceforge.net/tracker/?func=detail&aid=3508805&group_id=11118&atid=211118

I dont want to filter ads as I understand it will slow the router down. I will need to some sort of dns redirect as well to force use of the google nossl servers.

 

[krabs]

Hi. Thank you so much for your tutorial. After lots of trouble before, with the 3.0.0.4.270.25b build everything worked great.

My only question is how can you modify the code to allow for multiple IP address to filter traffic through privoxy? I would like to filter a range of about 10 IPs for all portable devices.

I tried "--src-range 10.0.1.130-10.0.1.139" but it didn't work. When I use "--source 10.0.1.130" it works.

Thanks!

You must load the right extension
This will work

iptables -t nat -A PREROUTING -m iprange --src-range 10.0.1.130-10.0.1.139 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

It's the same like using --dport without the tcp extension (-m tcp).
That also don't work