[How-to] Adblock Plus filters right on router

Discussion in 'Asuswrt-Merlin' started by ryzhov_al, Jan 15, 2013.

  1. ryzhov_al

    ryzhov_al Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    487
    Location:
    Russia
    This is a how-to for using Adblock Plus filters on a router with Merlin's firmware. It is better to use it with iOS/Android devices. Using it with a PC will slow down web surfing because of router performance limitations.
    It's based on privoxy — a proxy server which will intercept and filter all web traffic from the chosen iOS/Android device.

    Requirements:
    1. Asuswrt-Merlin driven RT-N16/RT-N66U/RT-AC66U router with USB-drive.
    2. Working Entware environment. Please, refer to Eric's how-to for details.

    Setup
    1. Install necessary packages:
    2. Install prepared privoxy configuration file:
    3. Install script for converting AdBlock Plus rules:
    4. Choose AdBlock Plus subscriptions.
    Please find the "URLS=" string in privoxy-blocklist_0.2.sh and put your own subscriptions there. You may sneak subscription URLs in your favourite browser or here. The default subscriptions are easylistgermany and easylist.
    Now convert AdBlock Plus rules to privoxy format by running:
    5. Choose the iOS/Android/PC device where filtering is needed.
    Please go to the router's web interface, "LAN > DHCP Server" page, and select the "Enable Manual Assignment" button.
    Add your device to "Manually Assigned IP around the DHCP list". It is better to do it while the device is connected to the router: you may select its MAC from the drop-down list and assign an IP address to it, for example "192.168.0.101". Don't forget to push the "Apply" button (I did:))
    6. Add web traffic interception rule to iptables.
    where 192.168.0.101 is an IP address from step above.

    Reboot router and check web surfing on chosen device.

    If you want to change AdBlock subscriptions, please remove old ones first:
    then repeat step #4 only.
     
    Last edited: Aug 9, 2013
  3. huotg01

    huotg01 Senior Member

    Joined:
    Feb 3, 2013
    Messages:
    420
    Location:
    Montreal
    Great! I added a link to this post in the wiki.
     
  4. mike7

    mike7 New Around Here

    Joined:
    Feb 15, 2013
    Messages:
    7
    I can't open the router itself; how do I change the iptables rule to allow access?

    Found it myself: add "-d ! ip" to the rule
     
    Last edited: Mar 10, 2013
  5. hankydysplasia

    hankydysplasia New Around Here

    Joined:
    Mar 11, 2013
    Messages:
    7
    Hi. Thank you so much for your tutorial. After lots of trouble before, with the 3.0.0.4.270.25b build everything worked great.

    My only question is how can you modify the code to allow for multiple IP addresses to filter traffic through privoxy? I would like to filter a range of about 10 IPs for all portable devices.

    I tried "--src-range 10.0.1.130-10.0.1.139" but it didn't work. When I use "--source 10.0.1.130" it works.

    Thanks!
     
  6. ryzhov_al

    ryzhov_al Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    487
    Location:
    Russia
    Hi!
    Filtering out IP ranges is the next killer feature that Eric will show us in the next release.
     
  7. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,491
    Location:
    Canada
    I'll provide the code. YOU show them how to use it then :D
     
  8. hankydysplasia

    hankydysplasia New Around Here

    Joined:
    Mar 11, 2013
    Messages:
    7
    Any chance you could rewrite that command in the OP to support an IP range. Changing it as I asked above still did not work.

    Thanks!
     
  9. ryzhov_al

    ryzhov_al Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    487
    Location:
    Russia
    I've finished the ipset how-to.

    Another example about Peer Guardian functionality right on router has been added.
     
  10. hankydysplasia

    hankydysplasia New Around Here

    Joined:
    Mar 11, 2013
    Messages:
    7
    Thanks again for the reply. I appreciate the help. Your opening post in this thread did an excellent job getting someone who can use the command line but doesn't have programming skills (like me) get adblocking set up on the router. However, I need a little bit more coaching with these IPTables.

    Would you mind providing an update with step-by-step adjustments to your instructions in the OP for having Privoxy applied to a range of LAN IPs? Or would it take a complete re-working of the tutorial?
     
  11. hankydysplasia

    hankydysplasia New Around Here

    Joined:
    Mar 11, 2013
    Messages:
    7
    Tried again to get it to work. I can't figure out how to debug either so I know what I'm doing wrong. Is it possible to route traffic through Privoxy for a range of LAN IPs, or is ipset just for blocking external IP addresses?
     
  12. Fraoch

    Fraoch Senior Member

    Joined:
    Jan 16, 2013
    Messages:
    211
    This sounds great, but when I tried it, my portable device lost all web access entirely!

    Does it have to be an iOS/Android device? I'm trying it on a BlackBerry Playbook.

    How do I revert these changes?
     
  13. Fraoch

    Fraoch Senior Member

    Joined:
    Jan 16, 2013
    Messages:
    211
    I managed to delete the iptables rule that was added, but it seemed to have no effect. (I think you need to save iptables)?

    In the end I just reverted to factory defaults and everything is working fine again.

    'Twas a bit scary.
     
  14. ryzhov_al

    ryzhov_al Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    487
    Location:
    Russia
    Just delete /jffs/scripts/firewall-start file and reboot router.

    I'm late:(

    Still, you may check how privoxy works without editing /jffs/scripts/firewall-start. Just make sure privoxy is started and configure the browser to use proxy <ip address of proxy>, port: 3128.
     
    Last edited: Apr 11, 2013
  15. Fraoch

    Fraoch Senior Member

    Joined:
    Jan 16, 2013
    Messages:
    211
    That's OK, my panic is over now.:D

    I just wish it would have worked. Is there any reason this only works on iOS or Android devices?

    I can't see what I did wrong following your instructions, all commands executed fine.

    It may have something to do with manually assigning the IP. I chose the IP the device was already assigned. I think that still should have worked though?
     
  16. ryzhov_al

    ryzhov_al Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    487
    Location:
    Russia
    Only performance: you will not feel any performance degradation while surfing the web from gadgets.

    You may split this complex task to three independent pieces:
    • assign static ip to gadget, reboot router and make sure there is no problem,
    • install and run privoxy and make sure it works like I showed before,
    • put iptables redirection rule if previous steps are successful.
     
  17. Serpent

    Serpent Occasional Visitor

    Joined:
    Jul 2, 2012
    Messages:
    20
    Thank you Александр for this tip, now I'm using Privoxy as a proxy under wireless settings (it is available in both Android and iOS). The proxy is specified for every connection (AP). No need to configure a proxy in the browser and no iptables rule is required.
     
  18. enr00ted

    enr00ted Regular Contributor

    Joined:
    Apr 18, 2013
    Messages:
    90
    Location:
    Born in Romania, living in Spain
    Thanks for this.

    After further testing it does seem to only work on gadgets. The PCs or Macs or Linux machines get a very, very slow browsing experience and pages that simply don't load. Is this router related? Limitations? If I run a dedicated privoxy server, will this happen too?
     
    Last edited: Apr 19, 2013
  19. dbt78

    dbt78 New Around Here

    Joined:
    Apr 7, 2013
    Messages:
    7
    Location:
    France
    I had the same problem. Privoxy does not start automatically at reboot with the Entware script 'services-start'.

    Looking in the syslog, I saw that my USB drive was not mounted at the first time:
    Code:
    Jan  1 01:00:18 hotplug[546]: USB /dev/sdb1(ext2) failed to mount at the first try!
    Jan  1 01:00:18 Samba Server: daemon is started
    Jan  1 01:00:18 hotplug[546]: USB ext2 fs at /dev/sdb1 mounted on /tmp/mnt/sdb1
    Jan  1 01:00:18 WAN Connection: WAN was restored.
    
    ... probably causing a bad timing in the 'services-start' script sequence.

    Finally, I decided to run the Entware startup script after being sure that my disk is mounted, in the 'post-mount' script; that solved the problem. (sdb1 was my Entware drive)

    Code:
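    #!/bin/sh
    # post-mount: $1 is the mount point that was just mounted
    if [ "$1" = "/tmp/mnt/sdb1" ]
    then
      # Point /tmp/opt at the Entware directory, then start its services
      ln -sf "$1/entware" /tmp/opt
      /opt/etc/init.d/rc.unslung start
    fi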
    
     
  20. bilboSNB

    bilboSNB Regular Contributor

    Joined:
    Oct 7, 2011
    Messages:
    138
    Location:
    Isle of Man
    Thanks for this tutorial. I am wondering if I can adapt this to enforce google safesearch for all devices?

    I have never created an iprule or used privoxy before but could:
    echo \#!/bin/sh > /jffs/scripts/firewall-start
    echo iptables -t nat -A PREROUTING --destination google.com etc -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 >> /jffs/scripts/firewall-start
    chmod +x /jffs/scripts/firewall-start

    work to redirect in conjunction with the rules from here:

    http://sourceforge.net/tracker/?func=detail&aid=3508805&group_id=11118&atid=211118

    I don't want to filter ads as I understand it will slow the router down. I will need some sort of DNS redirect as well to force use of the Google nossl servers.
     
  21. krabs

    krabs Regular Contributor

    Joined:
    Apr 6, 2013
    Messages:
    82
    Location:
    Limburg Belgium
    You must load the right extension :)
    This will work

    Code:
    iptables -t nat -A PREROUTING -m iprange --src-range 10.0.1.130-10.0.1.139 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    
    It's the same as using --dport without the tcp extension (-m tcp).
    That also doesn't work
     

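The thread's three recurring problems (redirecting a range of LAN addresses, keeping the router's own web interface reachable, and reverting cleanly) combined in one script, as an added example that is not part of any post. The function names and the router address 10.0.1.1 are assumptions; the range, port 3128 and the "-d ! ip" exclusion come from the posts above.

```shell
#!/bin/sh
# Added example, not from the thread. 10.0.1.1 is a constructed router address;
# 3128 is the privoxy port quoted in the thread.

# ip_to_int A.B.C.D: print the address as an integer, fail on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# redirect_rule RANGE ROUTER_IP [PORT]: print the rule spec without -A/-D.
# RANGE is "first-last" or a single address; traffic to ROUTER_IP is left alone
# so the router's web interface stays reachable.
redirect_rule() {
    first=${1%-*}; last=${1#*-}; port=${3:-3128}
    lo=$(ip_to_int "$first") && hi=$(ip_to_int "$last") || return 1
    ip_to_int "$2" >/dev/null || return 1
    [ "$lo" -le "$hi" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    # "-d ! ip" is the negation form posted in the thread; newer iptables
    # releases prefer "! -d ip".
    echo "PREROUTING -m iprange --src-range $first-$last -d ! $2" \
         "-p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port"
}

# apply_rule / remove_rule take the same arguments. Both first delete every
# existing copy, so re-running firewall-start never stacks duplicates and
# remove_rule is a clean revert on the live table.
remove_rule() {
    spec=$(redirect_rule "$@") || return 1
    # $spec is unquoted on purpose: it must split into separate arguments.
    while iptables -t nat -D $spec 2>/dev/null; do :; done
}
apply_rule() {
    remove_rule "$@" || return 1
    iptables -t nat -A $spec
}

# Print the rule for the range asked about in the thread (touches nothing).
redirect_rule 10.0.1.130-10.0.1.139 10.0.1.1
```

Removing the live rule does not survive a reboot while /jffs/scripts/firewall-start still adds it; as noted in the thread, that file has to be deleted or edited as well.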