Block IP address blocks (Youtube) on specific devices?


JohnD5000

Senior Member
I want to block youtube from my son's tablet and a few other devices, but not all devices (he spends way too much time on them instead of homework). I read on the internet:

These IP address blocks belong to YouTube:

199.223.232.0 - 199.223.239.255
207.223.160.0 - 207.223.175.255
208.65.152.0 - 208.65.155.255
208.117.224.0 - 208.117.255.255
209.85.128.0 - 209.85.255.255
216.58.192.0 - 216.58.223.255
216.239.32.0 - 216.239.63.255

How can I block these IP addresses for specific devices on my network? Note: The devices will have a static DHCP address (192.168.1.175 for example).

Thanks
 

Martineau

Part of the Furniture
I don't really understand how to use it.
If I wanted to block IP ranges 199.223.232.0 - 199.223.239.255 from device 192.168.1.175, how would I enter that?
Although spoofing a MAC address is considered trivial, ASUS preferred to ban by MAC address rather than IP address (you can perform a lookup of an IP address and extract the current MAC address), then apply firewall rules.

e.g. crude incomplete script snippet
Code:
# $1 = IP address or hostname of the device to block
# arp -a prints "HOSTNAME (IPADDR) at MACADDR ..."; take field 4 of the first match
MACADDR=$(arp -a | tr -d '()' | grep -i "$1" | awk '{print $4; exit}')
[ -n "$MACADDR" ] || { echo "No ARP entry found for $1" >&2; exit 1; }

# Reject TCP from that MAC address to each of the listed destination ranges
iptables -I FORWARD -m iprange --dst-range 199.223.232.0-199.223.239.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 207.223.160.0-207.223.175.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 208.65.152.0-208.65.155.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 208.117.224.0-208.117.255.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 209.85.128.0-209.85.255.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 216.58.192.0-216.58.223.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset
iptables -I FORWARD -m iprange --dst-range 216.239.32.0-216.239.63.255 -p tcp -m mac --mac-source "$MACADDR" -j REJECT --reject-with tcp-reset

Not sure how effective the above will be.
 

eibgrad

Very Senior Member
Use of a client-based VPN can thwart your efforts as well.

Be forewarned, blocking some of these megasites can be extremely difficult since they often employ a boatload of domain names and/or public IP addresses. I just did a quick check for youtube.com, www.youtube.com, and m.youtube.com, and got numerous IP addresses in the 172.217.x.x range, which are not even on your list. Even the introduction of an OpenVPN client on the router that has DNS resolved over the VPN could return different public IPs.

That's why it *might* be better, at least in some cases, to use ipset in combination w/ DNSMasq to *dynamically* determine the IPs being resolved from those same domain names, rather than trying to chase down all possible public IPs. Of course, even this approach can be problematic since it assumes the client actually is using DNSMasq for name resolution. All the user has to do is statically configure a public DNS server on their client and it falls apart.

I'm NOT saying you shouldn't try as best you can. But just realize that in the long run, the way the internet and networking are designed, it's nearly impossible to stop a determined and knowledgeable person (or someone who has access to the same, e.g., a classmate). For best (if imperfect) results, it may require a combination of strategies, perhaps even blocking well-known VPN services.
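
The ipset + DNSMasq approach described in the post above, sketched as an added example that is not part of the original thread or any poster's script. The set name `yt_block`, the domain list and the sample MAC address are assumptions; the script only prints the commands so they can be reviewed before being piped to `sh` on the router.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq fills an ipset with whatever
# the listed domains resolve to, and iptables rejects traffic to that set,
# but only from the MAC addresses given. Commands are printed, not executed.

SET_NAME="yt_block"   # assumed set name
# Assumed, non-exhaustive domain list; dnsmasq also matches their subdomains.
DOMAINS="youtube.com googlevideo.com ytimg.com"

# Succeeds only for aa:bb:cc:dd:ee:ff style addresses.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Line for the dnsmasq configuration (dnsmasq must be built with ipset support).
dnsmasq_ipset_line() {
    printf 'ipset=/%s/%s\n' "$(printf '%s' "$DOMAINS" | tr ' ' '/')" "$SET_NAME"
}

# Firewall commands for one device; fails without output on a malformed MAC.
# IPv4 only: IPv6 needs a second "family inet6" set and ip6tables rules.
device_rules() {
    valid_mac "$1" || return 1
    mac=$1
    echo "iptables -I FORWARD -m mac --mac-source $mac -m set --match-set $SET_NAME dst -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -I FORWARD -m mac --mac-source $mac -m set --match-set $SET_NAME dst -p udp -j REJECT"
    # Keep the device on the router's dnsmasq even if it is statically set to
    # a public resolver (plain port-53 DNS only; DoH/DoT are not caught).
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -m mac --mac-source $mac -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

# Full command list: create the set first, then the rules for every MAC given.
build_plan() {
    echo "ipset create $SET_NAME hash:ip -exist"
    for m in "$@"; do
        device_rules "$m" || echo "skipping invalid MAC: $m" >&2
    done
}

# Usage (constructed MAC): sh plan.sh aa:bb:cc:dd:ee:ff
if [ "$#" -gt 0 ]; then build_plan "$@"; fi
```

The set has to exist before dnsmasq is restarted with the `ipset=` line, and addresses a client resolved before the rules went in are only added the next time it queries the name.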

HellDiver

Regular Contributor
Could I suggest using something like AdGuard Home? It's great for this sort of thing, is free for home use, and runs on anything like a RasPi/NAS/Docker etc.