What's new
By:

Can I block all internet access except for one site?

E

eastavin

Senior Member
I have been asked if I can block internet access for only ONE client of many but allow it to access one or two specific URLs any time. Having looked through the menus on the firmware here I dont see how the exception could be made possible. This device would be on a wired connection only. All Lan to Lan traffic continues to be allowed. Am running 384.5 on rt-ac68u. Any suggestions appreciated!
 
Last edited:
The way you would do this on a Cisco device is with ACLs. You would deny all internet traffic. You need to resolve the IPs for the URLs. Then setup an ACL to allow the URL's IPs. His access needs to be defined to an IP address which can be denied maybe using DHCP. This will not stop outside cell access just the local network.
 
There isn't really a way of doing that in the GUI. Network Services Filter and Parental Control come close but aren't versatile enough to allow exceptions for specific URL's. You might be able to do it with custom scripts if the destination IP addresses never change.
 
eastavin said:
I have been asked if I can block internet access for only ONE client of many but allow it to access one or two specific URLs any time.
Click to expand...

Old-skool:
Code: 
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-my-WAN-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -d www.1stURLOK.com -j ACCEPT -m comment --comment Allow-my-URL-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -d www.2ndURLOK.com -j ACCEPT -m comment --comment Allow-my-URL-ACCESS
etc.
The GUI 'URL Filter' tab attempts to use the fact that without DNS working, then the URL will be unavailable, except of course there is nothing to stop the user entering the nslookup IP address directly into the web browser!

So you will need to store all of the URLs IP addresses in an IPSET, then only two rules are required:
Code: 
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-my-WAN-ACCESS
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o $(nvram get wan0_ifname) -m set -m set --match-set Allowed_URL dst -j ACCEPT -m comment --comment Allow-my-URL-WAN-ACCESS
You can (in most cases) extract the IPs for a URL domain either manually from the nslookup command or let dnsmasq automatically populate the IPSET by adding the appropriate URLs to the 'IPSET=' directive in dnsmasq.conf.add

NOTE: https://URLs may not be blocked etc. as per the caveats listed on the GUI URL filter page.

Code: 
#!/bin/sh
VER="vDemo"
#======================================================================================== © 2018 Martineau, vDemo

Get_FirmwareVersion() {
    # Assume VVV.nn such as 380.68 but ensure 382.1 is returned as 38201
    local FIRMWARE=$(echo $(nvram get buildno) | awk 'BEGIN { FS = "." } {printf("%03d%02d",$1,$2)}')
    echo $FIRMWARE
}
ANSIColours () {
    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    cRED_="\e[41m";cGRE_="\e[42m"
}
CHAIN_exists() {
    # Args: {FCHAIN_name} [table_name]
    local FCHAIN="$1"
    shift
    [ $# -eq 1 ] && local TABLE="-t $1"
    iptables $TABLE -n -L $FCHAIN >/dev/null 2>&1
    local RC=$?
    if [ $RC -eq 1 ];then
        echo "N"
        return 1
    else
        echo "Y"
        return 0
    fi
}
Firewall(){
    iptables $@ 2>/dev/null         # Suppress error messages
    local FIREWALL_ERROR=$?
    if [ "$FIREWALL_ERROR" -gt 0 ];then             # Report error for "-I" insert and '-A' append actions
        if [ "$1" == "-I" ] || [ "$1" == "-A" ];then
            # Hack using I/O to file!
            iptables $@ 2>/tmp/iptables.error$$; echo -e $cBRED"\t" $(grep "" -m1 /tmp/iptables.error$$);rm /tmp/iptables.error$$       # Hack using I/O to file!
            echo -e "\t\t==> $@"
            return 1
        fi
    fi
    return 0
}

#======================================Main============================================

ANSIColours
FIRMWARE=$(Get_FirmwareVersion)

modprobe xt_comment

RESTRICT_LIST="10.88.8.114"                             # <<=== LAN IPs to be restricted to certain URLs
DOMAIN_LIST="google msn ibm"                            # <<=== Restricted 'keyword'/domains (assumed www.xxx.com)

FCHAIN="myURL"
ICHAIN="myDNS"
VERBOSE=
if [ ! -z "$(echo $@ | grep -ow "status")" ];then
    VERBOSE="n"
fi

for IP in $RESTRICT_LIST
    do
        case $1 in
            off)
                ACTION="-D";;
            on)
                ACTION="-I"
                if [ "$(CHAIN_exists "$FCHAIN")" == "N" ];then
                    iptables -N $FCHAIN
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-WAN-ACCESS
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j REJECT --reject-with tcp-reset  -p tcp -m comment --comment Block-WAN-ACCESS-TCP
                else
                    iptables -F $FCHAIN  2> /dev/null
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j DROP -m comment --comment Block-WAN-ACCESS
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -j REJECT --reject-with tcp-reset  -p tcp -m comment --comment Block-WAN-ACCESS-TCP
                fi
                if [ "$(CHAIN_exists "$ICHAIN")" == "N" ];then
                    iptables -N $ICHAIN
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -j DROP -m comment --comment Block-DNS-ACCESS
                else
                    iptables -F $ICHAIN  2> /dev/null
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -j DROP -m comment --comment Block-DNS-ACCESS
                fi
                ;;
            *)
            echo -e $cBMAG
            iptables -"${VERBOSE}"vL INPUT   --line -t filter | grep -E "Chain INPUT|^num|\/"
            echo -e
            iptables -"${VERBOSE}"vL FORWARD --line -t filter | grep -E "Chain FORWARD|^num|\/"
            echo -e
            iptables -"${VERBOSE}"vL $ICHAIN --line -t filter 2>/dev/null
            echo -e
            iptables -"${VERBOSE}"vL $FCHAIN --line -t filter 2>/dev/null
            echo -e $cRESET
            exit 0
            ;;
        esac

        Firewall $ACTION INPUT -i br0 -s $IP -p udp -m udp --dport 53 -j $ICHAIN -m comment --comment DNS-filtering
        Firewall $ACTION FORWARD -i br0 -s $IP -o $(nvram get wan0_ifname) -j $FCHAIN -m comment --comment URL-filtering

        # For the custom chains, simply wipe them if it's a 'off' (delete) request
        if [ "$ACTION" == "-I" ];then
            for STRING in $DOMAIN_LIST
                do
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j ACCEPT -m comment --comment $STRING
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m webstr  --content "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment $STRING
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m webstr  --content "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    LEN=${#STRING}
                    Firewall $ACTION $ICHAIN -i br0 -s $IP -m string --hex-string "\|03\|www\|$LEN\|$STRING\|03\|com" --algo bm --to 65535 -j LOG
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname) -d www.${STRING}.com -j ACCEPT -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname)  -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                    Firewall $ACTION $FCHAIN -i br0        -p udp -m udp --dport 53 -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -o $(nvram get wan0_ifname)  -m webstr  --url "www."${STRING}".com" -j LOG -m comment --comment www."${STRING}".com
                    Firewall $ACTION $FCHAIN -i br0 -s $IP -m string --string $STRING --algo bm --to 65535 -j LOG -m comment --comment DNS-$STRING
                done
        else
            if [ "$(CHAIN_exists "$ICHAIN")" == "Y" ] || [ "$(CHAIN_exists "$FCHAIN")" == "Y" ];then
                iptables -F $ICHAIN 2>/dev/null
                iptables -X $ICHAIN 2>/dev/null
                iptables -F $FCHAIN 2>/dev/null
                iptables -X $FCHAIN 2>/dev/null
            fi
        fi
    done

# Status....
if [ "$1" != "on" ];then
    echo -e $cBMAG
else
    echo -e $cBGRE
fi
iptables -${VERBOSE}vL INPUT   --line -t filter | grep -E "Chain INPUT|\$FCHAIN|^num|\/"
echo -e
iptables -${VERBOSE}vL FORWARD --line -t filter | grep -E "Chain FORWARD|$FCHAIN\/|^num|\/"
if [ "$1" == "off" ];then
    echo -en $cRED                  # Just in case the custom tables haven't been deleted correctly
else
    echo -en $cBGRE
fi
iptables -${VERBOSE}vL $ICHAIN --line -t filter 2>/dev/null
echo -e
iptables -${VERBOSE}vL $FCHAIN --line -t filter 2>/dev/null
echo -e $cRESET


exit 0

Sadly you may need to deploy a proxy to meet your requirements
 
Last edited:
You must log in or register to reply here.

Similar threads

S
Firewall rule to block firmware updates
Replies
5
Views
1K
JGrana
JGrana
I
Challenge with tunneling internet for WG site to site from the server side
Replies
8
Views
1K
ivannn
I
I
block internet access for wifi clients on RT-AX88U Pro
Replies
5
Views
2K
YumeHatsuyuki
YumeHatsuyuki
R
OpenVPN client can't connect to local resources over port 80/443, but can ping them by IP
Replies
6
Views
1K
RRands
R
Lee MacMillan
Can no longer access router GUI
Replies
6
Views
814
jerry6
jerry6
Similar threads
Thread starter Title Forum Replies Date
I block internet access for wifi clients on RT-AX88U Pro Asuswrt-Merlin 5
B IPv6 /56 block? Asuswrt-Merlin 12
M Site-to-site OVPN - block specific IP range on server side from reaching client side? Asuswrt-Merlin 6
L i have a public ip block with dns names but when set domain router does not resolve them Asuswrt-Merlin 1
M Adguard over Wireguard vpn to block streaming advertisements? Asuswrt-Merlin 5
S Firewall rule to block firmware updates Asuswrt-Merlin 5
S Can't block domain Asuswrt-Merlin 11
K Block AI Crawlers Asuswrt-Merlin 12
R RT-BE96U (Merlin) + Xfinity TG4482A (Bridge) - Periodic Internet Loss (every 3-4 weeks) Asuswrt-Merlin 11
C How to set VLAN ID for internet connection on RT-BE92U Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 2,040 (members: 19, guests: 2,021)
Back
Top