Help: Using iptables to replicate/enhance urlfilter blocking?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Ryo99

New Around Here
Hi All,

I suspect that I am missing something simple but have been stuck and searching through similar threads has helped me solve my issue.

-Using an AC86U with Merlin 386.2.

What I want to do: use iptables to have the same effect as the URLfilter feature in the Firewall section. (Ultimate goal is to have itby mac and/or time of day restrictions, but I am just trying the basics)

First, I want to confirm urlfilter works, and want to block access to discord, so I enable urlfilter for "discord":
- Once enabled the blocking works as expected, it even blocks the app. Great! (Except I cannot have it for specific clients or on a schedule)
- With the urlfilter enabled, I run "iptables -S" I can see 3 rules were added:
Code:
-A INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --string "discord" --algo bm --to 65535 --icase -j DROP
-A FORWARD -i br0 -p udp -m udp --dport 53 -m string --string "discord" --algo bm --to 65535 --icase -j DROP
-A FORWARD -p tcp -m webstr --url discord  -j REJECT --reject-with tcp-reset

In my test. I thought I could take these 3 rules and add them myself. First I turn off the urlfilter then add the following rules:
In theory I should have the same effect as enabling urlfilter correct?
Code:
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --string "discord" --algo bm --to 65535 --icase -j DROP
iptables -I FORWARD -i br0 -p udp -m udp --dport 53 -m string --string "discord" --algo bm --to 65535 --icase -j DROP
iptables -I FORWARD -p tcp -m webstr --url discord -j REJECT --reject-with tcp-reset

After entering, I check to see the rules show (iptables -S and they do,, however it doesn't get blocked as before.
All clients can access discord.com and the app also works.
Either I am missing something, or urlfilter is doing something else that I cannot figure out?

I am not sure how to troubleshoot this further, any thoughts?
 

ColinTaylor

Part of the Furniture
If the client has managed to successfully resolve the discord address it may still be cached locally and/or have already established a connection. So reboot the client to clear that.

Then see if you can resolve the address. nslookup discord.com
 

Ryo99

New Around Here
Thanks for they reply, that set me down the right path. I forgot about IPV6!
Applying the rules to ip6tables worked, I can now experiment to with my additional parameters. Thanks!
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top