Is there any way to block certain URLs for certain MAC addresses? (YES - solved)

Scobie

New Around Here
I just got a new Asus router and I installed Merlin and Diversion and so far it's looking amazing, big props to the developers.

Anyway, stock Asus only has firewall blocking for every device, and parental controls blocks too many sites.
How do I block URLs for certain MAC addresses? In practice I wanna URL block youtube and twitch on my phone.

- EDIT - SOLUTION:
Log in to your router via SSH and type the following commands,
replacing youtube with the site you wanna block, de:ad:de:ad:de:ad with your MAC address and possibly 192.168.1.1 if your router uses a different IP.
Code:
iptables -I FORWARD -p tcp -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url youtube -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
Only tcp blocking (the first command) works for some sites, but other sites like youtube use udp as a backup if tcp doesn't work.

Linux_Chemist

Occasional Visitor
Others might suggest a solution using builtin stuff, however I know how I would tackle this problem. See what you think :)

First up, the device in question (your phone) needs to get a specific IP address on the LAN. It can't be a randomly assigned one via DHCP from the router. You'll need to go to the LAN/DHCP manual assignment settings and make sure your device (given by its MAC address) is assigned one specific address. e.g. 192.168.1.10. When it's set to be this, disconnect and reconnect to your local SSID/Network and make sure it's got this number.

Next, you'll need to make use of whatever DNS server you have running on the router, whether this is unbound or dnsmasq or otherwise.

If it's unbound, you'll want these entries in a blocklist
Code:
local-zone: "youtube.com" always_nxdomain
local-zone: "twitch.tv" always_nxdomain
If it's dnsmasq, you'll want these entries in a blocklist/hosts file:
Code:
0.0.0.0 youtube.com
0.0.0.0 twitch.tv
And so what I would do is: have every device on your network (pcs, laptops, tablets and so on) all use a fast public DNS server (1.1.1.1 or 8.8.8.8 etc), OR their own instance of unbound for example, and make your phone's DNS connections be forced to use the router's server (so don't use the router's DNS if you don't want youtube and twitch blocked).

Caveat: I don't know off the top of my head if Windows or other devices will let you punch in a specific DNS server to use on your connection without also setting up a) that device's ip b) the router's default ip c) the subnet mask as well - so at worst, you might have to set up specific IPs for every device at home. That's not a bad thing however, as it prevents situations where two devices may compete for the same address. It's handy to have a list of everything that wants to connect and number them, then assign them that number so you know for maintenance and if you should check your logs.

To set up a DNS redirect for your phone, we could add the firewall rules:
Code:
iptables -t nat -A PREROUTING -s PHONE'S_IP -p udp -m udp --dport 53 -j DNAT --to ROUTER'S_IP
iptables -t nat -A PREROUTING -s PHONE'S_IP -p tcp -m tcp --dport 53 -j DNAT --to ROUTER'S_IP
Notes: This redirects any udp or tcp (dns can use tcp sometimes) going on port 53 (DNS requests) to the router's dns server port instead. ROUTER'S_IP you'll need to enter - this is the IP you can use to access your router's settings and is the default route for your local network.
Also, replace PHONE'S_IP with the IP you've assigned for only your phone.

Any device on the network apart from your phone will be able to access sites as normal, however your phone will try to lookup sites from the router's DNS server and if it finds youtube or twitch, the connection is dropped. This dropping is specific to the IP address you've chosen for this rule. Note that this firewall rule will not survive a reboot so it should go somewhere sensible (perhaps /jffs/firewall-start but you'll have to start it yourself. To check if the rule exists already, do iptables -t nat -S which will show rules for the nat table of your firewall (there are several tables - filter (default); nat (what we're using for this redirection); mangle and raw.)

Scobie

New Around Here
Thanks for the detailed reply!

The only problem I see with this though is that if I want to block something different on another device, it won't work.
For example if I only want to block youtube on my computer but not twitch.

I will probably use this however if I cannot find another method.
 

Linux_Chemist

Occasional Visitor
On your computer, things become much easier because you will have easy access to your system's internals.
So long as you have access to (in the case of the default, dnsmasq) the hosts file, you can simply add the
Code:
0.0.0.0 youtube.com
entry etc. to block whatever you want.
Your devices will consult the hosts file before they check the DNS server you've told them.

Unbound goes one step further and means you can run your own resolving DNS server on your pc yourself (highly recommend that as an aside).

The reason why I suggested the long-winded method above is because it can be extremely irritating to get at these files on a phone and may require warranty-voiding procedures (I've not had occasion to do this as I don't have a smartphone - I think you do need to root them to access this.) because they're so locked down (yay phones!). Setting up a hosts file blocklist on your phone alone would meet the task, but you'd have to do some serious digging and I wouldn't be surprised if a future update just bypassed it.
A big thing now is phones switching to DNS over TLS and therefore regardless of what you've set for DNS server to use, if enabled, it contacts cloudflare or google dns servers anyway. I've seen traffic pinging them (icmp) to determine if the device is still in a specific country for example, so if devices decide to send a request to the server for an address in spite of your settings, it's a bit of a kick - you'd have to make sure to block them on that device's firewall if you can't disable DoT, and that's more work lol

If you like, there are some shortcuts in asus's software on the router I was thinking about last night - you can set a certain device's dns server to use in a table that saves you entering firewall rules and it will survive a reboot, it effectively adds the intercept rules permanently and perhaps more easily lol However, you'd still need to have the router do one set of blocking and everyone else manage themselves.

EDIT: Forum posting woes :confused: For some reason, it won't let me post the folder location where you can find your hosts file on linux/windows.
 

Martineau

Part of the Furniture
Thanks for the detailed reply!

The only problem I see with this though is that if I want to block something different on another device, it won't work.
For example if I only want to block youtube on my computer but not twitch.

I will probably use this however if I cannot find another method.
Old-skool method: Create a firewall DROP rule for each MAC/Domain pair

e.g. Prevent MAC 'de:ad:de:ad:de:ad' from accessing 'twitch.tv'
Code:
iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -d twitch.tv -j DROP
and the resulting firewall outbound blocking rules.....
Code:
iptables  --line -t filter -nvL FORWARD 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    1695K 1020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2     136K   13M MyVLANs    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3     136K   13M MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
4    33844 1817K MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
5        3   132 MyLifx     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Lifx src,dst
<snip>
17       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.194.167      MAC DE:AD:DE:AD:DE:AD
18       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.2.167        MAC DE:AD:DE:AD:DE:AD
19       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.66.167       MAC DE:AD:DE:AD:DE:AD
20       0     0 DROP       all  --  *      *       0.0.0.0/0            151.101.130.167      MAC DE:AD:DE:AD:DE:AD
Unfortunately the 4 auto-created DROP rules (17 to 20) shown above will only add the IP Addresses for the target domain at the moment the command is executed.

Solution.... use dnsmasq to dynamically populate an IPSET in real-time with all newly discovered IP Addresses used by the target domain

e.g. configure dnsmasq to track all of the IP Addresses used by the two domains 'twitch.tv' /'tiktok.com'
Code:
ipset create BLOCK_Domain hash:net comment

echo -e "ipset=/twitch.tv/BLOCK_Domain\n"    >>/jffs/configs/dnsmasq.conf.add
echo -e "ipset=/tiktok.com/BLOCK_Domain\n"   >>/jffs/configs/dnsmasq.conf.add

etc.

service restart_dnsmasq
Reference 'twitch.tv'
Code:
nslookup twitch.tv

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      twitch.tv
Address 1: 151.101.2.167
Address 2: 151.101.130.167
Address 3: 151.101.194.167
Address 4: 151.101.66.167
and verify that dnsmasq has indeed auto populated the IPSET with the current resolved IPs
Code:
ipset list BLOCK_Domain

Name: BLOCK_Domain
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 604
References: 0
Number of entries: 4
Members:
151.101.2.167
151.101.130.167
151.101.194.167
151.101.66.167
Now you can create a single rule for a specific MAC that will be blocked if the IP address matches any of the target domains
Code:
iptables -A FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m set --match-set BLOCK_Domain dst -j DROP
If you only have a few MACs you wish to restrict, then simply replicate the rule, otherwise, store your list of MACs in another IPSET, and create a single rule to match multiple MACs with the Blocked domains

e.g.
Code:
ipset create MAC hash:mac comment

ipset add MAC de:ad:de:ad:de:ad comment "Joe laptop"
ipset add MAC ba:ad:ba:ad:ba:ad comment "Jane phone"
etc.
Confirm the MACs are now defined in the IPSET
Code:
ipset list MAC

Name: MAC
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536 comment
Size in memory: 242
References: 0
Number of entries: 2
Members:
DE:AD:DE:AD:DE:AD comment "Joe laptop"
BA:AD:BA:AD:BA:AD comment "Jane phone"
and create the single (rather than 4) Blocking rule
Code:
iptables -A FORWARD -m set --match-set MAC src -m set --match-set BLOCK_Domain dst -j DROP
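An added example, not Martineau's or Asuswrt-Merlin's own code: the ipset + dnsmasq + single-rule scheme above written as an idempotent script that can be re-run (for instance from /jffs/scripts/firewall-start) without duplicating dnsmasq lines, set entries or FORWARD rules. Assumed names are the set BLOCKED_MACS (called MAC in the post) and the DRY_RUN switch; BLOCK_Domain and /jffs/configs/dnsmasq.conf.add come from the post.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): idempotent setup of
# "MACs in one ipset, resolved domain addresses in another, one DROP rule".
# DRY_RUN=1 prints the privileged commands instead of running them, so the
# logic can be checked on any machine without root, ipset or iptables.

DOMAIN_SET=BLOCK_Domain              # from the post: filled by dnsmasq
MAC_SET=BLOCKED_MACS                 # assumed name; the post calls it MAC
DNSMASQ_ADD=${DNSMASQ_ADD:-/jffs/configs/dnsmasq.conf.add}
DRY_RUN=${DRY_RUN:-0}

# Run a privileged command, or just echo it when DRY_RUN=1
# (the echo drops quoting, which is fine for review).
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The dnsmasq directive that makes every address resolved for DOMAIN
# (and its subdomains) land in DOMAIN_SET: ipset=/domain/SETNAME
dnsmasq_line() {
  printf 'ipset=/%s/%s\n' "$1" "$DOMAIN_SET"
}

# Accept only a well-formed MAC (six colon-separated hex pairs); a typo
# here would silently match nothing and the device would never be blocked.
valid_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Append the directive once: grep -xF matches the whole line literally, so a
# second run (every reboot) does not grow the file with duplicates.
add_domain() {
  line=$(dnsmasq_line "$1")
  if [ -f "$DNSMASQ_ADD" ] && grep -qxF "$line" "$DNSMASQ_ADD"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$DNSMASQ_ADD"
}

# -exist turns create/add into no-ops when the set or entry already exists.
ensure_sets() {
  run ipset create "$DOMAIN_SET" hash:net comment -exist
  run ipset create "$MAC_SET" hash:mac comment -exist
}

add_mac() {
  valid_mac "$1" || { echo "refusing malformed MAC: $1" >&2; return 1; }
  run ipset add "$MAC_SET" "$1" comment "$2" -exist
}

# One rule covers every MAC in MAC_SET against every address in DOMAIN_SET.
# It is inserted at the top (-I): the FORWARD listing above starts with an
# ACCEPT for RELATED,ESTABLISHED, so an appended (-A) DROP would sit behind
# earlier ACCEPTs. iptables -C reports whether the rule is already present.
ensure_rule() {
  rule="FORWARD -m set --match-set $MAC_SET src -m set --match-set $DOMAIN_SET dst -j DROP"
  if [ "$DRY_RUN" = 1 ] || ! iptables -C $rule 2>/dev/null; then
    run iptables -I $rule
  fi
}

main() {
  ensure_sets
  add_domain twitch.tv
  add_domain tiktok.com
  add_mac de:ad:de:ad:de:ad "Joe laptop"
  add_mac ba:ad:ba:ad:ba:ad "Jane phone"
  ensure_rule
  # Reload dnsmasq so the new ipset= lines take effect; the set then fills
  # as LAN clients resolve those domains through the router.
  run service restart_dnsmasq
}

# Only act when invoked as `sh block_domains.sh apply`, so sourcing the file
# for review does nothing privileged.
if [ "${1:-}" = apply ]; then main; fi
```

The domain set is populated only by lookups that pass through the router's dnsmasq: a device that resolves through its own DNS-over-TLS resolver (as Linux_Chemist notes below) adds nothing to it, though it is still blocked for any address another LAN client has already resolved.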
 

Livin

Regular Contributor
This is good info!!!

Big Question... why isn't there an app for this! If this was built-into Diversion or Skynet that would be HUGE!
 

Scobie

New Around Here
When I looked up the "iptables --line -t filter -nvL FORWARD", I found this, since I put twitch on global URL blocking for the time being:
Code:
3        0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "twitch" ALGO name bm TO 65535 ICASE
4        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url twitch  reject-with tcp-reset
Wouldn't it be possible to do something like:
Code:
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD -p udp -m udp --dport 53 -m string --string "twitch" --algo bm --to 65535 --icase -j DROP
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD -p tcp -m webstr --url twitch -j REJECT --reject-with tcp-reset
 

Martineau

Part of the Furniture
Wouldn't it be possible to do something like:
Code:
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD -p udp -m udp --dport 53 -m string --string "twitch" --algo bm --to 65535 --icase -j DROP
iptables -A FORWARD -m mac --mac-source DE:AD:DE:AD:DE:AD -p tcp -m webstr --url twitch -j REJECT --reject-with tcp-reset
Yes

I wrote a script many years ago,.....can't recall if it was 100% reliable...i.e. the search string could conceivably be split between packets, plus of course https won't work
Code:
#********************************************************************************************************************************************
#*****  NOTE As of 376.47, if PC Controls is enabled then this script won't work!                                                       *****
#********************************************************************************************************************************************

# This script was written to overcome a 'bug'!.........and overcome the 128 keywords filter limitation?
# Beware that entries added to the FORWARD table WILL be wiped if U turn ON/OFF either the Asus GUI URL or KEYWORD filtering!!
# So if you already had selective routing with forced VPN i.e. no WAN access, then this will be erased allowing supposedly blocked devices
# to use the WAN if their VPN goes down.!

# NOTE: Logically you would expect to add the -j DROP / -j REJECT to the OUTPUT chain, but clearly blocking the results
#       from being returned to the user is what filtering implies!

# Use of IPTABLES for URL filtering is a hack, and the preferred solution would be to use a true Proxy Server such as SQUID
# i.e. for string filtering, there is no guarantee that the search string wouldn't be split across two packets!

# Beware that ALL times are based on UTC, so if on British Summer Time (BST) etc. then you will be an hour out!
#   e.g. Suppose U only want to allow Dailymail access during lunchtime, on BST the following would be actually applied as 13:30 to 14:30!

#          iptables -I FORWARD -m webstr --url Dailymail -p tcp -j REJECT --reject-with tcp-reset
#          iptables -I FORWARD -m webstr --url Dailymail -m time --timestart 12:30 --timestop 13:30 -j ACCEPT


#
#         URLString_match        {keyword | -?}        {reject | drop | accept} {-d | -url | -str}
#
#                           where keyword     text string you wish to filter (case insensitive)
#                                  -?        lists the current URL/STRING filters
#
#                                  reject|accept|drop   
#
#                                  -d        deletes URL and STRING matching rules - keyword is case sensitive
#                                  -url        only creates a URL filter
#                                  -str        only creates a STRING filter
#    e.g.

#        URLString_match        -?
        
#        URLString_match        PorN
#        URLString_match        PorN        -d
#
#        URLString_match        PoRn        reject
#        URLString_match        PoRn        reject    -d

##        URLString_match        sex            reject    -url
#        URLString_match        Middlesex    accept    -url
 

Scobie

New Around Here
I have no idea how the iptables command really works, how would I edit/add to rule 3 that this would only be for MAC address XX:XX:XX:XX? If I do that, then I can probably add the global rule again from router.asus.com to edit the 2nd MAC address.

Or maybe does this command actually work:
Code:
iptables -I FORWARD -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url Dailymail -p tcp -j REJECT --reject-with tcp-reset
 

Scobie

New Around Here
Ok so after some tinkering I feel like I am getting closer.
The above command does not work, but neither does the above command without the MAC.

Anyway the global blocker adds the following rules:
Code:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
2    DROP       udp  --  anywhere             Router              udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
...

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "twitch" ALGO name bm TO 65535 ICASE
2    REJECT     tcp  --  anywhere             anywhere            WEBSTR match url twitch  reject-with tcp-reset
...
With the above command
Code:
iptables -I FORWARD -m mac --mac-source DA:AD:DA:AD:DA:AD -m webstr --url youtube -p tcp -j REJECT --reject-with tcp-reset
we get the following:
Code:
1    REJECT     tcp  --  anywhere             anywhere             MAC DA:AD:DA:AD:DA:ADWEBSTR match url youtube  reject-with tcp-reset
with no space between the MAC address and WEBSTR, which is a little concerning.
But it does not work without the MAC address either, so hopefully we just need to add the FORWARD and INPUT rules, and it would say the same with the MAC address.
 

Martineau

Part of the Furniture
The mangled display of the iptables rule is purely cosmetic...
Code:
iptables  --line -t filter -nvL FORWARD | grep -i dailymail

1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC DE:AD:DE:AD:DE:ADWEBSTR match url dailymail  reject-with tcp-reset
If you dump the iptables, the rule is correctly revealed
Code:
iptables-save | grep -i dailymail

-A FORWARD -p tcp -m mac --mac-source DE:AD:DE:AD:DE:AD -m webstr --url dailymail  -j REJECT --reject-with tcp-reset
Also, the TCP rule works for me..and correctly blocks the LAN device with the matching MAC from accessing the websites/urls
Code:
iptables  --line -t filter -nvL FORWARD | grep -iE "dailymail|twitch|bytes"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination    
1       10  3860 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url dailymail  reject-with tcp-reset
2        4  2034 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AC:xx:xx:xx:xx:xxWEBSTR match url twitch.tv  reject-with tcp-reset
 

Scobie

New Around Here
Maybe dailymail doesn't use udp, cause when I block dailymail it works but not youtube.
I guess the only thing left is how to type in the two udp commands, the problem is I haven't figured out how to do that yet.
 

Scobie

New Around Here
I finally solved it, this is what you want to do to block any domain with URL filtering for a certain MAC address:
Code:
iptables -I FORWARD -p tcp -m mac --mac-source de:ad:de:ad:de:ad -m webstr --url youtube -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
iptables -I INPUT -d 192.168.1.1/32 -i br0 -p udp -m mac --mac-source de:ad:de:ad:de:ad -m udp --dport 53 -m string --string "youtube" --algo bm --to 65535 --icase -j DROP
Only tcp blocking (the first command) works for some sites, but other sites like youtube use udp as a backup if tcp doesn't work.
 

toaruScar

Occasional Visitor
Will this still work, if the device is not connected directly to the router, but rather by a switch?
 

Livin

Regular Contributor
Where are you entering these iptable commands?
 

Livin

Regular Contributor
Connect to the router via SSH.
gotcha... I'm testing OpenDNS to see if that makes it work, easier. It doesn't allow me to exclude or target specific MACs but I can deal with it since OpenDNS can be granular and customized by URL. I'll just change DNS servers for systems (only 1 or 2) that need to get to YouTube, etc
 
