
Opened 6 years ago

Closed 6 years ago

Last modified 3 years ago

#11835 closed enhancement (wontfix)

Firewall - Url and domain filter

Reported by: openwrt Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

Hi, please add the possibility to use a domain name and URL in option src_ip.
It is a very annoying limitation that it isn't possible to block a site or domain.
Many thanks

Attachments (0)

Change History (11)

comment:1 Changed 6 years ago by jow

  • Resolution set to wontfix
  • Status changed from new to closed

Iptables is the wrong place for this kind of functionality, you might want to look into a transparent proxy solution.

comment:2 Changed 6 years ago by openwrt

  • Resolution wontfix deleted
  • Status changed from closed to reopened

You're right, Jow, but why do I need to install a proxy when other firmwares do it with iptables?

It is simpler to do something like this:

config rule
        option src              lan
        option dest             wan
        option dest_ip          facebook.com
        option target           REJECT

Is this feature complicated to implement?
Many thanks

comment:3 Changed 6 years ago by jow

  • Resolution set to wontfix
  • Status changed from reopened to closed

Yes it is and it will not work like proposed above. Real DNS domain matching in iptables requires complex operations, including u32 matches, string search operations and prefix based delegations to chains in order to do it efficiently.

Merely specifying a domain at rule creation time does not work like you think it does. It will resolve to a single IP which happens to be current in the DNS round robin at that particular time and from then on only match this specific IP. Big sites which use geolocation-based DNS round robin balancing will not get filtered this way.

I doubt "other firmwares" do it properly either. Next time when reopening a "wontfix" ticket propose a workable solution or at least a worthwhile approach which can be acted upon.

comment:4 Changed 6 years ago by jow

To extend the above: to filter URLs you need HTTP awareness, a.k.a. an HTTP-Proxy server. To filter domains you need DNS awareness, a.k.a. a DNS-Proxy, neither is a suitable task for iptables which is a layer 3 packet filter, not a layer 7 alg.

comment:5 follow-up: Changed 6 years ago by openwrt

Thanks for your explanation Jow, I switched to gargoyle firmware (openwrt based) that can do it.
Gargoyle and dd-wrt are using a proxy solution?

comment:6 in reply to: ↑ 5 Changed 6 years ago by anonymous

Replying to openwrt:

Thanks for your explanation Jow, I switched to gargoyle firmware (openwrt based) that can do it.
Gargoyle and dd-wrt are using a proxy solution?

DD-WRT uses Squid; not sure about Gargoyle. Squid is an installable package in OpenWRT.

comment:7 Changed 6 years ago by openwrt

Thanks again Jow, I will try squid...

comment:8 Changed 4 years ago by ninix

How about an approach like this...

Install the necessary iptables modules:

opkg update
opkg install kmod-ipt-filter iptables-mod-filter

Block the DNS requests for the desired sites. (UDP can be enough, but to be sure use TCP as well.)
Info: Those rules should be above any other rules that may allow this specific traffic, otherwise they will have no effect!

#Case [1] when the user is using its own DNS servers...
#Note: the name in a DNS query is carried as length-prefixed labels (08 "facebook" 03 "com" 00),
#so the wire form has to be matched with --hex-string; a literal --string "facebook.com"
#never matches because the dot is not in the packet.
iptables -A FORWARD -p udp --dport 53 -m string --algo bm --hex-string "|08|facebook|03|com|00|" -j DROP
iptables -A FORWARD -p tcp --dport 53 -m string --algo bm --hex-string "|08|facebook|03|com|00|" -j DROP

#Case [2] the router acts as a DNS proxy - IPtables rules
iptables -A INPUT   -p udp --dport 53 -m string --algo bm --hex-string "|08|facebook|03|com|00|" -j DROP
iptables -A INPUT   -p tcp --dport 53 -m string --algo bm --hex-string "|08|facebook|03|com|00|" -j DROP

Block DNS requests in the OpenWRT DNS service.
Note: This will have no effect if the user is using its own DNS servers and not the router.
Edit the "/etc/dnsmasq.conf" file and append this:

#Case [3] the router acts as a DNS proxy - DNS rules
#List of sites that are blocked by DNS server (ADS/Trackers/Stats/Crap/Etc)
address=/adocean.pl/0.0.0.0
address=/gemius.pl/0.0.0.0
address=/doubleclick.net/0.0.0.0
address=/google-analytics.com/0.0.0.0

address=/facebook.com/0.0.0.0
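A helper for the approach in comment:8, added here as an example and not ninix's script (the function names are mine): it encodes a domain into the length-prefixed label form that DNS puts on the wire, which is what -m string has to match, and prints the iptables and dnsmasq lines for it.

```shell
#!/bin/sh
# Added example, not from the ticket. Function names are my own.
# In a DNS query the name is carried as length-prefixed labels ending in a
# zero byte: "facebook.com" is 08 'facebook' 03 'com' 00, so the dot that
# --string "facebook.com" looks for is never in the packet. dns_wire_hex
# prints the wire form in the |xx| notation that -m string --hex-string takes.
dns_wire_hex() {
    domain=$1
    out=""
    oldifs=$IFS
    IFS='.'                      # split the name into labels (POSIX sh, no arrays)
    for label in $domain; do
        len=${#label}
        # a label is 1..63 octets; reject empty labels (e.g. "a..b") and overlong ones
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            IFS=$oldifs
            return 1
        fi
        out="${out}$(printf '|%02x|%s' "$len" "$label")"
    done
    IFS=$oldifs
    printf '%s|00|\n' "$out"
}

# Print (not apply) the rules for one domain: FORWARD for clients that use
# their own resolver, INPUT when the router is the resolver, UDP and TCP in
# both cases. -I puts them ahead of any ACCEPT rule, as comment:8 requires.
dns_block_rules() {
    hex=$(dns_wire_hex "$1") || return 1
    for chain in FORWARD INPUT; do
        for proto in udp tcp; do
            printf 'iptables -I %s -p %s --dport 53 -m string --algo bm --hex-string "%s" -j DROP\n' \
                "$chain" "$proto" "$hex"
        done
    done
}

# The dnsmasq line that answers the same name with 0.0.0.0 (case [3]).
dnsmasq_block_line() {
    printf 'address=/%s/0.0.0.0\n' "$1"
}

# Usage: sh block-domain.sh facebook.com  (constructed sample; prints only)
if [ -n "$1" ]; then
    dns_block_rules "$1" && dnsmasq_block_line "$1"
fi
```

Review the printed lines before running them on the router; subdomains such as www.facebook.com still contain the facebook.com label sequence, so the single rule covers them too.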

comment:9 Changed 4 years ago by ninix

Another option is to use OpenDNS servers as the DNS servers on the router and for the LAN users, then configure parental control on the OpenDNS web site...

I know this question is old, but maybe someone may need a solution for this problem.
Cheers!

comment:10 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:11 Changed 3 years ago by anonymous

Ninix, thank you so much for this answer. It did indeed help me out. Thank you!
