URL filtering with DD-WRT v23
I recently flashed my Linksys WRT54g with the open source DD-WRT firmware, v23 (12/25/05). I like the extra tuning and control it gives you, but one thing I noticed is that the Website Blocking by URL Address doesn’t work. I tried and tried to get it working but it just wouldn’t go. I would enter my computer’s MAC address into the list of PCs, then add a website URL (www.somesite.com) and save the changes. Then I would try to load www.somesite.com and it would load just fine. But then I got smart.
I did lots of research on the Internet and in the forums, and a few other folks had seen similar problems. After some experimentation I finally got it to work. The problem, at least for me, was that when the web form is used to add URLs it appends "< >" to the end of each URL, and that breaks the filtering. What I did was use the web form to enter the MAC addresses, then connect to the WRT via telnet.
I then issued these commands (I was using policy #1; watch for line wrapping):
iptables -I advgrp_1 1 -p tcp -m webstr --url "site1.com" -j REJECT --reject-with tcp-reset
iptables -I advgrp_1 1 -p tcp -m webstr --url "site2.com" -j REJECT --reject-with tcp-reset
This completely cut off access to the unwanted sites (site1.com and site2.com in the example). If I need to reboot the router I’ll have to re-enter these commands, but I could probably automate this by using the following:
nvram set rc_firewall="
iptables -I advgrp_1 1 -p tcp -m webstr --url \"site1.com\" -j REJECT --reject-with tcp-reset
iptables -I advgrp_1 1 -p tcp -m webstr --url \"site2.com\" -j REJECT --reject-with tcp-reset"
nvram commit
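The two steps above (generate one webstr rule per site for a policy, then store the rules in rc_firewall so they survive a reboot) as a single script. This is an added example, not code from the original post. It assumes DD-WRT names the chain for access policy N "advgrp_N" (the post only shows advgrp_1 for policy 1) and that iptables and nvram are run on the router itself; the validation step exists because of the stray "< >" the web form appends.

```shell
#!/bin/sh
# Added example, not code from the original post. Turns a list of host names
# into the iptables/webstr rules shown above and, on the router only, stores
# them in nvram's rc_firewall so they are re-applied after a reboot.
# Assumption: DD-WRT names the chain for access policy N "advgrp_N"; the post
# shows this only for policy 1.

# valid_site NAME: succeed only for a bare host name (letters, digits, dots,
# hyphens). This rejects the "<" and ">" the web form appended, and a pasted
# "http://" prefix, before they can break the rule.
valid_site() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_rules POLICY SITE...: print one rule per site, inserted at position 1
# of the policy's chain. Invalid names are skipped and the function returns 1.
build_rules() {
    policy="$1"; shift
    rc=0
    for site in "$@"; do
        if valid_site "$site"; then
            # REJECT with a TCP reset so the browser fails at once instead of timing out.
            printf 'iptables -I advgrp_%s 1 -p tcp -m webstr --url "%s" -j REJECT --reject-with tcp-reset\n' "$policy" "$site"
        else
            printf 'skipping invalid site name: %s\n' "$site" >&2
            rc=1
        fi
    done
    return "$rc"
}

# persist_rules POLICY SITE...: store the rules in rc_firewall, which DD-WRT
# runs when the firewall starts, then commit nvram (router only).
persist_rules() {
    rules=$(build_rules "$@") || return 1
    nvram set rc_firewall="$rules" && nvram commit
}

# apply_rules POLICY SITE...: run the generated rules now (router only).
apply_rules() {
    build_rules "$@" | sh
}

case "${1:-}" in
    --show)  shift; build_rules "$@" ;;
    --apply) shift; persist_rules "$@" && apply_rules "$@" ;;
esac
```

Run `sh block.sh --show 1 site1.com site2.com` anywhere to see the rules it would apply, and `--apply` on the router to store and load them. Two caveats to keep in mind: the webstr match inspects the contents of plaintext HTTP requests, so it does not see host names inside TLS connections, and inserting at position 1 puts the rule ahead of anything else DD-WRT already placed in the policy chain.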
I’ve never actually tried replacing the firmware on my Linksys router. At work, I’ve got some branch offices that I’d love to be able to block all sites except site x, y, and z. In the brief poking I’ve done in the standard Linksys firmware, I don’t think you can do that. Can you in the open source replacement?
Comment by Mat on February 6th, 2006 at 8:45 am
Yes, the open source firmware CAN do this. Check out HyperWRT or OpenWRT.
Comment by Harold DeWayne on March 17th, 2006 at 10:13 pm
I found this post when trying to fix this exact problem.
I’m on dd-wrt v23 SP2 and it’s been a while since your post, but I thought I would go ahead and post just in case you are on the same version and you never got a fix.
There’s a button labeled “Edit List of PCs” on the top of the Access Restrictions page under the Access Policy section. If you include the IPs or IP range that you want the policy in question to affect, it should work. As soon as I did this, it worked. Like you might have, I assumed a policy would apply to all IP addresses on the network, but that wouldn’t fly if, for example, you wanted to shut a user down between 12:00AM and 8:00AM. Obviously, you would shut the whole network down if that were the case.
Comment by big cheez on September 18th, 2006 at 6:55 am
I’m running dd-wrt v23 SP2. I’d tried to implement URL blocking and had trouble until I entered an IP address range and a Policy Name and then enabled and saved the policy.
Is it possible that you left out the Policy Name when you specified the MAC address?
Slade.
Comment by Slade Winstone on December 19th, 2006 at 1:18 am
What do you change to do this for another policy #?
iptables -I advgrp_2 2 -p tcp -m webstr --url "site1.com" -j REJECT --reject-with tcp-reset
or…?
Comment by check on July 24th, 2007 at 3:23 pm
Okay, I got this linksys url block shit working fine without doing so many commands like you did. I simply created a policy like this….. 1. Policy(1) 2. status enable 3. edit list of pcs.. in the pc list or mac list, type in the pc or mac ip you want to block for and save.. after that.. block–24hr —- everyday… now in the blocking url website box put in this format: http://www.(website).com… like that.. it should work fine.. because if you try to ping it in the cmd it should work.. if you try to ping it in the cmd with http://……com shit it doesn’t work.. I’m glad I got this funky shit working.. took me hours.. bullshit!
Comment by TechPro on September 5th, 2007 at 9:26 pm
Homie, what do you want for free. Took you hours, took me 10 min. Put the pipe away for your next project. Have a toke AFTER it’s done, you will be surprised how much faster it will go.
Comment by Homie on September 20th, 2007 at 2:20 pm
Haha too funny. What I need to know is, can I block more than 6 measly sites???
I block myspace, they go to flickr, I block flickr, they go to youtube, I block youtube, they go to ***.com and on and on and on.
Comment by RickyC on September 20th, 2007 at 2:21 pm
I just implemented blocking for my house using OpenDNS. It was tricky with the DD-WRT (23SP2). I used the OpenDNS DNS servers in the DD-WRT setup. I had to uncheck ‘Use DNSMasq for DNS’ and make sure all PCs in the house get their DNS from DHCP. I also set up Dynamic address updating (DDNS tab) using OpenDNS’ dnsomatic service. Works quite well and allows you to block whole categories of sites.
One final thing I did is block block.opendns.com on the DD-WRT. I know OpenDNS gets money from advertising on their block pages and that’s how they keep the service free, but some of the links I saw on the ‘block’ page were in categories I wanted blocked, and those links were not blocked, so I figured the best way was to just block the block page.
Comment by MLM on February 24th, 2008 at 9:52 am