Simmons Consulting, the Website of Toby Simmons

URL filtering with DD-WRT v23

05 Feb

I recently flashed my Linksys WRT54g with the open source DD-WRT firmware, v23 (12/25/05). I like the extra tuning and control it gives you, but one thing I noticed is that the Website Blocking by URL Address doesn’t work. I tried and tried to get it working but it just wouldn’t go. I would enter my computer’s MAC address into the list of PCs, then add a website URL (www.somesite.com) and save the changes. Then I would try to load www.somesite.com and it would load just fine. But then I got smart.

I did lots of research on the Internet and in the forums, and a few other folks had seen similar problems. I did some experimentation and finally got it to work. It seems the problem, at least for me, was that when you use the web form to add URLs, it appends a non-breaking space (&nbsp;) to the end of each URL. Unfortunately, this breaks the filtering. What I did was use the web form to insert the MAC addresses, then connected to the WRT via telnet.

I then issued these commands (I was using policy #1; watch for line wrapping):

  iptables -I advgrp_1 1 -p tcp -m webstr --url "site1.com" -j REJECT --reject-with tcp-reset
  iptables -I advgrp_1 1 -p tcp -m webstr --url "site2.com" -j REJECT --reject-with tcp-reset

This completely cut off access to the unwanted sites (site1.com and site2.com in the example). If I need to reboot the router, I’ll have to re-enter these commands, but I could probably automate this by using the following:

  nvram set rc_firewall="
  iptables -I advgrp_1 1 -p tcp -m webstr --url \"site1.com\" -j REJECT --reject-with tcp-reset
  iptables -I advgrp_1 1 -p tcp -m webstr --url \"site2.com\" -j REJECT --reject-with tcp-reset"
  nvram commit
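The procedure above, as an added example that is not part of the original post: a small POSIX sh script that generates the webstr rules and the matching nvram commands for any policy number, and strips the stray whitespace and &nbsp; the web form appends. The function names are mine; the rule format is the one the post uses, where the chain advgrp_N follows the policy number (policy #1 uses advgrp_1) and the 1 after it is the rule position, not the policy.

```shell
#!/bin/sh
# Added example: builds the DD-WRT webstr blocking rules for one Access
# Restrictions policy and the nvram commands that re-apply them at boot.
# Function names are mine; the rule format is the one used in the post.

# clean_site STRING -> prints the site with the web form's stray "&nbsp;",
# surrounding whitespace and any "http://" prefix removed. Fails if anything
# other than host/path characters remains, because the result is written into
# rc_firewall, which the router executes with a shell on every boot.
clean_site() {
  s=$(printf '%s' "$1" | sed -e 's/&nbsp;//g' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##')
  case $s in
    *[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  printf '%s' "$s"
}

# block_rule POLICY SITE -> prints one iptables command. The chain is
# advgrp_<POLICY> (policy #1 uses advgrp_1); the "1" after it is the insert
# position, so the rule lands at the top of the chain ahead of DD-WRT's own.
block_rule() {
  site=$(clean_site "$2") || return 1
  [ -n "$site" ] || return 1
  printf 'iptables -I advgrp_%s 1 -p tcp -m webstr --url "%s" -j REJECT --reject-with tcp-reset\n' \
    "$1" "$site"
}

# rc_firewall_value POLICY SITE... -> the multi-line string to store in the
# rc_firewall nvram variable; invalid entries are reported and skipped.
rc_firewall_value() {
  policy=$1; shift
  for site in "$@"; do
    block_rule "$policy" "$site" || printf 'skipping invalid entry: %s\n' "$site" >&2
  done
}

# nvram_commands POLICY SITE... -> prints the "nvram set"/"nvram commit" pair
# with the inner quotes escaped, ready to paste into a telnet session.
nvram_commands() {
  rules=$(rc_firewall_value "$@")
  printf 'nvram set rc_firewall="%s"\nnvram commit\n' \
    "$(printf '%s' "$rules" | sed 's/"/\\"/g')"
}
```

On the router, `rc_firewall_value 1 site1.com site2.com | sh` applies the rules immediately and `nvram_commands 1 site1.com site2.com | sh` makes them survive a reboot; note that webstr matches on the plaintext HTTP request, so these rules do not apply to HTTPS connections.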

Comments (11)

  1. Mat says:

    I’ve never actually tried replacing the firmware on my Linksys router. At work, I’ve got some branch offices that I’d love to be able to block all sites except site x, y, and z. In the brief poking I’ve done in the standard Linksys firmware, I don’t think you can do that. Can you in the open source replacement?

  2. Harold DeWayne says:

    Yes, the open source firmware CAN do this. Check out HyperWRT or OpenWRT.

  3. big cheez says:

    I found this post when trying to fix this exact problem.
    I’m on dd-wrt v23 SP2 and it’s been a while since your post, but I thought I would go ahead and post just in case you are on the same version and you never got a fix. :)

    There’s a button labeled “Edit List of PCs” on the top of the Access Restrictions page under the Access Policy section. If you include the IPs or IP range that you want the policy in question to affect, it should work. As soon as I did this, it worked. Like you might have, I assumed a policy would apply to all IP addresses on the network, but that wouldn’t fly if, for example, you wanted to shut a user down between 12:00AM and 8:00AM. Obviously, you would shut the whole network down if that were the case.

  4. Slade Winstone says:

    I’m running dd-wrt v23 SP2. I’d tried to implement URL blocking and had trouble until I entered an IP address range and a Policy Name and then enabled and saved the policy.

    Is it possible that you left out the Policy Name when you specified the MAC address?

    Slade.

  5. check says:

    What do you change to do this for another policy #?
    iptables -I advgrp_2 2 -p tcp -m webstr --url "site1.com" -j REJECT --reject-with tcp-reset

    or…?

  6. TechPro says:

    okay, I got this linksys url block shit working fine without doing so many commands like you did. I simply created a policy like this….. 1. Policy(1) 2. status enable 3. edit list of pcs.. in the pc list or mac list, type in the pc or mac ip u want to block for and save.. after that.. block–24hr —- everyday… now in the blocking url website box put in this format: www.(website).com… like that.. it should work fine.. because if u try to ping it in the cmd it should work.. if u try to ping it in the cmd with http://……com shit it don’t work.. I’m glad i got this funky shit working.. took me hours.. bullshit!

  7. Homie says:

    Homie, what do you want for free. Took you hours, took me 10 min. Put the pipe away for your next project. Have a toke AFTER it’s done, you will be surprised how much faster it will go.

  8. RickyC says:

    Haha too funny. What I need to know is, can I block more than 6 measly sites???
    I block myspace, they go to flickr, I block flickr, they go to youtube, I block youtube, they go to ***.com and on and on and on.

  9. MLM says:

    I just implemented blocking for my house using OpenDNS. It was tricky with the DD-WRT (23SP2). I used the OpenDNS DNS servers in the DD-WRT setup. I had to uncheck ‘Use DNSMasq for DNS’ and make sure all PCs in the house get their DNS from DHCP. I also set up Dynamic address updating (DDNS tab) using OpenDNS’ dnsomatic service. Works quite well and allows you to block whole categories of sites.

    One final thing I did is block block.opendns.com on the DD-WRT. I know OpenDNS gets money from advertising on their block pages and that’s how they keep the service free, but some of the links I saw on the ‘block’ page were in categories I wanted blocked, and those links were not blocked, so I figured the best way was to just block the block page.

  10. Harold DeWayne says:

    Personally, I use IPTABLES to block websites and keep the list in a text file so I can reload it if I happen to lose firewall settings (for whatever reason).
