LinuxQuestions.org

Linux - Networking: Block all websites for most PCs, and Whitelists some PCs??? (https://www.linuxquestions.org/questions/linux-networking-3/block-all-websites-for-most-pcs-and-whitelists-some-pcs-4175477009/)

Milkman00 09-13-2013 11:40 AM

Block all websites for most PCs, and Whitelists some PCs???
 
Hello all...

So a little bit of context. I have been wracking my brains trying to get this working and have been very unsuccessful. I am trying to get this working using IPTables in a DD-WRT environment. I know this forum isn't specifically for DD-WRT, but since we are talking about Linux commands, I am hoping it is transferable.

Basically, by default, I am trying to block ALL PCs' access to all of the internet except 3 sites (Google, Yahoo, and DD-WRT). I have one PC, listed by MAC address, that I want to have full unrestricted access.

This is what I am using (saving it under FIREWALL commands) and it doesn't seem to be working:

Code:

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt Machine MAC
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d website1 -j ACCEPT
iptables -I wanout -d website2 -j ACCEPT
iptables -I wanout -d website3 -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable


Milkman00 09-13-2013 02:07 PM

I reduced my code to this and cannot get my exempted PC to communicate. Any help would be appreciated.

Code:

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt Machine MAC
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable


Milkman00 09-18-2013 06:31 PM

I want to post my final DD-WRT settings for anyone that may read this thread later.

Since MAC-based rules don't seem to work on this build, DD-WRT v24-sp2 (05/27/13) mini (SVN revision 21676), I had to use IP-based exceptions in order to make it work the way I want. So that said, I set the machines that I wanted to exempt to have static DHCP-assigned IP addresses.

Here is the code that I used:

Code:

# IP Tables White Listing script by phuzi0n -Tek @ DD-WRT Forum :: View topic - White List
# Version 1.1 for older chipsets and/or experimental firmware builds. Please freeze this version. GeeTek.
# URL for this Wiki Page Blocking URLs/IPs - DD-WRT Wiki

# Set up the chain
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt Machine IP (one line per exempted machine; give each one a static DHCP lease first)
iptables -I wanout -s 192.168.1.2 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d site1allowed.com -j ACCEPT
iptables -I wanout -d site2allowed.com -j ACCEPT
iptables -I wanout -d site3allowed.com -j ACCEPT
iptables -I wanout -d site4allowed.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable


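As an added example (not code from the thread, from phuzi0n's script or from DD-WRT), here is a re-runnable variant of the final setup: it rebuilds the wanout chain from scratch on every run, so it can be re-run from cron to refresh the hostname-to-IP mapping that the comments above warn is frozen at insert time, and it adds one rule per address a whitelisted name resolves to. The nslookup output parsing and the LAN_IF, EXEMPT_IPS and ALLOW_HOSTS variables are assumptions; set IPT=echo to see the rules without applying them.

```sh
# Added example, not code from the thread: a re-runnable version of the wanout
# whitelist. Assumed inputs (set by the caller): LAN_IF, EXEMPT_IPS (space-separated),
# ALLOW_HOSTS (space-separated). Set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
CHAIN=wanout

# parse_nslookup: read nslookup output on stdin, print every IPv4 answer address, one per
# line. Server lines precede "Name:" and are skipped; IPv6 answers are dropped. Handles
# the busybox form ("Address 1: 1.2.3.4 host") and the ISC form ("Address: 1.2.3.4").
parse_nslookup() {
    awk '/^Name/ { found = 1 }
         found && /^Address/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
         }' | sort -u
}

# resolve_host NAME: all IPv4 addresses NAME currently resolves to. A "-d hostname" rule
# freezes the single address looked up at insert time; resolving here and adding one rule
# per address covers names with several A records, and a rerun refreshes the set.
resolve_host() {
    nslookup "$1" 2>/dev/null | parse_nslookup
}

# emit_rules LAN_IF "EXEMPT_IPS" "ALLOW_IPS": print the iptables commands, in order.
# The chain is created or flushed and the FORWARD jump is deleted before being
# re-inserted, so running the script twice does not stack duplicate rules.
emit_rules() {
    lan_if=$1; exempt=$2; allow=$3
    echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    echo "$IPT -D FORWARD -i $lan_if -j $CHAIN 2>/dev/null; $IPT -I FORWARD -i $lan_if -j $CHAIN"
    for ip in $exempt; do
        echo "$IPT -A $CHAIN -s $ip -j ACCEPT"   # exempted LAN machines: unrestricted
    done
    for ip in $allow; do
        echo "$IPT -A $CHAIN -d $ip -j ACCEPT"   # whitelisted destinations for everyone
    done
    echo "$IPT -A $CHAIN -j REJECT --reject-with icmp-proto-unreachable"
}

# apply_whitelist: resolve ALLOW_HOSTS and apply the rules. On the router, call it from the
# firewall script with e.g. LAN_IF=$(nvram get lan_ifname) EXEMPT_IPS="192.168.1.2"
# ALLOW_HOSTS="site1allowed.com site2allowed.com"; a cron job re-running it keeps the IPs current.
apply_whitelist() {
    allow_ips=""
    for h in $ALLOW_HOSTS; do
        allow_ips="$allow_ips $(resolve_host "$h")"
    done
    emit_rules "$LAN_IF" "$EXEMPT_IPS" "$allow_ips" | sh
}
```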
