LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-13-2013, 11:40 AM   #1
Milkman00
Block all websites for most PCs, and whitelist some PCs???


Hello all...

So a little bit of context. I have been wracking my brains trying to get this working and have been very unsuccessful. I am trying to get this working using IPTables in a DD-WRT environment. I know this forum isn't specifically for DD-WRT, but since we are talking about Linux commands, I am hoping it is transferable.

Basically, by default, I am trying to block ALL PCs access to all of the internet except 3 sites (Google, Yahoo, and DD-WRT). I have one PC that I listed by MAC address that I want to have full unrestricted access.

This is what I am using (saving it under FIREWALL commands) and it doesn't seem to be working:

Code:
# Set up the chain 
iptables -N wanout 
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout 

# Exempt Machine MAC 
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT 

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP) 
iptables -I wanout -d website1 -j ACCEPT 
iptables -I wanout -d website2 -j ACCEPT 
iptables -I wanout -d website3 -j ACCEPT 

# Everything else gets blocked 
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
 
Old 09-13-2013, 02:07 PM   #2
Milkman00
I reduced my code to this and cannot get my exempted PC to communicate. Any help would be appreciated.

Code:
# Set up the chain 
iptables -N wanout 
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout 

# Exempt Machine MAC 
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT 

# Everything else gets blocked 
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
 
Old 09-18-2013, 06:31 PM   #3
Milkman00
I want to post my final DD-WRT settings for anyone that may read this thread later.

Since MAC based rules don't seem to work on this DD-WRT build (v24-sp2 (05/27/13) mini, SVN revision 21676), I had to use IP based exceptions in order to make it work the way I want. So that said, I added the machines that I wanted to exempt to have static DHCP assigned IP addresses.

Here is the code that I used:

Code:
# IP Tables White Listing script by phuzi0n -Tek @ DD-WRT Forum :: View topic - White List
# Version 1.1 for older chipsets and/or experimental firmware builds. Please freeze this version. GeeTek.
# URL for this Wiki Page Blocking URLs/IPs - DD-WRT Wiki

# Set up the chain 
iptables -N wanout 
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout 

# Exempt Machine IP
#iptables -I wanout -s 192.168.1.2 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d site1allowed.com -j ACCEPT
iptables -I wanout -d site2allowed.com -j ACCEPT
iptables -I wanout -d site3allowed.com -j ACCEPT 
iptables -I wanout -d site4allowed.com -j ACCEPT 

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
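A reworked version of the same whitelist, added here as an example and not a script posted in the thread or shipped by DD-WRT. It keeps the thread's final design (IP based exemptions from static DHCP leases, a short list of allowed destinations, REJECT for everything else) and adds the two things that tend to bite when such a script is edited and re-run: it validates the exempt addresses so a typo cannot become a hostname lookup, and it tears down any earlier copy of the chain so a second run does not stack a duplicate FORWARD jump or fail on "chain already exists". Setting IPT=echo prints the generated commands instead of applying them, so the rule order can be checked before touching a live router. The LAN interface name br0, the exempt address 192.168.1.2 and the site1allowed.com/site2allowed.com names are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own script: build a DD-WRT-style "wanout"
# egress whitelist from a list of exempt hosts and allowed destinations.
# Set IPT=echo to print the generated commands instead of applying them.
# LAN_IF defaults to br0 (assumed; `nvram get lan_ifname` gives the real one).
# Exempt IPs are assumed to be static DHCP leases; the destination names
# below are constructed placeholders.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
EXEMPT_IPS="${EXEMPT_IPS:-192.168.1.2}"
ALLOWED_DSTS="${ALLOWED_DSTS:-site1allowed.com site2allowed.com}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255, so a
# typo in EXEMPT_IPS cannot silently turn into a hostname lookup.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Remove an earlier copy of the chain so re-running the script does not stack
# a second FORWARD jump or fail on "chain already exists".
teardown_wanout() {
    $IPT -D FORWARD -i "$LAN_IF" -j wanout 2>/dev/null || true
    $IPT -F wanout 2>/dev/null || true
    $IPT -X wanout 2>/dev/null || true
}

# Append rules in reading order (-A) so the listing matches this script:
# exempt hosts, then allowed destinations, then the catch-all REJECT.
build_wanout() {
    $IPT -N wanout
    for ip in $EXEMPT_IPS; do
        if ! valid_ipv4 "$ip"; then
            echo "build_wanout: not an IPv4 address: $ip" >&2
            return 1
        fi
        $IPT -A wanout -s "$ip" -j ACCEPT
    done
    # A hostname here is resolved once, when the rule is added; iptables
    # installs one rule per address the name resolves to at that moment.
    for dst in $ALLOWED_DSTS; do
        $IPT -A wanout -d "$dst" -j ACCEPT
    done
    $IPT -A wanout -j REJECT --reject-with icmp-proto-unreachable
    # Only traffic entering from the LAN side is sent through the chain.
    $IPT -I FORWARD -i "$LAN_IF" -j wanout
}

apply_wanout() {
    teardown_wanout
    build_wanout
}

# Run live only when explicitly asked; sourcing the file for a dry run
# (IPT=echo) leaves the router's rules untouched.
if [ "${WANOUT_APPLY:-0}" = 1 ]; then
    apply_wanout
fi
```

Dry run with `IPT=echo sh -c '. ./wanout.sh; build_wanout'`, apply with `WANOUT_APPLY=1 sh ./wanout.sh` from the firewall script. Two caveats follow from the thread's own remark that names are resolved only once: a destination that moves between addresses needs the script re-run, and clients that resolve names through the router's own resolver are unaffected (that traffic is INPUT, not FORWARD), but a client pointed at an external DNS server will be blocked unless that server is added to ALLOWED_DSTS.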
 
  

