
Access Restriction problem (All except...)

Discussion in 'Tomato Firmware' started by Icefire55, Aug 15, 2013.

  1. Icefire55

    Icefire55 Reformed Router Member

    Hi all,

    I just bought an Asus RT-N66U, installed Tomato 1.28-AIO and ran into a problem.

    When setting the rules, I made it all day, normal access restriction, all except (my IP and MAC address),

    then added facebook and other sites that I don't want employees surfing on the job.

    Now it returns a timeout for all computers, even those listed in the except...

    Doing:

    Code:
    ls -l /etc/iptables*
    cat /etc/iptables
    iptables -L -n -v

    Returns:

    :rdev01 - [0:0]
    -A rdev01 -s 192.168.2.40 -j RETURN
    -A rdev01 -s 192.168.2.41 -j RETURN
    :restrict - [0:0]

    -A FORWARD -o vlan2 -j restrict
    -I INPUT 1 -p udp --dport 53 -j restrict
    :rres01 - [0:0]
    :rstr01 - [0:0]
    -A rres01 -p tcp -m multiport --dports 53,80,443 -j rstr01
    -A rres01 -p udp --dport 53 -j rstr01
    -I rstr01 1 -p tcp -m string --string "facebook" --algo bm --from 1 --to 600 -j logreject
    -I rstr01 1 -p udp -m string --string "facebook" --algo bm --from 1 --to 600 -j REJECT
    Chain rstr01 (2 references)
    pkts bytes target prot opt in out source destination
    1746 112K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "facebook" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
    194 141K logreject tcp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "facebook" ALGO name bm FROM 1 TO 600

    Any idea?
     
  2. koitsu

    koitsu Network Guru Member

    You should be extremely careful with the string-based blocking for facebook. Details:

    First, a very/extremely long thread discussing this whole ordeal in great technical detail should be read. There are many (read: extremely large) caveats to using the string module:

    http://www.linksysinfo.org/index.ph...ccess-restriction-block-https-websites.45988/

    1. Rule is literally blocking any TCP packet that has the ASCII string "facebook" in it within the first 600 bytes of the packet. That means on occasion web pages which contain the string "facebook" and happen to include that string in a subsequent packet (i.e. payload let's say is 4000 bytes, MTU is 1500, so 3 TCP packets would be needed to deliver the content), would be blocked. The same goes for, say, an Email that contains the string "facebook". The client attempting to send the mail/visit the page/etc. would just suddenly time out indefinitely, upsetting the client's TCP stack, and upsetting the server side as well.

    2. Rule is case-sensitive; someone visiting www.Facebook.com (if the browser doesn't turn the URL into lowercase equivalent) would work. There is no workaround for this at this time. The only "hackery" (loosely phrased) to make this work I've heard of is in EasyTomato, mentioned here.

    3. People are still able to visit things like Facebook Content Delivery Network URLs (often ending in fbcdn.net), as such does not involve the string "facebook" in the packet payload anywhere.

    4. Facebook content and pages do not use UDP; I can clearly see you chose "Both" for the protocol list, rather than TCP.

    5. It won't deal with web browsers which don't include the SNI portion of the site name they're attempting to visit in the relevant portion of the HTTPS packet when visiting HTTPS URLs; such browsers will always get past the block.

    6. It looks like the TCP rule may have been cut off prematurely; it looks like it may not be using --reject-with tcp-reset, and needs to be. I explain why here. (That thread/post should also be read in full, because I allude to the fact that the string module is dangerous -- people wanted it, so it was added, with me screaming "be familiar with how this works!" -- the older (non-string) method did not work with HTTPS, but was a custom module that actually looked at only the HTTP headers and did the Right Thing(tm) in most cases).

    My advice to you if you're trying to ensure your employees can't access a particular site is to invest in an actual decent HTTP/HTTPS proxying appliance (or a decent Linux machine running squid) and do things that way. It allows you reliable, yet highly flexible, ways of blocking access to HTTP and HTTPS sites and won't risk hurting other protocols. The string module above has all sorts of caveats as I've described, many of which users are not aware of, then suddenly show up on forums complaining that "randomly" certain sites/etc. are getting blocked, sometimes Email doesn't work, some IM messages don't get through, etc...

    I cannot help past this point.
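A small simulation of the per-packet decision that koitsu's caveats 1 to 3 describe, added here as an example; it is not code from the thread or from Tomato, and the TLS, HTTP and mail samples plus the 1460-byte segment size are constructed.

```python
# Added example, not from the thread or from Tomato: simulates the per-packet decision of
# `-m string --string "facebook" --algo bm --from 1 --to 600` to show the caveats above.
NEEDLE = b"facebook"
FROM, TO = 1, 600      # byte window the rule inspects in every single packet
MSS = 1460             # constructed: typical TCP payload size on a 1500-byte MTU link


def string_match(packet: bytes, needle: bytes = NEEDLE, frm: int = FROM, to: int = TO) -> bool:
    """True if the rule would fire on this one packet: exact, case-sensitive byte compare."""
    return needle in packet[frm:to]


def segments(payload: bytes, mss: int = MSS) -> list:
    """Split a stream payload into the TCP segments the sender would emit."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def blocked_segments(payload: bytes) -> list:
    """Indices of segments the rule rejects; one hit stalls the whole transfer (caveat 1)."""
    return [i for i, seg in enumerate(segments(payload)) if string_match(seg)]


# Constructed sample traffic (simplified framing; only the matched bytes matter here)
TLS_SNI_FB = b"\x16\x03\x01" + b"\x00" * 40 + b"www.facebook.com" + b"\x00" * 20
TLS_SNI_CAPS = b"\x16\x03\x01" + b"\x00" * 40 + b"www.Facebook.com" + b"\x00" * 20   # caveat 2
HTTP_FBCDN = b"GET /img.png HTTP/1.1\r\nHost: static.xx.fbcdn.net\r\n\r\n"           # caveat 3
MAIL_NEAR = b"Subject: meeting notes\r\n\r\n" + b"x" * 3000 + b"see the facebook post\r\n"
MAIL_FAR = b"Subject: meeting notes\r\n\r\n" + b"x" * 700 + b"see the facebook post\r\n"


def summary() -> dict:
    """Which constructed flows the rule stops: a mail mentioning facebook is hit, the CDN is not."""
    return {
        "tls_sni_facebook": string_match(TLS_SNI_FB),
        "tls_sni_Facebook": string_match(TLS_SNI_CAPS),
        "http_fbcdn": string_match(HTTP_FBCDN),
        "mail_segments_blocked": blocked_segments(MAIL_NEAR),   # word lands in segment 2
        "mail_past_600_blocked": blocked_segments(MAIL_FAR),    # word past --to 600: unseen
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```

The last two entries show both directions of the same window rule: the mail is cut off when the word happens to fall inside the first 600 bytes of a segment, and slips through otherwise.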
     
  3. Monk E. Boy

    Monk E. Boy Network Guru Member

    Another option for blocking facebook would be to create dummy DNS records for facebook.com, fbcdn.net, etc. that point to a NAT address that doesn't resolve.

    For example, under Advanced -> DHCP/DNS create records like...

    address=/.facebook.com/10.255.255.1
    address=/.fbcdn.net/10.255.255.1

    Note this is only effective if you prevent people from using third party DNS by checking the "intercept DNS port (UDP 53)" on that same page. For better coverage you would need something equivalent to OpenDNS to block them from using anonymization & VPN services, which allows them to get around DNS blocks.
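A model of how the two address= lines above answer queries, and of why the block depends on the DNS intercept option, added here as an example; it is not dnsmasq or Tomato code, the router address is taken from the thread's SNAT rule, and 8.8.8.8 stands in for any outside resolver a client might configure.

```python
# Added example, not from the thread or from dnsmasq itself: models how the address=
# lines above answer queries, and why the block only holds when DNS is intercepted.
SINKHOLE_CONF = """\
address=/.facebook.com/10.255.255.1
address=/.fbcdn.net/10.255.255.1
"""
ROUTER = "192.168.2.1"          # the LAN gateway seen in the thread's SNAT rule


def parse_address_lines(conf: str) -> list:
    """Return [(domain, ip)] from address=/domain/ip lines; other lines are ignored."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("address=/"):
            continue
        _, domain, ip = line.split("/", 2)          # "address=", "<domain>", "<ip>"
        rules.append((domain.lstrip(".").lower(), ip))
    return rules


def sinkhole_answer(name: str, rules: list):
    """IP dnsmasq hands back for `name` (the domain and every subdomain), else None (forwarded)."""
    name = name.rstrip(".").lower()                 # DNS names are case-insensitive
    for domain, ip in rules:
        if name == domain or name.endswith("." + domain):
            return ip
    return None


def answer_for_client(name: str, client_resolver: str, rules: list, intercept_dns: bool):
    """Where a LAN client's UDP/53 query ends up.

    With "Intercept DNS port (UDP 53)" enabled the router redirects every such query to
    its own dnsmasq, so the sinkhole applies; otherwise a client pointed at an outside
    resolver gets a real answer and the block is bypassed (returns "upstream").
    """
    if intercept_dns or client_resolver == ROUTER:
        return sinkhole_answer(name, rules)
    return "upstream"


if __name__ == "__main__":
    rules = parse_address_lines(SINKHOLE_CONF)
    for q in ("www.facebook.com", "static.xx.fbcdn.net", "notfacebook.com"):
        print(q, "->", sinkhole_answer(q, rules))
    print("outside resolver, no intercept ->",
          answer_for_client("www.facebook.com", "8.8.8.8", rules, intercept_dns=False))
```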
     
  4. Icefire55

    Icefire55 Reformed Router Member

    Hi all,
    Thanks for the reply.

    Well, using the Access Restriction seems to work well, as I didn't have any false blocks with it.
    The original firmware on the FSV firewall I was using before switching to the new router was working well: I would put a Trusted IP (my local IP) and all access restrictions would be bypassed.

    We are a small corp. with 7 employees and even if I get some false positives sometimes, it's not too bad. We cannot lay off people easily (too competitive a domain and not enough workforce) so I have to do something.

    I have blocked about 20 sites, which are those I see in the logs from the past. But still, I need to access some and the "all except..." is not working. I would guess it's a bug as I have my IP and MAC in it and still, I can't get it to work.
     
  5. Icefire55

    Icefire55 Reformed Router Member

    Well, after some more testing, there is definitely a bug in Tomato Script.
    The 'Applies to all except...' part doesn't work at all, but "Applies to the following" works well if I plug in IPs or an IP range.

    Where to report it?
     
  6. mstombs

    mstombs Network Guru Member

    You have reported it by posting here, but it would be better to check the latest Toastman/Shibby/Victek and report the specific versions at fault with them in the appropriate thread or forum (Shibby has a fault log system).

    If you look at the full output of

    Code:
    iptables -nvL
    iptables -nvL -t nat
    can you see a syntax error?
     
  7. Icefire55

    Icefire55 Reformed Router Member

    Chain INPUT (policy DROP 1 packets, 28 bytes)
    pkts bytes target prot opt in out source destination
    0 0 restrict udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    17 6122 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 shlimit tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    5 276 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    10 719 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4 352 restrict all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    4 352 monitor all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    10 719 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    0 0 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 18 packets, 8406 bytes)
    pkts bytes target prot opt in out source destination

    Chain logdrop (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 39 level 4 prefix `DROP '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain logreject (16 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 39 level 4 prefix `REJECT '
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

    Chain monitor (1 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 WEBMON --max_domains 2000 --max_searches 2000

    Chain rdev01 (1 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.200-192.168.2.255
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.20-192.168.2.39
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.180-192.168.2.199
    4 352 rres01 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

    Chain restrict (2 references)
    pkts bytes target prot opt in out source destination
    4 352 rdev01 all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain rres01 (1 references)
    pkts bytes target prot opt in out source destination
    0 0 rstr01 tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,80,443
    0 0 rstr01 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
     
  8. Icefire55

    Icefire55 Reformed Router Member

    Chain shlimit (1 references)
    pkts bytes target prot opt in out source destination
    0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: shlimit side: source
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:143
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.100 udp dpt:143
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:25
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:1723

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
    Chain PREROUTING (policy ACCEPT 9 packets, 480 bytes)
    pkts bytes target prot opt in out source destination
    0 0 WANPREROUTING all -- * * 0.0.0.0/0 OUTPUTIPHERE
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.2.0/24

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT all -- * br0 192.168.2.0/24 192.168.2.0/24 to:192.168.2.1

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain WANPREROUTING (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.2.1
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.100
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.100
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:192.168.2.100
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:143 to:192.168.2.100
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.2.100
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 to:192.168.2.100


    Sorry, I didn't know how to post it other than this.

    All looks good..
     
