1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Deny all web browsing with small exceptions

Discussion in 'Tomato Firmware' started by smapdi, Jan 8, 2007.

  1. smapdi

    smapdi Network Guru Member

    Hey all, I wanted to deny browsing to any website except google and a couple of others. Access control doesn't seem to be what I need so I was going to do it with iptables but I can't seem to get it to work.The commands I'm putting in for a startup script are:

    iptables -I FORWARD -p tcp --sport 25 -j DROP
    iptables -I FORWARD -p udp --sport 25 -j DROP
    iptables -I FORWARD -p tcp -d 0/0 -j DROP
    iptables -I FORWARD -p tcp -d google.com -j ACCEPT

    It is my understanding that the last rule should open up anything the previous one closed which is traffic to google.com but it does not appear to be working. What is it that I am doing wrong?
  2. digitalgeek

    digitalgeek Network Guru Member

    have you tried to set this up with the GUI?
  3. GeeTek

    GeeTek Guest

    According to my understanding, packets are matched by rule order. If the first rule in your list denies everything, every and all packets match that rule, and subsequent rules will never come into play.

    Edit - Even so, if allowing only google traffic is the objective, why not put the "allow google" rule first, and then block whatever is left over ?
  4. smapdi

    smapdi Network Guru Member

    digitalgeek: As I understand it the web interface has the ability to deny all, if there is a way to put in exceptions that would work great for me.

    GeeTek: I've tried reversing the order but I get the same results.
  5. GeeTek

    GeeTek Guest

    I think the IP tables rules will affect only the single IP address that nslookup returns. This may be a cause of some of your snag since any one website will typically associate with numerous IP addresses. The access restictions in the GUI do allow blocking by URL, but I do not see where these rules can be inverted to become an allow rule. What you need is a white list based on URL, and I'm not sure that our lovely Tomato has that ability. Hopefully DigitalGeek or someone else will know of a way to do it.
  6. pharma

    pharma Network Guru Member


    You probably know about it, but have you seen Jon's Flash video regarding setting up Access Restrictions? It's on his website, or see the link below ...


    Hope this helps.
  7. smapdi

    smapdi Network Guru Member

    pharma: Yea, that would work if I only needed to blacklist sites but I need a whitelist too for sites that are allowed. Thanks tho.
  8. azeari

    azeari LI Guru Member

    heh i have a qn. Whats the point of blocking ALL sites when you want to allow google.

    Google is a search engine, and returns links related to the search topic, and thus it WILL DEFINATELY lead to links outside your list. isn't it self-defeating to allow google then?
  9. smapdi

    smapdi Network Guru Member

    azeari: Often, the blurb on the bottom of each search on google gives you the answer to whatever you're looking for. Otherwise most sites have been cached on google which allows you to view them. I trust that most sites that have malicious content won't be correctly cached and therefore harmless. Now if a site redirects to the non-cached version then the blacklist should kick in and block the site which does not defeat only allowing google and a few select sites.

    The reason I am doing this is that it is a corporate laptop connected to a DSL line which is separate from any corp. network. It is used for testing of corp. websites and quick lookups on google (hence the need for access to google.) Unfortunately people have been using the laptop for personal use and have gone to some websites that have caused the computer to get a slew of adware, spyware and trojans. I don't want to keep having the thing re-imaged cause some bonehead checked and email on yahoo and got linked to some virus-infested site.

    Is that enough justification?
  10. pharma

    pharma Network Guru Member

    Sounds like you need something like Parental Control in the Zone Alarm Suite ... You can download a free 30 day beta to see if it's what you need. Examples of these site categories you can block are below:

    To download

    Hope this helps ...
  11. u3gyxap

    u3gyxap Network Guru Member

    Try with this:
    iptables -I FORWARD -p tcp --dport www -j DROP
    iptables -I FORWARD -p tcp -d -j ACCEPT
  12. smapdi

    smapdi Network Guru Member

    pharma: Thanks for the advice but a software solution won't work for me because a user can just disable it.

    u3gyxap: Thanks for the code, it did exactly what I needed and I was able to add the allowed sites as exceptions.
  13. u3gyxap

    u3gyxap Network Guru Member

    Most welcome :)
  14. GhaladReam

    GhaladReam Network Guru Member

    I'm actually trying to implement something similar to this, but I'm not familiar with iptables. Would someone be able to elaborate on what the -i, -p, -j, -d do and what is the IP? and does "www" translate to port 80?

    And where would I continue to add my allowed sites, and what might the structure look like?

  15. roadkill

    roadkill Super Moderator Staff Member Member

    Hope this interpretation helps ;)

    iptables -I FORWARD -p tcp --dport www -j DROP
    -I FORWARD Insert in chain Forward Packet
    -p tcp protocol tcp
    --dport www Destination Port www
    -j DROP Jump Drop Packet
    iptables -I FORWARD -p tcp -d -j ACCEPT
    -I FORWARD Insert in chain Forward Packet
    -p tcp protocol tcp
    -d Destination google.com
    -j ACCEPT Jump Accept Packet
  16. smapdi

    smapdi Network Guru Member

  17. kcallis

    kcallis Network Guru Member

    Setting up proxy for kids computer

    My daughter (whom I home school) seems to be never be able to to focus on her work because she is too caught up with her boy bands. Although I have restrictions in place, I need to figure out if I can put a proxy on tomato to provide blocking of websites or even searches of her various boy bands.
    For instance, Monday through Friday from 7:30AM to 6:00PM, any searches for her group of the week is blocked, until 6:01PM to 9:00PM, which is will be open, and then closes off the internet access (specifically HTTP, HTTPS, IM, IRC) until 7:29AM the next morning. I need to allow for P2P to keep flowing, because I have movies, ect. downloading through the night.
    Normally, I would use squid, but I would rather try to install a proxy that is installed on my tomato. Any pointers would be greatly appreciated!
  18. GeeTek

    GeeTek Guest

    The access restrictions have the ability to block by key word which sounds like what you need. What are the restrictions that you mention already having in place ?
  19. kcallis

    kcallis Network Guru Member

    Restriction in place

    Current I have something like this:

    Weekdays: M-Th 7:30-6:30
    HTTP Request: B5 Rhianna

    Lights out : M-Th 9:30-7:30A
    TCP, dst 80,443

    Weekend: F-Su 11:30P-7:00A
    TCP, dst 80,443

    I think what I am doing is closing off http ports, while allowing things like P2P to continue running. Also, blocking B5 Rhianna keyword between the weekday hours of 7:30-6:30.

    Does that sound about right?
  20. GeeTek

    GeeTek Guest

    No, that does not sound right. What kind of a twisted psyco are you ? Rhianna should NEVER EVER be blocked under any circumstances. The rest of yer rules look pretty good.
  21. ng12345

    ng12345 LI Guru Member

    Is there any way to set up white listing in tomato using the Access Restriction gui?

    I am interested in allowing different computers on the network access to different sites -- while the gui allows different computers to be blocked from different sites, it doesn't allow the reverse -- is there an easy way to do this, or will i need to set it up manually through iptables?

    if iptables is the only way is there a specific way to drop all packets that are requested by a particular computer (i.e. drop all packets that computer A requests but allow those that computer B requests).

  22. u3gyxap

    u3gyxap Network Guru Member

    iptables -I FORWARD -s xxx.xxx.xxx.xxx -j DROP
    replace xxx with the IP address of computer A to drop all of his packets. This can be also done in the gui by blocking the internet.
  23. ng12345

    ng12345 LI Guru Member

    Thanks for that code -- I would like to take it a step further, similar to what the OP did and have specific computers have access to specific sites

    iptables -I FORWARD -p tcp -s --dport www -j DROP
    iptables -I FORWARD -p tcp -s -d -j ACCEPT

    Would this block all websites except for google for, yet allow to access everything?

    Ultimately 5 computers on the LAN will only have access to about 10 sites (office computers), while 2 computers will have access to everything (personal computers) the last computer will have access to only 1 site (server).
  24. u3gyxap

    u3gyxap Network Guru Member

    It look right, just that google.com has many ip addressed and they get changed from time to time. Now I beleive they have these also:
    And probably many others. You need to add them too. Google.com resolves to different IPs for different parts of the world, for different regional settings on your computer, and probably for different times of the day... Try and see how it goes.
    It would be best if you create another table, in which the packets are checked against a list of defined networks/hosts.
  25. abubin

    abubin Addicted to LI Member

    seems like a lot of people require the whitelisting feature.

    I failed to check this feature after testing tomato and loving it very much compared to dd-wrt. But now, a simple feature like whitelisting is not even there. Okay maybe it seems simple to a noob like me but sorry for saying but this is a very basic feature when tomato can do a lot of other complicated stuffs like QOS and BW limiter.

    IP tables solution does not work for me because I want to block by MAC address. These sneaky few fella in the company does know how to change their IP manually. At least locking them to MAC mean the only way they can circumvent this is to change their USB WiFi with another user.

    summarize, I want to block certain users by mac address from going into the internet at all except for a few sites like windows update and antivirus update site.
  26. jan.n

    jan.n Addicted to LI Member

    Wow, you dug up quite an old thread...


    IMHO it's something like
    iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
    but I don't really know if that's available in Tomato...
  27. Toastman

    Toastman Super Moderator Staff Member Member

  28. abubin

    abubin Addicted to LI Member

    hehe...if they decided to use programs to change their MAC then I will implement MAC address locking to only listed devices.

    Like I said, I don't want to block ALL.

    I want to block all EXCEPT site1, site2 and site3.

    Anyone can tell if other tomato mods support this or if other linksys modded firmware can do this?
  29. Fabre

    Fabre Networkin' Nut Member

    Bump for an old thread since I can't seem to find an answer for this.

    Is there an easy way to setup a whitelist and block other websites with Tomato?

    If not is there another firmware that can do this? (WRT54GL)
  30. agidi

    agidi LI Guru Member

    Hi guys, bumping the thread.
    I managed to get this working to a point.

    We need to block 15 out of 20 computers from the internet.
    We used google apps. So every computer needs access to that.
    This blocks the internet except for google stuff.

    iptables -I FORWARD -p tcp --dport www -j DROP
    iptables -I FORWARD -p tcp -d -j ACCEPT
    iptables -I FORWARD -p tcp -d -j ACCEPT
    iptables -I FORWARD -p tcp -d -j ACCEPT
    iptables -I FORWARD -p tcp -d -j ACCEPT
    iptables -I FORWARD -p tcp -d 774.125.244.0/22 -j ACCEPT

    Now how do I add the MAC addresses of the exception computers?
    examples are appreciated :) thanks.

Share This Page