rule to limit web access to only a given site?

Discussion in 'Tomato Firmware' started by vexingv, May 28, 2008.

  1. vexingv

    vexingv LI Guru Member

    I've been trying to figure out how I can limit all web/http access to one site (let's say nytimes.com for example) on a given machine/MAC. The access restriction rules only deny access, but doesn't allow for the creation of a "white list." Is there some way I might be able to do this?

    Thanks.
     
  2. nvtweak

    nvtweak LI Guru Member

    looks like a job for iptables..

    iptables -I FORWARD -s 192.168.1.0/24 -d ! nytimes.com -j DROP
     
  3. ales85

    ales85 Network Guru Member

    Hey!

I have a question almost exactly like the one above. How do I allow access to 2 sites, for example? I tried using two rules like those, just with different sites, but then nothing is getting through. Also, maybe someone could look at my rules and give me some tips:
    ______________________________
    iptables -F

    iptables -A FORWARD -j wanin
    iptables -A FORWARD -j wanout
    iptables -A FORWARD -j upnp

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -p tcp -s 192.168.8.17 -d 192.168.8.1 --sport 513:65535 --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.8.1 -d 192.168.8.17 --sport 23 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp -s 192.168.8.17 -d 192.168.8.1 --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.8.1 -d 192.168.8.17 --sport 80 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -I wanin -p tcp -d 192.168.8.17 --dport 4662 -j ACCEPT
    iptables -I wanin -p tcp -d 192.168.8.17 --dport 3389 -j ACCEPT


    iptables -A wanout -s 192.168.8.17 -d ! (IP of website) -j DROP


    iptables -P FORWARD ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    __________________________

Now I also have a little problem. These rules work well, but I'd like more. I want to make only a few connections possible. If I put my FORWARD policy on DROP then nothing works. I'd like to configure the FORWARD chain in a way that would allow outgoing traffic to only one or two external IPs and only on certain ports (VNC and RDC, also with 80 for one website).

    Please help :)
     
  4. mstombs

    mstombs Network Guru Member

Not sure what your rules are supposed to do, but you will have a problem if you are just using local IP addresses to test: local connections will be via the switch acting as a hub, not via the kernel. Input/output tables refer to connections to/from the router itself.

    To restrict to only a few websites you can add rules to ACCEPT each site, followed by a catch-all DROP.
     
  5. HennieM

    HennieM Network Guru Member

For example, very simplistically, you can do ALLOW/DROP any way you want and still use virtually the same rules. Check what your existing iptables policies are set to (by the firmware), and work with that:

iptables -P FORWARD ACCEPT
    iptables -A FORWARD -s IP.of.allowed.local.machine -d ip.of.allowed.site -j ACCEPT
    ....more ACCEPT rules
    ....no DROP rules necessary, as the last rule drops all that don't ACCEPT
    iptables -A FORWARD -s 0/0 -d 0/0 -j DROP

    OR

    iptables -P FORWARD DROP
    iptables -A FORWARD -s IP.of.allowed.local.machine -d ip.of.allowed.site -j ACCEPT
    ....more ACCEPT rules
    ....no DROP rules necessary, as policy drops all that don't ACCEPT

    OR

iptables -P FORWARD ACCEPT
    iptables -A FORWARD -s IP.of.disallowed.local.machine -d ip.of.disallowed.site -j DROP
    ....more DROP rules
    ....no ALLOW rules necessary, as policy accepts all that don't DROP

    etc., etc., etc.
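Following the pattern in the replies above, here is an added example (not code from any of the posts) that prints one ACCEPT rule per site and port followed by a catch-all DROP, and also adds the two rules whose absence makes a FORWARD DROP policy look like "nothing works": replies to connections the client itself opened, and DNS. It assumes constructed addresses (client 192.168.1.50, resolver 192.0.2.53, sites 203.0.113.10 and 203.0.113.11) and that you resolve site names beforehand, since a hostname given to -d is expanded only to the addresses the name returns at the moment the rule is inserted.

```shell
#!/bin/sh
# Added example, not from the thread: print FORWARD-chain rules that allow one
# LAN client to reach a handful of addresses and nothing else. Review the
# output first, then run it on the router (e.g. from Tomato's firewall script).

gen_allowlist() {
  host="$1"    # LAN client to restrict (constructed: 192.168.1.50)
  dns="$2"     # resolver the client uses; if that is the router's own dnsmasq,
               # that traffic is INPUT, not FORWARD, and this rule is simply unused
  ports="$3"   # space-separated TCP ports allowed to each site, e.g. "80 443"
  shift 3      # remaining arguments: allowed destination IPs (already resolved)
  # 1. Replies to connections the client opened. With a DROP policy or a
  #    catch-all DROP, forgetting this is why "nothing works": every reply is dropped.
  echo "iptables -I FORWARD 1 -d $host -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # 2. Name resolution, or the browser never learns the site's address at all.
  echo "iptables -I FORWARD 2 -s $host -d $dns -p udp --dport 53 -j ACCEPT"
  n=3
  # 3. One ACCEPT per site and port, inserted in order ahead of the firmware's rules.
  for ip in "$@"; do
    for port in $ports; do
      echo "iptables -I FORWARD $n -s $host -d $ip -p tcp --dport $port -j ACCEPT"
      n=$((n + 1))
    done
  done
  # 4. Catch-all: anything else from this client is dropped, whatever the policy.
  echo "iptables -I FORWARD $n -s $host -j DROP"
}

# Constructed sample: two resolved site addresses, web ports only.
gen_allowlist 192.168.1.50 192.0.2.53 "80 443" 203.0.113.10 203.0.113.11
```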
     