
rule to limit web access to only a given site?

Discussion in 'Tomato Firmware' started by vexingv, May 28, 2008.

  1. vexingv

    vexingv LI Guru Member

    I've been trying to figure out how I can limit all web/http access to one site (let's say nytimes.com for example) on a given machine/MAC. The access restriction rules only deny access, but don't allow for the creation of a "white list." Is there some way I might be able to do this?

    Thanks.
     
  2. nvtweak

    nvtweak LI Guru Member

    looks like a job for iptables..

    iptables -I FORWARD -s 192.168.1.0/24 ! -d nytimes.com -j DROP
     
  3. ales85

    ales85 Network Guru Member

    Hey!

    I have a question almost exactly like the one above. How do I allow access to 2 sites, for example? I tried using two rules like that, just with different sites, but then nothing gets through. Also, maybe someone could look at my rules and give me some tips:
    ______________________________
    iptables -F

    iptables -A FORWARD -j wanin
    iptables -A FORWARD -j wanout
    iptables -A FORWARD -j upnp

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -p tcp -s 192.168.8.17 -d 192.168.8.1 --sport 513:65535 --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.8.1 -d 192.168.8.17 --sport 23 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp -s 192.168.8.17 -d 192.168.8.1 --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.8.1 -d 192.168.8.17 --sport 80 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -I wanin -p tcp -d 192.168.8.17 --dport 4662 -j ACCEPT
    iptables -I wanin -p tcp -d 192.168.8.17 --dport 3389 -j ACCEPT


    iptables -A wanout -s 192.168.8.17 ! -d (IP of website) -j DROP


    iptables -P FORWARD ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    __________________________

    Now I also have a little problem. These rules work well, but I'd like more. I want to make only a few connections possible. If I set my FORWARD policy to DROP then nothing works. I'd like to configure the FORWARD chain in a way that would allow outgoing traffic to only one or two external IPs and only on certain ports (VNC and RDC, plus 80 for one website).

    Please help :)
     
  4. mstombs

    mstombs Network Guru Member

    Not sure what your rules are supposed to do, but you will have a problem if you are just using local IP addresses to test: local connections will go via the switch acting as a hub, not via the kernel. Input/output tables refer to connections to/from the router itself.

    To restrict to only a few websites you can add rules to ACCEPT each site, followed by a catch-all DROP.
     
  5. HennieM

    HennieM Network Guru Member

    For example, very simplistically, you can do ALLOW/DROP any which way you want, and still use virtually the same rules. Check what your existing iptables policies are set to (by the firmware), and work with that:

    iptables -P FORWARD ACCEPT
    iptables -A FORWARD -s IP.of.allowed.local.machine -d ip.of.allowed.site -j ACCEPT
    ....more ACCEPT rules
    ....no DROP rules necessary, as the last rule drops all that don't ACCEPT
    iptables -A FORWARD -s 0/0 -d 0/0 -j DROP

    OR

    iptables -P FORWARD DROP
    iptables -A FORWARD -s IP.of.allowed.local.machine -d ip.of.allowed.site -j ACCEPT
    ....more ACCEPT rules
    ....no DROP rules necessary, as policy drops all that don't ACCEPT

    OR

    iptables -P FORWARD ACCEPT
    iptables -A FORWARD -s IP.of.disallowed.local.machine -d ip.of.disallowed.site -j DROP
    ....more DROP rules
    ....no ALLOW rules necessary, as policy accepts all that don't DROP

    etc., etc., etc.
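As an added illustration (not code from anyone in this thread), a small Python model of iptables first-match evaluation for the FORWARD chain. It shows why ales85's two "! -d site -j DROP" rules block everything (a packet to site A fails the "not site A" test but passes "not site B", so the second DROP fires) while the ACCEPT-per-site plus catch-all DROP layout that mstombs and HennieM describe works. The addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed sample addresses for the walk-through (not from the thread):
LAN_HOST = "192.168.8.17"
SITE_A = "198.51.100.10"   # "allowed site A" (constructed)
SITE_B = "203.0.113.20"    # "allowed site B" (constructed)
OTHER = "192.0.2.30"       # any other destination (constructed)

class Rule:
    """One FORWARD rule: optional -s match, optional (negatable) -d match, and a target."""
    def __init__(self, target, src=None, dst=None, dst_negate=False):
        self.target, self.dst_negate = target, dst_negate
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, src, dst):
        if self.src and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst:
            hit = ipaddress.ip_address(dst) in self.dst
            if hit == self.dst_negate:   # '! -d' inverts the destination test
                return False
        return True

def verdict(rules, policy, src, dst):
    """Chain semantics: the first matching terminating rule wins, else the chain policy."""
    for r in rules:
        if r.matches(src, dst):
            return r.target
    return policy

# ales85's approach: one "! -d site -j DROP" per allowed site, policy ACCEPT.
two_negated_drops = [
    Rule("DROP", src=LAN_HOST, dst=SITE_A, dst_negate=True),
    Rule("DROP", src=LAN_HOST, dst=SITE_B, dst_negate=True),
]

# mstombs/HennieM's approach: one ACCEPT per allowed site, then a catch-all DROP.
accept_then_drop = [
    Rule("ACCEPT", src=LAN_HOST, dst=SITE_A),
    Rule("ACCEPT", src=LAN_HOST, dst=SITE_B),
    Rule("DROP", src=LAN_HOST),
]

def compare(dst):
    """Verdict for LAN_HOST -> dst under both rule layouts (policy ACCEPT)."""
    return (verdict(two_negated_drops, "ACCEPT", LAN_HOST, dst),
            verdict(accept_then_drop, "ACCEPT", LAN_HOST, dst))

if __name__ == "__main__":
    for name, dst in (("site A", SITE_A), ("site B", SITE_B), ("other", OTHER)):
        neg, acc = compare(dst)
        print(f"{name:7} -> two negated DROPs: {neg:6}  ACCEPT-then-DROP: {acc}")
```

A real ruleset also has to let DNS and established return traffic through, and a hostname given to -d is resolved to IP addresses only once, when the rule is loaded, so sites served from changing or multiple addresses need the full address set or a regularly refreshed rule.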
     
