Block all internet, but whitelist video streaming services?

I know I'm about to throw out a difficult idea here, but its difficulty has only made me that much more determined to conquer it. I'd like to kill access to my kiddo's game services during school nights, but allow or whitelist streaming services like Netflix, Amazon Video, Sling, etc.

Basically, they complain that they can't watch TV to fall asleep, yet have zero self-control when it comes to killing their games at night, leading to missed buses in the mornings. I've given them the "you're screwed for internet at night" line for months now. But honestly, having been an Engineer in IT for 14 years now, I feel like with a little work this may be an achievable mission.

I've seen that you can whitelist IPs using iptables, but these streaming services use DNS hosts with multiple IPs that change often. I even thought about blocking all ports but 80/443 since streaming services use those, but it appears those ports are used by most PS4 game servers as well.

So I think I need a way to block all internet, except for whitelisted DNS names. I am open to suggestions here though, as I bet there is more than one way to skin this cat.

Let me know your thoughts, thanks!

I think you have figured out pretty much everything yourself... All I can add is that you could block sites on the DNS level.

As a fellow father I feel your concerns.
The easiest solution is to apply a scheduled deny in iptables for their devices on evenings before weekdays.
If they also use some family devices (e.g. a PS4 in the living room) and you cannot be present all the time to be the physical firewall, then you'd need to block certain sites that they visit.
For automated add/removal of IPs in iptables, you could use ipset. For example, make a scheduled deny rule to an ipset, which will be updated by parsing the addresses from the name server results.
Other than that, consider an adblock service, where you will blacklist the domains that your kids spend their time on, and you can have a cronjob to turn it on and off.
Hope it helps.

"life is hard" welcome :slight_smile:

If you really want control over the content you'd have to moderate/curate it, maybe use a local mediaserver as the only available source.

If you're going this way, there's already an option in adblock for such restrictive "whitelist only" mode:

1 Like

As a parent myself, I think I would try a more "responsible" approach to the issue: do not block any type of content, and let them stay up as long as they want, but let them feel all the weight of the consequences of their behaviour (one full week with no internet at all for each missed bus, for example).

Just my two cents!

3 Likes

Awesome, thanks dibdot, I'll take a look at adblock. Hopefully there is a way to whitelist IP ranges. I took a look at the connections my Fire TV made while using Sling last night, and saw that they are pretty huge subnets:
8.253.134.93:80
8.253.134.93:80
8.253.134.93:80
8.252.80.248:80
8.252.80.248:80
8.252.80.248:80
8.249.97.243:80
8.249.97.243:80
8.249.97.243:80

Unfortunately, those options have all been tried over the years and never completely remove the problem :wink:

Regardless of the consequences, they tend to always forget or get stuck in their gaming world until late hours of the night. After groundings etc, it tends to clean up for a while, then ultimately pop back in after a few weeks.

As of today, completely removing internet at bedtime has been the only option for these teens.

No, adblock works on DNS level - just whitelist (sub-)domains you want to use.

responsible decision :+1:

I feel your pain!

Don't you think this would be the best option anyways?
Curating DNS whitelists isn't really going to work (every non-trivial website loads external resources from dozens of domains), even if you'd make it your day job.

1 Like

Is anyone aware of a method that I can use to either block or whitelist large subnets of IPs on OpenWRT? It looks like I can't filter against simple DNS records.

Turn off port 80 and 443 outbound from your network, make devices set a proxy, then use squid as your proxy and use squid ACLs for policy; they can work based on domain name rather than IP, even over SSL, provided you set an explicit proxy, not a transparent one.

1 Like

Does the squid add-on for OpenWRT offer all the functionality I'd need for this? Or will I need to spin up a full blown copy on my local network?

As far as I know the squid package on OpenWrt is full featured, you should read the example configs and squid docs and write up your own custom config.

You can use "ipsets" if you need to define firewall rules with large sets of addresses.

1 Like

And you can have dnsmasq fill out the ipset as it looks up DNS entries; however, it will block all sites on a given IP, which can be problematic when it's Akamai or Cloudflare or whoever and they host multiple sites on their machine.

1 Like
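The dnsmasq-plus-ipset idea from the replies above, sketched as an added example (not code from any poster or from the OpenWrt project): dnsmasq records every address it resolves for the listed names in an ipset, and two time-limited iptables rules let one device reach only that set on school nights. The set name, MAC address, domain list and use of the FORWARD chain are assumptions, the script only prints the configuration so it can be reviewed first, and the router needs a dnsmasq build with ipset support plus the iptables `set`, `time` and `mac` matches.

```shell
#!/bin/sh
# Added example: print a DNS-driven allowlist config for one device.
SET_NAME="stream_allow"              # assumed ipset name
KID_MAC="AA:BB:CC:DD:EE:FF"          # constructed placeholder MAC
# Assumed sample names, not a complete list; take the real ones from the
# DNS queries the streaming device actually makes.
ALLOW_DOMAINS="netflix.com nflxvideo.net sling.com"

dnsmasq_line() {
    # dnsmasq syntax: ipset=/<domain>/<domain>/.../<setname>
    # Each name also covers its subdomains.
    line="ipset="
    for d in $ALLOW_DOMAINS; do
        line="$line/$d"
    done
    printf '%s/%s\n' "$line" "$SET_NAME"
}

firewall_rules() {
    # --contiguous treats 21:00-06:00 as one period belonging to the evening's
    # weekday, so Thursday night is covered and Saturday night is not.
    window="-m time --timestart 21:00 --timestop 06:00"
    window="$window --weekdays Sun,Mon,Tue,Wed,Thu --contiguous --kerneltz"
    src="-m mac --mac-source $KID_MAC"
    # The set must exist before a rule references it and before dnsmasq starts.
    echo "ipset create $SET_NAME hash:ip -exist"
    # Rule 1: destinations dnsmasq resolved for allowlisted names are accepted.
    echo "iptables -I FORWARD 1 $src $window -m set --match-set $SET_NAME dst -j ACCEPT"
    # Rule 2: everything else from that device is rejected during the window.
    echo "iptables -I FORWARD 2 $src $window -j REJECT"
}

echo "# add to the dnsmasq configuration:"
dnsmasq_line
echo "# run on the router (or add to the firewall's custom rules):"
firewall_rules
```

The device only populates the set when it resolves names through the router's dnsmasq, and, as noted in the reply above, an allowed CDN address also admits any other site served from that same address.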

Just curious, how did you come to that conclusion?
For blocking via ipsets, check this one

1 Like