Iptables OpenWrt

Hello, I'm doing a personal project to learn more about OpenWrt. I have installed OpenWrt on a Raspberry Pi that I have connected to my domestic router, and I'm trying to block the domains of different websites with iptables. I would like to block these domains so that they cannot be accessed from any computer of my choice that is connected to the Raspberry Pi. I would also like to block the domains for the Raspberry Pi itself. Is it possible? I have been trying, and it looks like the iptables rules are not being applied.
This is the rule that I have been trying: iptables -A OUTPUT -p tcp -d www.domaintoblock.com -j DROP
I tried with INPUT and FORWARD as well, unsuccessfully. Is it possible to do the same (block a domain) but just for one device with IP 192.168.1.54 (for example)?
I don't know if it's because I'm applying the rules to other interfaces or something else, but I can't fix it.
Maybe this is not a good explanation, but I'm new to this world and it's difficult to explain.

Thanks everyone!

One should never put a canonical DNS name in an iptables rule. It means a DNS lookup is needed for every packet. You need the IP address in the rule. If the DNS name resolves to multiple different IPs, for example, like Netflix would do, then you would use a different solution (dnsmasq + ipsets + iptables match rule for ipsets), which is a little too complex for you to master at this point in time if you're just starting out with iptables.

The OUTPUT rule only works for a process launching a network connection from the firewall itself. For something routing THROUGH the firewall, use the FORWARD chain.

It is possible to block only for a specific IP. You would specify the source address in the rule as well.

None of this is OpenWrt-specific, so there are lots of iptables resources on the net with examples that you can consult.

3 Likes

@jc95, welcome to the community!

It would be simpler to install Adblock and add the domains to the blacklist.

There's also a method to directly load the domain responses into an ipset for blocking, but I'm not deeply familiar with that - there should be some threads on it.

Since a domain can have multiple A and AAAA records, it's not really feasible to make rules like that - even if such rules worked.

The name is resolved once when invoking iptables and the IP it happens to resolve to is added to the rule. There's no per-packet lookup of DNS names.

4 Likes

I don't want to use any external software like Adblock. I'm trying to control these blocks from my own website, where the user can choose the IP and domains to block. I'm connecting by SSH and doing everything with scripts.
Thanks anyway for your reply!

Then:

  • Do this (all DNS resolutions) from your website; and
  • Have your router do a cron to download a completed list for loading into an ipset

Simple.
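Putting the two pieces of advice above together (FORWARD chain plus a source address for one LAN host, and a pre-resolved list loaded into an ipset by cron), here is an added example script; it is not from the thread or from OpenWrt. It assumes an iptables-based OpenWrt with the ipset package installed, a blocklist file of one IPv4 address per line that the website has already resolved, and the set name blocked_sites and host 192.168.1.54 are constructed for the example.

```shell
#!/bin/sh
# Load a pre-resolved blocklist (one IPv4 per line, "#" comments allowed)
# into an ipset and drop routed traffic from one LAN host to those addresses.
# Constructed example for this thread; set name and host are placeholders.

SET_NAME="blocked_sites"

# Keep only syntactically valid dotted-quad IPv4 addresses; drop comments,
# blank lines and duplicates so a corrupt download cannot wedge "ipset restore".
filter_ipv4() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" |
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (ok && !seen[$0]++) print
    }'
}

# Emit "ipset restore" input: fill a temporary set, then swap it in
# atomically so the firewall never matches against a half-loaded set.
ipset_restore_script() {
    echo "create ${SET_NAME}_tmp hash:ip -exist"
    echo "flush ${SET_NAME}_tmp"
    filter_ipv4 "$1" | sed "s/^/add ${SET_NAME}_tmp /"
    echo "create ${SET_NAME} hash:ip -exist"
    echo "swap ${SET_NAME}_tmp ${SET_NAME}"
    echo "destroy ${SET_NAME}_tmp"
}

# Routed traffic goes through FORWARD, not OUTPUT. Match the one LAN host as
# source and the set as destination; insert the rule only if it is missing.
ensure_forward_rule() {
    iptables -C FORWARD -s "$1" -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null ||
    iptables -I FORWARD -s "$1" -m set --match-set "$SET_NAME" dst -j DROP
}

main() {
    list="${1:?blocklist file}"
    host="${2:?LAN host IP, e.g. 192.168.1.54}"
    ipset_restore_script "$list" | ipset restore
    ensure_forward_rule "$host"
}

# Only act when called with both arguments, e.g. from cron after the download.
[ "$#" -eq 2 ] && main "$@"
```

The ipset part can run from cron each time the list is re-downloaded; the FORWARD rule belongs in /etc/firewall.user on a fw3-based OpenWrt so a firewall reload re-applies it. Blocking for the router itself needs the same match in OUTPUT, and IPv6 destinations need a second hash:ip set with family inet6.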