-m string --string in firewall

bpmcwap · January 7, 2022, 8:36am

Hi

I have a TP Link C6U v1 router on which I put this OpenWRT. I want to create a firewall rule for kids to filter and block pages for specific words - e.g. sex, youtube
I want to use string.patch for this, so I also installed the iptables-mod-filter package.

Source zone: Lan
Destination zone wan
Action: drop

Source MAC address
Extra arguments: -m string --string youtube

Unfortunately, it doesn't work. No error message. Does anyone have an idea? I don't want to install a more serious program, I want to solve it with string.patch.
Thanks

vgaetera · January 7, 2022, 10:04am

bpmcwap · January 7, 2022, 1:19pm

The question is why -string.patch does not work in this form:

config rule
	option name 'youtube'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	opticon extra '-m string --string youtube'
	list src_mac'XX:XX:XX:XX:XX:XX'

lleachii · January 7, 2022, 3:04pm

Doesn't work how?

Most Internet traffic is encrypted these days anyway, so I'm confused on what you think this rule would block.

Are you thinking that the firewall will see the string "youtube" in all traffic and drop it?

bpmcwap · January 7, 2022, 3:30pm

Yes
Try it in PUTTY
*youtube instead openwrt or anything

iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -m string --string youtube --algo bm -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 00:00 --timestop 23:59 -j DROP

lleachii · January 7, 2022, 3:32pm

Try what?

I'm asking you a question.

The rule doesn't work...how so???

bpmcwap · January 8, 2022, 3:52pm

That's what I mean, that's what I want:
https://demoui.asus.com/EN/Advanced_URLFilter_Content.asp

LGA1150 · January 8, 2022, 3:56pm

Is software offloading turned on?
Offloaded flows will bypass Netfilter rules so yours won't work.

bpmcwap · January 8, 2022, 4:14pm

no, is not checked

LGA1150 · January 8, 2022, 4:16pm

I just checked the parameters, looks like the required one --algo is missing.
Normally one will use --algo bm for string matching.

bpmcwap · January 8, 2022, 5:02pm

Excuse me! That's right, I wrote it to the router, but it lags here. It is also included in the PUTTY command - see above. Unfortunately, it does not work in the Firewall

pavelgl · January 8, 2022, 5:39pm

Аs stated above, it can't work that way. If you insist on using thе iptables string module, the best you can do is to filter the DNS requests of the restricted client based on keywords.

Configure DNS hijacking (just in case).

config redirect
        option name 'DNS-Hijacking'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'
        option reflection '0'
        option proto 'tcp udp'

Create a filtering rule.

config rule
        option name 'youtube'
        option src 'lan'
        option target 'REJECT'
        option proto 'udp'
        option dest_port '53'
        list src_mac '00:11:22:33:44:55'
        option extra '-m string --string youtube --algo bm'

Restart the firewall service. Don't forget to flush the DNS cache of the machine you use for tests.

lleachii · January 9, 2022, 12:35am

I'm not sure what Asus has to do with OpenWrt, but my point was that you cannot filter encrypted traffic, because the firewall cannot read it.

Attempting to block the DNS requests as @pavelgl suggests may be better.