-m string --string in firewall


I have a TP-Link C6U v1 router on which I installed OpenWrt. I want to create a firewall rule for the kids that filters and blocks pages containing specific words, e.g. sex, youtube.
I want to use string.patch for this, so I also installed the iptables-mod-filter package.

Source zone: lan
Destination zone: wan
Action: drop
Source MAC address: (the child's device)
Extra arguments: -m string --string youtube

Unfortunately, it doesn't work. No error message. Does anyone have an idea? I don't want to install a more serious program, I want to solve it with string.patch.


The question is why string.patch does not work in this form:

config rule
	option name 'youtube'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option extra '-m string --string youtube'
	list src_mac 'XX:XX:XX:XX:XX:XX'

Doesn't work how?

Most Internet traffic is encrypted these days anyway, so I'm confused on what you think this rule would block.

Are you thinking that the firewall will see the string "youtube" in all traffic and drop it?


Try it in PuTTY
(*youtube instead of openwrt or anything)

iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -m string --string youtube --algo bm -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 00:00 --timestop 23:59 -j DROP

Try what?

I'm asking you a question.

The rule doesn't work...how so???

That's what I mean, that's what I want:

Is software offloading turned on?
Offloaded flows will bypass Netfilter rules so yours won't work.

No, it is not checked.

I just checked the parameters; it looks like the required --algo option is missing.
Normally one uses --algo bm for string matching.

Excuse me! That's right, I wrote it on the router, but it lags here. It is also included in the PuTTY command, see above. Unfortunately, it does not work in the firewall.

As stated above, it can't work that way. If you insist on using the iptables string module, the best you can do is to filter the DNS requests of the restricted client based on keywords.

Configure DNS hijacking (just in case).

config redirect
        option name 'DNS-Hijacking'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'
        option reflection '0'
        option proto 'tcp udp'

Create a filtering rule.

config rule
        option name 'youtube'
        option src 'lan'
        option target 'REJECT'
        option proto 'udp'
        option dest_port '53'
        list src_mac '00:11:22:33:44:55'
        option extra '-m string --string youtube --algo bm'

Restart the firewall service. Don't forget to flush the DNS cache of the machine you use for tests.

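To see what the xt_string match in the DNS rule above (and in the iptables one-liner posted earlier in the thread) actually compares against, here is an added example that is not part of the original thread and not OpenWrt or iptables code. It builds a DNS query in wire format with Python's standard library and models the string match as a plain substring search over the packet bytes: `--algo bm` and `--algo kmp` only choose the search algorithm, and `--icase` toggles case sensitivity. The function names and the sample hostnames are constructed for the example. It shows why `--string youtube` matches a lookup of www.youtube.com but `--string youtube.com` never can (the dot is not on the wire; it becomes a label-length byte), and why a client can bypass a case-sensitive pattern by sending the query name in upper case unless `--icase` is added to the rule.

```python
import struct

# Constructed sample: hostnames a restricted client might look up.
SAMPLE_NAMES = ["www.youtube.com", "www.YOUTUBE.com",
                "youtube-nocookie.com", "www.openwrt.org"]


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1):
    each label is preceded by a one-byte length and the name ends with 0x00.
    The dots are never transmitted; each one becomes a length byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}: must be 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """UDP payload of a standard recursive query (QTYPE A by default):
    12-byte header with RD set and QDCOUNT=1, then one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def string_match(packet: bytes, pattern: str, icase: bool = False) -> bool:
    """Model of the xt_string match: True if `pattern` occurs anywhere in the
    packet bytes. The real match scans the whole packet (--from/--to default
    to the entire packet); here we scan the DNS payload, which is where an
    ASCII hostname fragment can appear."""
    pat = pattern.encode("ascii")
    if icase:                      # --icase: case-insensitive comparison
        return pat.lower() in packet.lower()
    return pat in packet           # default: case-sensitive


def evaluate(patterns, names=SAMPLE_NAMES, icase=False):
    """Return {(pattern, name): matched}: which queries a rule using
    `--string <pattern>` (plus --icase if set) would reject."""
    return {(p, n): string_match(build_dns_query(n), p, icase)
            for p in patterns for n in names}


if __name__ == "__main__":
    print("question for www.youtube.com:",
          encode_qname("www.youtube.com").hex(" "))
    for icase in (False, True):
        print(f"\n--icase {'on' if icase else 'off'}")
        results = evaluate(["youtube", "youtube.com"], icase=icase)
        for (pattern, name), hit in results.items():
            verdict = "REJECT" if hit else "pass"
            print(f"  --string {pattern!r:14} vs {name:22} -> {verdict}")
```

Two caveats follow directly from the config above. The filtering rule is `proto 'udp'` only, so a resolver that retries over TCP port 53 (which the DNAT redirect does send to the router) is not rejected unless the rule's proto covers tcp as well. And any client using DNS over HTTPS or DNS over TLS never sends a plaintext query on port 53 at all, which is the encrypted-traffic point made earlier in the thread: the string match can only ever see cleartext bytes.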

I'm not sure what Asus has to do with OpenWrt, but my point was that you cannot filter encrypted traffic, because the firewall cannot read it. :bulb:

Attempting to block the DNS requests as @pavelgl suggests may be better.