String based iptables filtering

Raw doesn't use -o, BTW.

@mindwolf,

I think you should try tagging the packet upon receipt, not upon exit from WAN.

Also see https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18

  • It seems you use single quotes in a string match
  • I think you need to use either INPUT or FORWARD - in other words, they don't mangle the packet

@anon50098793 I did try using FORWARD -i eth0.2, but got the same result. @lleachii I haven't tried PREROUTING yet. @vgaetera I do have the package iptables-mod-filter installed. I'll try more experimentation when I get home. Seems odd, as if it doesn't see the module as loaded, or am I misreading this?

Still no luck. It keeps complaining about the string match.

http://ipset.netfilter.org/iptables-extensions.man.html

string
This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
--algo {bm|kmp}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last one that is scanned. If not passed, default is the packet size.
[!] --string pattern
Matches the given pattern.
[!] --hex-string pattern
Matches the given pattern in hex notation.
--icase
Ignore case when searching.
Examples:
# The string pattern can be used for simple text characters.
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
# (-A INPUT and -j LOG added here: the man page shows only the match part, and iptables refuses a rule with no chain.)
iptables -A INPUT -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|' -j LOG
# -t mangle added: the DSCP target is only valid in the mangle table, so the filter table rejects this rule.
iptables -t mangle -A FORWARD -i eth0.2 -p udp -m string --algo bm --icase --string 'vultr' --from 1 --to 600 -j DSCP --set-dscp-class CS4
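An added example, not from the man page or anyone in this thread: the `--hex-string` pattern in the DNS example is the RFC 1035 label encoding of `www.netfilter.org`, and `--from 40` skips the IPv4, UDP and DNS headers (assuming a 20-byte IPv4 header without options). The Python below builds that pattern, emulates the `--from`/`--to` window of `-m string`, and shows why a plain `--string "facebook.com"` never matches a DNS query for that name, since the dot is a length byte on the wire; the packet bytes are constructed, not captured.

```python
IP_UDP_DNS_HDR = 20 + 8 + 12  # IPv4 (no options) + UDP + DNS header, hence --from 40

def dns_wire_name(name):
    """'www.netfilter.org' -> b'\\x03www\\x09netfilter\\x03org\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name

def hex_string_pattern(name):
    """Same bytes in the |..| notation that --hex-string accepts."""
    labels = name.rstrip(".").split(".")
    return "".join("|%02x|%s" % (len(l), l) for l in labels) + "|00|"

def string_match(packet, pattern, frm=0, to=None, icase=False):
    """Emulate -m string: look for pattern in bytes frm..to-1 (to defaults to packet size)."""
    window = packet[frm:len(packet) if to is None else to]
    if icase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def dns_query_packet(name):
    """Constructed IPv4/UDP/DNS query for name; lengths and checksums are left zero."""
    ip = b"\x45\x00" + b"\x00" * 18                      # version 4, IHL 5 -> 20 bytes
    udp = b"\xc0\x00\x00\x35" + b"\x00" * 4               # sport 49152, dport 53
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6       # id, RD set, QDCOUNT=1
    return ip + udp + dns + dns_wire_name(name) + b"\x00\x01\x00\x01"  # QTYPE A, class IN

def matches_dns_query(name, packet):
    """The man page's approach: window [40, 40+len(qname)) with the wire-format pattern."""
    qname = dns_wire_name(name)
    return string_match(packet, qname, frm=IP_UDP_DNS_HDR, to=IP_UDP_DNS_HDR + len(qname))

if __name__ == "__main__":
    pkt = dns_query_packet("facebook.com")
    print(hex_string_pattern("www.netfilter.org"))  # |03|www|09|netfilter|03|org|00|
    print(matches_dns_query("facebook.com", pkt))   # True
    print(string_match(pkt, b"facebook.com"))       # False: '.' is a length byte on the wire
```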

Same problem here. Any solution?

Nothing from my end.

I found the solution you need to install both
iptables-mod-filter AND kmod-ipt-filter

I had only one of them installed


Hi everyone, for some reason it doesn't work for me.
What I have done:

opkg update
opkg install kmod-ipt-filter iptables-mod-filter
/usr/sbin/iptables -A FORWARD -m string --algo bm --string "facebook.com" -j DROP
/usr/sbin/iptables -A FORWARD -m string --algo bm --string "youtube.com" -j DROP

and I am still able to watch youtube & facebook.

Any advice?
I see the rule in iptables

root@OpenWrt:~# iptables --list-rules | grep facebook
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
root@OpenWrt:~# 

I'm on OpenWrt 18.06.1, r7258-5eb055306f

and the order of the rules?

root@OpenWrt:~# iptables --list-rules | grep facebook
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
root@OpenWrt:~# iptables --list-rules 
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "youtube.com" --algo bm --to 65535 -j DROP
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m mac --mac-source FF:FF:FF:FF:FF:FF -m comment --comment "!fw3: Rule-Name" -j zone_wan_dest_ACCEPT
...bunch of rules which have accept or deny
-A zone_lan_forward -m mac --mac-source FF:FF:FF:FF:FF:FF -m comment --comment "!fw3: Rule-Name" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 49273 -m comment --comment "!fw3: @rule[9]" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
root@OpenWrt:~# 

So... FORWARD in br-lan jumps to zone_lan_forward... (ditto for the other direction, zone_wan_forward respectively)

You've truncated your rules, but I'm guessing there is no RETURN in that chain.

Your added rules are never reached.
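An added example (not from anyone in this thread) of the check this reply describes: parse `iptables -S` output and list the rules that sit behind an unconditional terminating rule in the same chain, which is what happened to the two `-A FORWARD ... -j DROP` rules appended after `-A FORWARD -m comment --comment "!fw3" -j reject`. The sample dump is a constructed, shortened copy of the FORWARD and reject chains above; the user chain `reject` counts as terminating because its last rule is an unconditional REJECT.

```python
import re

BUILTIN_VERDICTS = {"ACCEPT", "DROP", "REJECT"}
# Constructed sample: shortened copy of the FORWARD and reject chains above, not a live dump.
SAMPLE_DUMP = """\
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "youtube.com" --algo bm --to 65535 -j DROP
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
"""

def parse_rules(dump):
    """Map chain name -> list of (match_spec, target, raw_line) from iptables -S output."""
    chains = {}
    for line in dump.splitlines():
        m = re.match(r"-A (\S+) (.*)$", line)
        if not m:
            continue  # -P policy and -N chain lines carry no rule
        chain, rest = m.groups()
        jump = re.search(r"-j (\S+)", rest)
        # A comment match never restricts traffic: strip it and the target, then see what is left.
        spec = re.sub(r'-m comment --comment "[^"]*"', "", rest)
        spec = re.sub(r"-j \S+.*$", "", spec).strip()
        chains.setdefault(chain, []).append((spec, jump.group(1) if jump else None, line))
    return chains

def terminating_targets(chains):
    """Built-in verdicts plus user chains whose last rule is an unconditional verdict."""
    terminal = set(BUILTIN_VERDICTS)
    for name, rules in chains.items():
        if rules and rules[-1][0] == "" and rules[-1][1] in BUILTIN_VERDICTS:
            terminal.add(name)
    return terminal

def shadowed_rules(dump):
    """Return the raw rule lines that no packet can ever reach."""
    chains = parse_rules(dump)
    terminal = terminating_targets(chains)
    dead = []
    for rules in chains.values():
        blocked = False
        for spec, target, line in rules:
            if blocked:
                dead.append(line)
            elif spec == "" and target in terminal:
                blocked = True  # every packet leaves the chain here
    return dead
```

Run `shadowed_rules(SAMPLE_DUMP)` to get the two string-match rules; on a router, feed it the output of `iptables -S` instead.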

I have added a rule to block everything and also added rules which let valid users use the internet.
These are examples of the rules I have added at the end of my /etc/config/firewall:

config rule
  option name 'RuleName'
  option src 'lan'
  option dest 'wan'
  option proto 'all'
  option target 'ACCEPT'
  option src_mac 'MAC-Addresses-list'

config rule
  option name 'RuleName'
  option src 'lan'
  option dest 'wan'
  option proto 'all'
  option target 'REJECT'
  option extra '-m time --kerneltz --weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat --timestart 14:00 --timestop 23:59'
  option enabled '1'

I'm a programmer and have no knowledge about those rules. I'm gonna go RTFM about iptables, probably for the 4th time. If you can recommend something you think is best, it would be really appreciated.

On consumer grade router hardware, a rule like this would cripple your router... what hardware are you attempting this on?

TPLink WDR 3600/4300

You want something like:

iptables -I zone_lan_forward -s 192.168.1.0/29 ...

I have tried adding it 3 ways; nothing worked. What am I doing wrong?

iptables -I zone_lan_forward -s 192.168.0.0/24 -m string --algo bm --string "facebook.com" -j DROP

iptables -I zone_lan_forward -m string --algo bm --string "facebook.com" -j DROP

iptables -I INPUT -m string --algo bm --string "facebook.com" -j DROP

I am using dnsmasq to block sites and it is working fine for me. For youtube you can add an entry such as "address=/youtube.com/127.0.0.1", and it blocks sub-domains of youtube.com also.

Hi @nbuser,

Can you share the configuration of dnsmasq, and also, does dnsmasq block sites in bridge mode?

Thanks,


Thank you.
