OpenWrt Forum Archive

Topic: Block HTTP traffic by contents/address/keywords?

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've got a WRT54G v2.2, and have been running DD-WRT on it.
For several reasons I switched to OpenWRT (I may explain on request), and am now trying to replicate the firewall features that I had available before.
One of them is kind of "parental control", by blocking websites based on their address, or keywords.
Is this possible with OpenWRT? Which iptables modules will I need in addition to the ones already preinstalled?
I'm not planning to go into L7 (poor 200MHz box...)

Storage space is not an issue (got an MMC hack running) but of course RAM and CPU are limiting factors.

Any hint is appreciated!

It's not iptables, you need a proxy (Squid) ...

I'm sure it can be done without squid.
(Hey, if DD-WRT can do this, OpenWRT should also be able to do it better, shouldn't it? :-)
I did a bit more investigating, and discovered (in the output of various iptables -vnL commands):

pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto rtsp
    0     0 logreject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp WEBSTR match host microsoft.com
    0     0 logreject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp WEBSTR match url adult< >xxx

and so on...
Which modules are responsible for this kind of task, and is there documentation? I already searched netfilter.org but couldn't spot layer7 and webstr...
(and what would be the correct syntax for iptables commands to reproduce the above settings?)

Thanks in anticipation
S

I really don't think that iptables can do what you want. You need a proxy.
Let me know if you succeed in doing that with it.

What's DD-WRT? Is it like OpenWRT with a web interface and all that stuff?

TeKa wrote:

I really don't think that iptables can do what you want.

It can, DD-WRT is living proof.

What's DD-WRT? Is it like OpenWRT with a web interface and all that stuff?

www.dd-wrt.com

stephen wrote:

0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto rtsp
    0     0 logreject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp WEBSTR match host microsoft.com
    0     0 logreject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp WEBSTR match url adult< >xxx

As Obi-Wan said: Use the source, Luke.
I did.

The settings above are made in src/router/services/firewall.c (svn://svn.dd-wrt.com/DD-WRT), and read

-A advgrp_%d -m layer7 --l7proto %s -j logdrop
-A advgrp_%d -p tcp -m tcp -m webstr --host "%s" -j logreject
-A advgrp_%d -p tcp -m tcp -m webstr --url "%s" -j logreject

and there's something like

-A FORWARD -i %s -o %s -p tcp -m tcp --dport %d -m webstr --content %d -j logreject

as well.
Now the double matching is a bit confusing, and I'm still looking for some decent webstr (and while I'm at it, layer7) documentation.

(Last edited by stephen on 10 Jun 2006, 16:02)

OK, so I went out again, and found layer7 in iptables-mod-filter.ipk.
Searching for ipt_webstr, I didn't succeed, but found https://openwrt.org/browser/tags/HEAD/o … tch?rev=33
which suggests that webstr support has been removed in May 2004 (about two years ago!).
This may (or may not) be related to a change in OpenWRT's general policy; in fact, the webstr match filter was derived from the string match by CyberTAN.

Both string and webstr should nevertheless be GPLed, so at the moment I'm trying to understand
- why webstr was removed (will search discussions)
- what's the basic difference between string and webstr (besides the focus on web content, and the introduction of < > as separator; will run diff)
- whether I would be able to make my own iptables-mod-webstr (or iptables-mod-string) package (instructions are there, have to find a decent source for both string and webstr ipt_*)

If layer7 filtering can be done by a 200MHz MIPS CPU, then webstr matching should be no big deal at all... Suggestions?
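An added example, not code from this thread, from DD-WRT's firewall.c or from OpenWrt, showing how the "webstr --host" and "webstr --url" rules quoted above can be approximated with the standard string match (xt_string/ipt_string, the same iptables-mod-filter package that carries layer7). The LAN bridge name br-lan and the chain name WEBFILTER are assumptions. By default the script only prints the iptables commands so they can be reviewed; run it with APPLY=1 as root to apply them. DD-WRT's "< >" keyword separator is split the same way. Two caveats a practitioner should keep in mind: the string match is a substring search over a single packet, so it only sees plaintext HTTP on port 80 and misses a Host header that happens to straddle two TCP segments, and a bare keyword such as "xxx" will also hit innocent URLs. The "-p tcp -m tcp" pair in the DD-WRT rules is redundant, since "-p tcp" already loads the tcp match.

```shell
#!/bin/sh
# Added example, not DD-WRT's or OpenWrt's own code: approximate
# "webstr --host" and "webstr --url" with the xt_string match.
# Hypothetical names: LAN_IF=br-lan and CHAIN=WEBFILTER.

LAN_IF="${LAN_IF:-br-lan}"
CHAIN="${CHAIN:-WEBFILTER}"

# Dry run by default: print a shell-quoted command instead of executing it.
# Set APPLY=1 (as root) to really run iptables.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
        return
    fi
    line=""
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9_./:=-]*) arg="'$arg'" ;;   # quote args containing spaces etc.
        esac
        line="$line $arg"
    done
    printf '%s\n' "${line# }"
}

# Split DD-WRT's keyword list on its "< >" separator, one keyword per line.
split_keywords() {
    s="$1"
    while [ -n "$s" ]; do
        case "$s" in
            *"< >"*) printf '%s\n' "${s%%< >*}"; s="${s#*< >}" ;;
            *)       printf '%s\n' "$s"; s="" ;;
        esac
    done
}

# Equivalent of "-m webstr --host H": look for the HTTP Host header.
# Substring search, so "microsoft.com" also catches "www.microsoft.com".
block_hosts() {
    for h in "$@"; do
        run iptables -A "$CHAIN" -p tcp --dport 80 \
            -m string --algo bm --icase --string "Host: $h" \
            -j REJECT --reject-with tcp-reset
    done
}

# Equivalent of "-m webstr --url adult< >xxx": one rule per keyword,
# matched anywhere in the packet payload (so expect false positives).
block_url_keywords() {
    split_keywords "$1" | while read -r kw; do
        [ -n "$kw" ] || continue
        run iptables -A "$CHAIN" -p tcp --dport 80 \
            -m string --algo bm --icase --string "$kw" \
            -j REJECT --reject-with tcp-reset
    done
}

# Create the chain and hook LAN-originated port-80 traffic into it.
setup_chain() {
    run iptables -N "$CHAIN"
    run iptables -I FORWARD -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
}

# Example invocation mirroring the rules quoted from DD-WRT's output:
#   sh webfilter.sh demo            (prints the rules)
#   APPLY=1 sh webfilter.sh demo    (applies them, as root)
if [ "${1:-}" = demo ]; then
    setup_chain
    block_hosts microsoft.com
    block_url_keywords 'adult< >xxx'
fi
```

REJECT with a TCP reset is used rather than DROP so the browser fails fast instead of hanging until a timeout; DD-WRT's logreject/logdrop targets are just its own logging wrappers around the same idea. If the Host-header rule must not fire on hosts that merely contain the string (for example "notmicrosoft.com"), add the preceding CRLF to the pattern with --hex-string instead of --string.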

Hmmm.... bump?

Hi, I know this is old, but is there any progress on this feature?

I'm also interested in this.

Specifically to block downloading of a certain file name. Can this be done in OpenWRT?

To better block content, you need a proxy. Try tinyproxy if you don't have a lot of space. Privoxy has more options, but a larger footprint. Dansguardian is the most comprehensive, if you have a lot of memory and disk space.

The discussion might have continued from here.