OpenWrt Forum Archive

Topic: Firewall settings against unwanted HBBTV traffic

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello forum,

I have installed a SmartTV in my network and now I need to take control over what the device is sending/receiving over the Internet via HBBTV. (I am not using any apps on my TV so far.) I have assigned a static IP to my TV.

I found a comprehensive list of URLs of HBBTV providers (http://urju.de/hbbtv/) but I would like to grant access only for a selection of them.

My concept:

For the TV (identified by static IP or MAC address) I would like to block all traffic in and out except to and from some selected URLs ("whitelist")

example URLs to be allowed:

http://web.ard.de/
http://hbbtv.ardmediathek.de/
http://arte.vo.llnwd.net/
http://cehtml.arte.tv/
[...]

I am not experienced with iptables and firewall settings and from some readings here and on other places this seems to be a quite complex system with rules and tables.

But maybe someone could point me in the right direction and give me a short example of what I need to do on my OpenWRT router to achieve my task.

Thank you in advance and best regards

Ruuter

Model: TP-Link TL-WDR4300 v1
Firmware Version: OpenWrt Chaos Calmer 15.05.1 / LuCI 15.05-149-g0d8bbd2 Release (git-15.363.78009-956be55)
Kernel Version: 3.18.23

If you are planning to block websites, I would consider a (reverse) proxy instead of playing with iptables.

1)
You could use the "adblock" package that selectively blocks DNS queries by defining the blocked sites as localhost (or, in the newer versions, as NXDOMAIN).

Note that it then blocks the whole domain, not a URL. So, instead of "http://www.autozine.de/nettv/" it would block the whole "www.autozine.de". So you should avoid blocking domains to which you have legitimate traffic.

You could configure it so that no actual ad blocklists are downloaded, but you just define a personal blacklist.

Adblock has been backported to the 15.05 branch but after the 15.05.1 release, so there is no 15.05.1 binary .ipk for it.
You need to either compile it or test installing the trunk version of the package. It is only scripts, so there is no binary incompatibility, but some dependency packages may still work differently.

Link to 15.05 readme for adblock 1.5.1: https://github.com/openwrt/packages/blo … /README.md
trunk readme for adblock 2.6.0: https://github.com/openwrt/packages/blo … /README.md

2)
If you only have a few dozen blocked sites and the list does not change, you might even skip installing adblock and just add a list of those domains to the dnsmasq configuration (the DNS server in OpenWrt).

The current adblock 2.6.0 simply places the blocked sites into /tmp/dnsmasq.d in a file like

root@LEDE:~# head /tmp/dnsmasq.d/adb_list.reg_pl
local=/banner.0catch.com/
local=/adspdbl.com/
local=/cdn.alleliteads.com/
local=/cetrk.com/
local=/getclicky.com/

/tmp is not permanent, so the list will automatically disappear at the next boot. I haven't looked closer into the dnsmasq options to see where it could be placed in a permanent way. But that should be doable.
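Making such a list survive a reboot, as an added example that is not from the thread and not part of the adblock package: the script below turns a plain domain list into the same "local=/domain/" lines adblock writes (shown above) and stores them under /etc/dnsmasq.d, which lives on the persistent overlay rather than in /tmp. A single "conf-dir=" line is added to /etc/dnsmasq.conf, the file OpenWrt's dnsmasq init script passes to dnsmasq for options that UCI does not manage. The domain list, the directory and the file name hbbtv.conf are assumptions made for the example; the two invented names use the reserved .example TLD.

```shell
#!/bin/sh
# Added example (not the thread's own code, not part of adblock or OpenWrt).
# Turn a plain domain list into dnsmasq "local=/domain/" lines and store them
# on the persistent overlay so they survive a reboot, unlike /tmp/dnsmasq.d.
# Assumed names: /etc/dnsmasq.d as the directory, hbbtv.conf as the file.
CONF_DIR="${CONF_DIR:-/etc/dnsmasq.d}"
LIST_NAME="hbbtv.conf"

# Constructed sample list for the example, not a real HbbTV blocklist.
# One domain per line; "#" starts a comment. "local=/domain/" makes dnsmasq
# answer for the domain and everything below it itself (NXDOMAIN for unknown
# names), so a whole domain is blocked, never a single URL.
SAMPLE_DOMAINS='
www.autozine.de         # example from the reply above
hbbtv-tracker.example   # invented name on the reserved .example TLD
# tracking.example      # commented out, must not appear in the output
Not A Domain!           # invalid, must be rejected
'

# stdin: domain list  ->  stdout: dnsmasq config lines, invalid entries to stderr
to_dnsmasq() {
    while IFS= read -r line; do
        d="${line%%#*}"                                   # drop trailing comment
        d=$(printf '%s' "$d" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
        [ -z "$d" ] && continue                           # blank or comment-only
        case "$d" in
            *[!a-z0-9.-]*|.*|*.|*..*) echo "rejected: $line" >&2; continue ;;
        esac
        echo "local=/$d/"
    done
}

# Write the rendered list into $1/hbbtv.conf and print the path.
# dnsmasq reads every file in a conf-dir, so one file per purpose is enough.
write_list() {  # $1 = directory, stdin = domain list
    mkdir -p "$1"
    to_dnsmasq > "$1/$LIST_NAME"
    echo "$1/$LIST_NAME"
}

# On the router only: make dnsmasq read the directory once, then restart it.
enable_on_router() {
    if [ -w /etc/dnsmasq.conf ]; then
        grep -qx "conf-dir=$CONF_DIR" /etc/dnsmasq.conf \
            || echo "conf-dir=$CONF_DIR" >> /etc/dnsmasq.conf
        /etc/init.d/dnsmasq restart
    else
        echo "not on an OpenWrt router (/etc/dnsmasq.conf not writable); nothing enabled" >&2
    fi
}

case "${1:-}" in
    install) printf '%s' "$SAMPLE_DOMAINS" | write_list "$CONF_DIR" && enable_on_router ;;
    *)       printf '%s' "$SAMPLE_DOMAINS" | to_dnsmasq ;;   # dry run: show what would be written
esac
```

Run it without arguments to see the rendered lines, and with "install" on the router to write the file and restart dnsmasq. Two checks worth doing afterwards: "cat /var/etc/dnsmasq.conf" should show that the generated configuration still includes /etc/dnsmasq.conf, and "nslookup www.autozine.de 192.168.1.1" from a LAN host should now fail. The caveat is the same as for any DNS-based block: it only bites if the TV actually uses the router as its resolver, and it does nothing against traffic to hard-coded addresses, which is what the iptables approach later in the thread is for.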

Hello and thank you for your replies,

After some searches, I am considering using a new iptables chain in the custom rules.

This is my draft:

# new chain
iptables -N smarttvrules

# allow outgoing traffic from SmartTV (static IP 192.168.1.117) only to wanted IP addresses
iptables -A smarttvrules -s 192.168.1.117 -d 184.28.188.11 -j ACCEPT # to hbbtv.ardmediathek.de
iptables -A smarttvrules -s 192.168.1.117 -d 212.95.74.37 -j ACCEPT # to cehtml.arte.tv
...[list of ~ 20 IPs]...

# all other packets from SmartTV will be dropped
iptables -A smarttvrules -s 192.168.1.117 -j DROP

Will this work if I put these lines into "Firewall - Custom rules" (LuCI)?
Or what else will I need?

Will this affect any traffic of other clients in the network?
What about unwanted incoming traffic to SmartTV (eg. redirection from wanted sites to unwanted sites)? How can I block this?

(Last edited by ruuter on 15 Apr 2017, 09:18)

With helpful support of the maintainer of http://weidner.in-bad-schmiedeberg.de/a … -firewall/  I finally got a big step further :-)

First of all: I did not manage to transfer my iptables commands from LuCI via "Network - Firewall - Custom Rules" (I submitted my commands and restarted the firewall in "Status - Firewall - Restart Firewall", but nothing changed), so I logged into my router via SSH and executed those commands there, just for TESTING(!):

# creating my new chain 'smarttvrules'
iptables -N smarttvrules

# block outgoing traffic to listed IP addresses
iptables -A smarttvrules -d 212.95.74.37 -j DROP # to cehtml.arte.tv

# appending a rule to the existing chain 'forwarding_lan_rule' to jump to my new chain 'smarttvrules', which applies only for local IP 192.168.1.117 (my SmartTV)
iptables -A forwarding_lan_rule -s 192.168.1.117 -j smarttvrules

When I then check the firewall in LuCI, I can see

  • in Chain forwarding_lan_rule there is a new target 'smarttvrules'

  • There is a new Chain smarttvrules (References: 1) with a DROP for destination 212.95.74.37

Result: I can receive HBBTV content in all channels, except ARTE, which has the blocked destination.

This is just a proof of concept for me, as I have now found out how to handle chains and rules.

The next step will be a comprehensive traffic analysis, as I would prefer to build up a white list with all "allowed" destinations (and then change DROP to ALLOW ;-).

I will come back with the full result then.
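The draft chain in the earlier post and the working proof of concept above fit together: a user chain that nothing jumps into is never consulted, and the "iptables -A forwarding_lan_rule -s 192.168.1.117 -j smarttvrules" hook is the piece that makes it live. The script below, an added example that is neither the poster's rules nor part of OpenWrt, combines the two into the whitelist form the thread is working towards. It generates the iptables commands from a reviewable list instead of running them blindly, so the output can be checked and then pasted into /etc/firewall.user, the file behind LuCI's "Custom Rules" that fw3 executes after its own zone chains exist (rules typed over SSH are gone after the next firewall restart or reboot). The TV address and chain name are taken from the thread; the hook chain forwarding_lan_rule is fw3's user hook; the sample list is constructed for the example and must be replaced by addresses from your own capture.

```shell
#!/bin/sh
# Added example (not the poster's rules, not part of OpenWrt/fw3): build a
# per-host whitelist chain from a reviewable list, printed as iptables
# commands that can be pasted into /etc/firewall.user.
# Assumptions: TV address 192.168.1.117 and chain name smarttvrules (both from
# the thread), fw3's forwarding_lan_rule hook, and a constructed sample list.
TV_IP="${TV_IP:-192.168.1.117}"
CHAIN="${CHAIN:-smarttvrules}"
HOOK="forwarding_lan_rule"     # fw3 user hook, reached by new connections forwarded from lan

# Constructed whitelist: "address[/prefix]  # comment" per line.
SAMPLE_WHITELIST='
184.28.188.11        # hbbtv.ardmediathek.de, address quoted in the thread
212.95.74.37         # cehtml.arte.tv, address quoted in the thread
# 203.0.113.0/24     # commented out: documentation range, must not be emitted
203.0.113.5.9        # malformed, must be rejected
'

# a.b.c.d or a.b.c.d/n with each octet 0-255 and n 0-32; returns 0 if valid
is_ipv4_prefix() {
    ip="${1%%/*}"; plen="${1#*/}"
    [ "$plen" = "$1" ] && plen=32                     # no "/n" given: single host
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# stdin: whitelist  ->  stdout: iptables commands (nothing is executed here)
gen_rules() {  # $1 = TV IP
    tv="$1"
    # Idempotent setup: create the chain, or empty it if it already exists,
    # then (re)insert the hook. The "-s $tv" on the hook is what keeps every
    # other LAN client out of this chain.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -D $HOOK -s $tv -j $CHAIN 2>/dev/null || true"
    echo "iptables -I $HOOK 1 -s $tv -j $CHAIN"
    while IFS= read -r line; do
        dst="${line%%#*}"                               # drop trailing comment
        dst=$(printf '%s' "$dst" | tr -d ' \t')
        [ -z "$dst" ] && continue                       # blank or comment-only
        if ! is_ipv4_prefix "$dst"; then
            echo "rejected: $line" >&2; continue
        fi
        echo "iptables -A $CHAIN -d $dst -j ACCEPT"
    done
    # Anything else the TV starts: reject rather than drop, so the TV fails fast
    # instead of hanging in timeouts; use DROP instead if you prefer silence.
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable"
}

case "${1:-}" in
    apply) printf '%s' "$SAMPLE_WHITELIST" | gen_rules "$TV_IP" | sh -e ;;   # run on the router
    *)     printf '%s' "$SAMPLE_WHITELIST" | gen_rules "$TV_IP" ;;          # dry run: print only
esac
```

Some notes on the questions raised in the draft post, all of which follow from how fw3 lays out its chains: only packets with the TV's source address take the jump, so no other client is affected; fw3's forward chain accepts RELATED,ESTABLISHED packets before it enters the zone chains, so the reply half of a whitelisted connection never reaches smarttvrules and needs no rule of its own; unsolicited connections from the Internet to the TV are already rejected by the default wan zone policy; and a "redirection" from an allowed site to some other host is simply a new outbound connection from the TV, which hits the whitelist like any other. The TV's DNS queries to the router go through the INPUT chain, not FORWARD, so they are unaffected, while a TV that insists on an external resolver is rejected, which is consistent with a whitelist. Two practical caveats: CDN names such as arte.vo.llnwd.net resolve to changing addresses, so a pure IP whitelist goes stale and should be re-derived from a fresh capture or combined with the DNS approach from the earlier reply; and if the TV's address is not guaranteed, "-m mac --mac-source xx:xx:xx:xx:xx:xx" on the hook rule works on the LAN side in place of "-s".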

The discussion might have continued from here.