Access Restriction with Whitelist Script

mahendra_89 (Prominent), Oct 17, 2017
Hello,

I have installed Tomato firmware on a Linksys E900 router. We have a team of 50 users. I am trying to put in place the access restriction policy below:
1. White list (access only to sites which are added to the white list)
2. Block list (always blocked)
3. Full internet access for selected users
I searched for some scripts which would allow me to perform the above access restriction, but it is not working.

Below is the script I used

# Allow these hosts unrestricted access
iptables -A wanout -i `nvram get lan_ifname` -m mac --mac-source <allowed MAC #1> -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -m mac --mac-source <allowed MAC #2> -j ACCEPT

# Allow everyone access to these sites
iptables -A wanout -i `nvram get lan_ifname` -d www.yahoo.com -j ACCEPT
iptables -A wanout -i `nvram get lan_ifname` -d www.gmail.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -i `nvram get lan_ifname` -j DROP

Any help would be appreciated.

Thanks
Mahendra Shivsharan
 
Since you were searching for scripts, I have to assume your knowledge of iptables commands is limited (no worries, mine is super rusty ... it's been like 15 years).

Your script is using a custom chain "wanout" ... you never define it.

# Set up the chain (it did not exist, so every "-A wanout" in the original script was rejected)
iptables -N wanout
# Send traffic that the router forwards from the LAN interface through the new chain
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Exempt machine by MAC (inserted at the top of the chain, so it is checked first)
iptables -I wanout -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

# Allow everyone access to these sites
# (a "-d hostname" match is resolved once, when the rule is added; only the
# addresses returned at that moment are allowed)
iptables -A wanout -d www.google.com -j ACCEPT

# Everything else gets blocked
iptables -A wanout -i `nvram get lan_ifname` -j DROP

# DROP is terminal, so this RETURN is never reached for packets in the chain
iptables -A wanout -j RETURN
 

mahendra_89 (Prominent), Oct 17, 2017



Hello anotherdrew,

Thanks for your reply,

I have tried using the script you provided, but no luck: the sites are not loading. But when I remove the script, or the line "iptables -A wanout -i `nvram get lan_ifname` -j DROP", the websites load but there is no restriction.

Do you have any idea regarding this?

Thanks
 


Yes ... I messed up. I appended the rules to the FORWARD chain, and they should be appended to the OUTPUT chain. Sorry about that. It has been a while since I have done iptables stuff.

BTW .. unless you have some other network security hardware installed, the rules you put in place are what keeps your network secure. Please, please, please read up on iptables and make sure your default rules are to deny everything (at a minimum).

The following commands will show you all your rules ...

# -n skips reverse DNS lookups, which otherwise make the listing slow
iptables -vnL -t filter
iptables -vnL -t nat
iptables -vnL -t mangle
iptables -vnL -t raw
iptables -vnL -t security

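The three-tier policy from the opening post (white list, always-blocked list, exempt users), written as one complete Tomato "Firewall" script. This is an added example, not code from the thread or from the Tomato project. It assumes the chain name "wanout", placeholder MAC addresses, and placeholder address ranges from the RFC 5737 test networks; it also assumes it is pasted into Administration > Scripts > Firewall, so it re-runs whenever Tomato rebuilds the firewall. Two points where it differs from the scripts above: it hooks the FORWARD chain, because packets from LAN hosts are forwarded by the router while OUTPUT only carries packets the router itself generates; and it matches addresses rather than hostnames, because a "-d hostname" rule is resolved only once, at insertion, which is why a site with many or changing addresses stops loading. The block list is evaluated before the exempt hosts, so "always blocked" applies to the full-access users as well.

```shell
#!/bin/sh
# Added example (not from the thread): Tomato "Firewall" script for the
# three-tier policy, written so the rules can be printed and reviewed
# before they touch the router. All names and addresses are placeholders.
#
# Policy, in evaluation order:
#   1. block list  - dropped for everyone, exempt hosts included
#   2. exempt MACs - full access
#   3. white list  - everyone may reach these addresses
#   4. default     - everything else from the LAN is dropped
#
# Addresses, not hostnames: "-d www.example.com" is resolved once, when the
# rule is inserted, to whatever A records exist at that moment. Sites served
# from CDNs or many addresses then stop loading. Use address ranges here, or
# control names on the DNS side (not covered by this example).
EXEMPT_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # placeholder MACs
BLOCKED_NETS="198.51.100.0/24"                       # placeholder block list
ALLOWED_NETS="203.0.113.10 203.0.113.0/24"           # placeholder white list
CHAIN=wanout                                         # assumed chain name

# Print the iptables commands for a given LAN interface; no side effects.
gen_rules() {
    _lan=$1
    # Create the chain, or empty it if the script is re-run
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # FORWARD, not OUTPUT: packets from LAN hosts are forwarded by the router,
    # OUTPUT only sees packets the router itself generates. Delete any old
    # jump first so re-running does not stack duplicate jumps.
    echo "iptables -D FORWARD -i $_lan -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $_lan -j $CHAIN"
    # 1. block list before anything else
    for n in $BLOCKED_NETS; do
        echo "iptables -A $CHAIN -d $n -j DROP"
    done
    # 2. exempt hosts (source MAC is visible here because the chain only
    #    receives packets that entered on the LAN interface)
    for m in $EXEMPT_MACS; do
        echo "iptables -A $CHAIN -m mac --mac-source $m -j ACCEPT"
    done
    # 3. white list
    for n in $ALLOWED_NETS; do
        echo "iptables -A $CHAIN -d $n -j ACCEPT"
    done
    # 4. default deny. DROP is terminal: a RETURN after it would never run.
    echo "iptables -A $CHAIN -j DROP"
}

# Apply on the router (Tomato's lan_ifname is normally br0)
apply_rules() {
    gen_rules "$(nvram get lan_ifname)" | sh
}

# Show the chain with packet counters, to see which rule a test client hit
check_rules() {
    iptables -vnL --line-numbers "$CHAIN"
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_rules ;;
    show)  gen_rules "${LAN_IF:-br0}" ;;
esac
```

Run it with `show` first and read the generated rules; `apply` installs them and `check` lists the chain with counters, which is the quickest way to see which rule a test client is actually hitting. Replies from the internet arrive on the WAN interface, so the `-i` match on the FORWARD jump keeps them out of the chain and no connection-tracking rule is needed. Because the match is on the destination address, it applies to HTTPS exactly as it does to plain HTTP. Two caveats: clients that point at an external DNS resolver will lose name resolution unless that resolver's address is on the white list (Tomato's own dnsmasq, answering on the router, is unaffected), and a source-MAC match only identifies a machine for as long as its user does not change the MAC, so the exempt list is a convenience, not a strong control.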
 

mahendra_89 (Prominent), Oct 17, 2017


Hello,
I have tried many things but it's not working for me, so I am trying to block/restrict websites through the router UI, but I am able to block only HTTP websites; HTTPS sites are still accessible. How can we block HTTPS websites?

Thanks in advance.