Blocking URLs/IPs

From DD-WRT Wiki

Block URLs with an Automatically Downloaded Host File

I have kept the original script, which is below this one. This one is much shorter, but does even more checking than the other one. It tries to download the file at least 5 times after startup. An even better solution is offered in my set of optware scripts, where it will also run pixelserv on the router. I didn't like the cronjob approach because the list is quite static.

frater

_rogue=127.0.0.1
echo -e "n=1\nwhile ! wget -q -O /tmp/hsts http://www.mvps.org/winhelp2002/hosts.txt ; do\n\t[ \$n -gt 5 ] && break\n\tlet n+=1\n\tsleep 60\ndone\ngrep \"^127.0.0.1\" /tmp/hsts | grep \"^127.0.0.1\" | grep -v localhost | awk '{print \"$_rogue\\\t\"\$2}' | tr -d '\\\015' >/tmp/dlhosts\nrm /tmp/hsts\nkillall -HUP dnsmasq" >/tmp/wh
sh /tmp/wh &

Braian87b - Edit Note : 2013-02-03 The URL actually redirects to http://winhelp2002.mvps.org/hosts.txt; you could use it instead. You see the "/tmp/dlhosts" filepath? Well, you need to add that as "addn-hosts=/tmp/dlhosts" (without quotes) to the "Additional DNSMasq Options" textbox and enable the three "DNSMasq", "Local DNS", "No DNS Rebind" checkboxes. Or you can add this line (it will add the addn-hosts setting to the dnsmasq.conf file):

grep addn-hosts /tmp/dnsmasq.conf || echo "addn-hosts=/tmp/dlhosts" >> /tmp/dnsmasq.conf

IMHO the following script is deprecated, but I left it for comparison.

This was originally taken from mraneri from the Linksys forum, but was heavily modified.

#!/bin/sh

logger WAN up script executing
sleep 5
if test ! -s /tmp/dlhosts
then
	cat >/tmp/dlhosts <<"EOF"
#!/bin/sh
logger Downloading http://www.mvps.org/winhelp2002/hosts.txt
wget -O - http://www.mvps.org/winhelp2002/hosts.txt |
	grep 127.0.0.1 |
	sed '2,$s/127.0.0.1/0.0.0.0/g; s/[[:space:]]*#.*$//g;' |
	grep -v localhost |
	tr ' ' '\t' |
	tr -s '\t' |
	tr -d '\015' |
	sort -u >/tmp/hosts0
grep addn-hosts /tmp/dnsmasq.conf ||
	echo " " >>/tmp/dnsmasq.conf
grep addn-hosts /tmp/dnsmasq.conf ||
	echo "addn-hosts=/tmp/hosts0" >>/tmp/dnsmasq.conf
logger Restarting dnsmasq
# SIGHUP only re-reads the hosts files, not dnsmasq.conf, so stop dnsmasq and start it again
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
EOF
	chmod 777 /tmp/dlhosts
	/tmp/dlhosts
fi
grep -q '/tmp/dlhosts' /tmp/crontab || 
	echo "45 23 * * 5 root /tmp/dlhosts" >>/tmp/crontab

This script automatically downloads a hosts file from "http://www.mvps.org/winhelp2002/hosts.txt" and redirects all the URLs in that file to 127.0.0.1. All those URLs are common malware or advertisement sites, so it is better to block them. You can also download the file, add new URLs that you want to block or delete the ones you don't want to block, upload it to a web site, and change the URL in the code to your custom one. Be aware that the more URLs there are in the file, the more of your router's RAM it will use. Check the file size and your free memory to see if it will suit you. If not, just erase some URLs. If you want to block all URLs from the moment the router boots, just place it in the startup scripts.
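The scripts above hand whatever the plain-HTTP download returns to dnsmasq after a few grep/awk filters. As an added example (not part of the wiki's scripts), the function below keeps only well-formed "127.0.0.1 hostname" lines and leaves the existing list in place when a download comes back truncated; the names sanitize_hosts, sample_hosts and MIN_ENTRIES and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki. MIN_ENTRIES is an assumed sanity threshold;
# 3 suits the constructed sample below, raise it for a real list.
MIN_ENTRIES=${MIN_ENTRIES:-3}

# Constructed sample input with CRLF line endings (not real list content)
sample_hosts() {
    printf '%s\r\n' \
        '# comment line' \
        '127.0.0.1  localhost' \
        '127.0.0.1  ads.example.com  # tracker' \
        '127.0.0.1  Ads.Example.com' \
        '127.0.0.1  track.example.net' \
        '127.0.0.1  cdn.example.org' \
        '10.0.0.5   bank.example.com' \
        '127.0.0.1  bad;name.example' \
        '127.0.0.1  a.example b.example'
}

# sanitize_hosts SRC DST [SINK]: keep only "127.0.0.1 <hostname>" lines whose
# hostname is a syntactically valid dotted DNS name, map them to SINK, dedupe.
# Returns 1 and leaves DST untouched if fewer than MIN_ENTRIES lines survive.
sanitize_hosts() {
    src=$1 dst=$2 sink=${3:-127.0.0.1}
    tmp="$dst.new.$$"
    tr -d '\015' <"$src" | awk -v sink="$sink" '
        { sub(/#.*/, "") }                     # strip comments
        $1 != "127.0.0.1" || NF != 2 { next }  # exactly: address + one name
        { h = tolower($2) }
        h == "localhost" || length(h) > 253 { next }
        # labels of letters, digits, "-" and "_", separated by single dots
        h !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/ { next }
        { print sink "\t" h }' | sort -u >"$tmp"
    count=$(wc -l <"$tmp")
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        rm -f "$tmp"          # truncated or empty download: keep the old list
        return 1
    fi
    mv "$tmp" "$dst"
}

# On the router this would replace the grep/awk pipeline, for example:
#   sanitize_hosts /tmp/hsts /tmp/dlhosts && killall -HUP dnsmasq
```

Because the result is written to a temporary file and only moved into place after the count check, a failed or partial download never empties a list that dnsmasq is already serving.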

--Brueggmann 10.17.2010 - I've modified the "killall" line as sending a HUP didn't reread the configuration file for me. Please see the dnsmasq man page.

Update by Aviad (A.K.A. Hotfortech): While the above works just fine, there are two main disadvantages of the above method:

1. The blocked content will be shown as "page cannot be displayed" within the website's advertisement segments and will cause the page to not load until the browser gives up on the missing object.

2. If you want to add sites to the block list, you have to do it on a per host basis... (tedious)

Enter shameless self promotion -> I have created a script on my wiki that deals with the above and more by using the pixelserv method described in the forum. You can find the script and a detailed explanation of how it works on my wiki: http://hotfortech.wikispaces.com/How+to+remove+advertisements+with+pixelserv+on+DD-WRT

Hope this helps anyone.

BobLfoot - Edit Note : 2011-01-14 added line "dnsmasq --conf-file=/tmp/dnsmasq.conf" to the script as it was stopping dnsmasq, but not restarting it. Also found that adding "grep addn-hosts /tmp/dnsmasq.conf || echo " " >>/tmp/dnsmasq.conf" made sure that the dnsmasq.conf addition went on a new line. Script might be made leaner through \n usage but that is untested.

Braian87b - Edit Note : 2013-02-03 In addition, you can add this firewall script to intercept all DNS requests and send them to dnsmasq, even if someone in the network has manually added their own DNS addresses on their device (PC, laptop, smartphone, etc.).

# Intercept & Force all br0 DNS Requests to Router's DNS 
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

Global Blacklisting per MAC

If you have a lot of DD-WRT routers, denying access to abusive users through the web interface of each router can be time-consuming.

Here is a small firewall script that automatically downloads the MAC addresses of computers that should be denied access. The file is a Unix text file with one MAC address per line. The script assumes that you have a jffs partition. You can run it at startup by saving it as /jffs/etc/config/wifi_bl.wanup

#!/bin/sh
cd /jffs || exit 1
# Please modify the script to download the blacklist file from your web server
# Download to a temporary file so that a failed download keeps the previous list
if wget -q -O wifi_blacklist.tmp http://www.myserver.com/wifi_blacklist.txt ; then
    mv wifi_blacklist.tmp wifi_blacklist.txt
else
    rm -f wifi_blacklist.tmp
fi
# Load the MAC match module if it is not loaded yet
module_exists=`lsmod | grep ipt_mac`
if [ -z "$module_exists" ] ; then
    insmod ipt_mac
fi
# Deleting the old table (only the FORWARD chain is read; -n avoids DNS lookups)
old_mac=`iptables -nL FORWARD | egrep "..:..:..:..:..:.."  | sed "s/.*\(..:..:..:..:..:..\).*/\1/"`
for mac in $old_mac ; do
    iptables -D FORWARD -p tcp -m mac --mac-source $mac -j REJECT --reject-with tcp-reset
done
# Adding the table again
for mac in `cat /jffs/wifi_blacklist.txt` ; do
    iptables -I FORWARD -p tcp -m mac --mac-source $mac -j REJECT --reject-with tcp-reset
done
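The blacklist script above passes every word of the downloaded file, unquoted, to iptables as a MAC address. As an added example (not part of the wiki's script), the functions below accept only well-formed MAC addresses and generate the same REJECT rules from them; the names valid_macs, blacklist_rules and sample_blacklist and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki: validate the downloaded blacklist before
# any line reaches iptables.

# Constructed sample blacklist (not real addresses)
sample_blacklist() {
    printf '%s\n' \
        '00:11:22:aa:bb:cc' \
        '00:11:22:AA:BB:CC   # duplicate in upper case' \
        '' \
        '00:11:22:33:44' \
        '00:11:22:33:44:55 -j ACCEPT' \
        'de:ad:be:ef:00:01'
}

# valid_macs FILE: print the well-formed MAC addresses in FILE, one per line,
# upper-cased and de-duplicated. Malformed lines are reported on stderr by
# line number only, so their content is never echoed to a terminal or log.
valid_macs() {
    tr -d '\015' <"$1" | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # two hex digits, then ":xx" groups; length 17 means exactly six octets
        toupper($0) ~ /^[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+$/ && length($0) == 17 {
            mac = toupper($0)
            if (!(mac in seen)) { seen[mac] = 1; print mac }
            next
        }
        { printf "skipping malformed entry on line %d\n", NR | "cat 1>&2" }'
}

# blacklist_rules FILE: emit the iptables commands used by the wiki script,
# one per valid MAC, so they can be reviewed first or piped to sh.
blacklist_rules() {
    valid_macs "$1" | while read -r mac; do
        echo "iptables -I FORWARD -p tcp -m mac --mac-source $mac -j REJECT --reject-with tcp-reset"
    done
}
```

In the wiki script, the final loop could read from valid_macs /jffs/wifi_blacklist.txt instead of cat, so a line carrying extra words is dropped rather than becoming extra iptables arguments.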

White Listing

If you want to create a white list to block access by default but allow certain traffic through, then you can use this script to do it. Remove any junk comment lines beginning with # to save nvram space. Discuss here.

# IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
# This Wiki Page http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing
# Version 5. Please increment version number with subsequent modifications. GeeTek.

# Set up the chain
iptables -N wanout
iptables -I INPUT -i `nvram get lan_ifname` -j wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Create whitelist 'function' script ($1 is the match passed by each call below)
WOUT="/tmp/wanout"
echo 'iptables -I wanout $1 -j ACCEPT' > $WOUT
chmod 777 $WOUT

# Exempt Machine MAC
# load xt_mac instead of ipt_mac on k2.6 builds
insmod ipt_mac
$WOUT '-m mac --mac-source 00:30:18:A9:A9:C6'

# Exempt Machine IP
$WOUT '-s 192.168.1.2'

# Allow everyone access to these sites  (DNS lookup only happens once when rule is inserted and stays that single IP)
$WOUT '-d www.google.com'
$WOUT '-d www.yahoo.com'
$WOUT '-d www.dd-wrt.com'

# Allow everyone access to these IP addresses/netmask
$WOUT '-d 74.125.67.100'
$WOUT '-d 74.125.127.100'
$WOUT '-d 74.125.45.100/24'
$WOUT '-d 209.131.36.158/29'

#Allow everyone access to specific destination ports
$WOUT '-p udp --dport 8000'

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

# IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
# Version 1.1 for older chipsets and/or experimental firmware builds. Please freeze this version. GeeTek.
# URL for this Wiki Page http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing

# Set up the chain 
iptables -N wanout 
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout 

# Exempt Machine MAC
iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT

# Exempt Machine IP
iptables -I wanout -s 192.168.1.2 -j ACCEPT

# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
iptables -I wanout -d www.google.com -j ACCEPT 
iptables -I wanout -d www.yahoo.com -j ACCEPT
iptables -I wanout -d www.dd-wrt.com -j ACCEPT

# Allow everyone access to these IP Addresses 
iptables -I wanout -d 74.125.45.100 -j ACCEPT
iptables -I wanout -d 8.8.8.8 -j ACCEPT

# Allow everyone access to these IP Address ranges
iptables -A wanout -m iprange --dst-range 4.1.2.3-4.5.6.7 -j ACCEPT

# Allow everyone access to these Subnets
iptables -A wanout -d 7.0.0.0/8 -j ACCEPT 

#Allow everyone access to specific destination ports
iptables -A wanout -i `nvram get lan_ifname` -p udp --dport 24500 -j ACCEPT

# Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

#modified script to work from (at least) build 21286. and decreasing required nvram space. (by jackykoning)
#IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
#This Wiki Page http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing
#Version 6. Please increment version number with subsequent modifications. GeeTek.

#Set up the chain
iptables -N wanout
iptables -I INPUT -i `nvram get lan_ifname` -j wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

#Create whitelist 'function' script
WOUT='iptables -I wanout  -j ACCEPT'
MAC='-m mac --mac-source'

# Exempt Machine MAC
$WOUT $MAC 00:30:18:A9:A9:C6

#Exempt Machine IP
$WOUT -s 192.168.1.2

#Allow everyone access to these sites  (DNS lookup only happens once when rule is inserted and stays that single IP)
$WOUT -d www.google.com
$WOUT -d www.yahoo.com
$WOUT -d www.dd-wrt.com

#Allow everyone access to these IP addresses/netmask
$WOUT -d 74.125.67.100
$WOUT -d 74.125.127.100
$WOUT -d 74.125.45.100/24
$WOUT -d 209.131.36.158/29

#Allow everyone access to specific destination ports
$WOUT -p udp --dport 8000

#Everything else gets blocked
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

http://www.dd-wrt.com/wiki/index.php/Ad_blocking