Is it possible to build an Access-Restriction ruleset based on a whitelist policy?
I want to allow only a few specific websites for a src-IP.
This whitelist script functions fine under Tomato classic 1.07 running on a WRT54GL (without the "insmod ipt_mac" command).
I have not used it yet on the newer platforms. This newest script version 4 seems to have been updated with a command to support k2.6 builds. I have the hardware to test with the current 50 build, but time is a bit of a squeeze. Let me know if it works for you, and I'll be happy to help test if needed.
    # IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
    # Version 4. Please increment version number with subsequent modifications. GeeTek.

    # Set up the chain
    iptables -N wanout
    iptables -I INPUT -i `nvram get lan_ifname` -j wanout
    iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

    # Create whitelist 'function' script
    WOUT="/tmp/wanout"
    echo 'iptables -I wanout -j ACCEPT' > $WOUT
    chmod 777 $WOUT

    # Exempt Machine MAC
    # load xt_mac instead of ipt_mac on k2.6 builds
    insmod ipt_mac
    $WOUT '-m mac --mac-source 00:30:18:A9:A9:C6'

    # Exempt Machine IP
    $WOUT '-s 192.168.1.2'

    # Allow everyone access to these sites
    $WOUT '-d www.google.com'
    $WOUT '-d www.yahoo.com'
    $WOUT '-d www.dd-wrt.com'

    # Allow everyone access to these IP Addresses
    $WOUT '-d 18.104.22.168'
    $WOUT '-d 22.214.171.124'
    $WOUT '-d 126.96.36.199'
    $WOUT '-d 188.8.131.52'

    # Allow everyone access to specific destination ports
    $WOUT '-p udp --dport 8000'
    $WOUT '-p tcp --dport 80'

    # Everything else gets blocked
    iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
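An added example (not part of the original post or the script author's code): a dry run of the /tmp/wanout helper from the version 4 script above. As posted, the helper line contains no positional parameter, so every call inserts an unconditional ACCEPT at the top of wanout, ahead of the final REJECT. The FORWARDING body using $1 is an assumed correction, and iptables is replaced by a stub so nothing touches a real firewall.

```shell
#!/bin/sh
# Dry run of the whitelist helper: iptables is a stub that prints its arguments.

# Helper body exactly as the version 4 script writes it to /tmp/wanout.
AS_POSTED='iptables -I wanout -j ACCEPT'
# Assumed correction (not from the page): forward the rule spec to iptables.
# $1 stays unquoted on purpose so '-d host' splits into separate words.
FORWARDING='iptables -I wanout $1 -j ACCEPT'

# run_helper <helper body> <rule spec>
# Emulates "$WOUT '<rule spec>'" in a subshell and prints the resulting command.
run_helper() (
    body=$1
    iptables() { printf '%s\n' "iptables $*"; }   # stub, no firewall change
    set -- "$2"                                   # helper sees the spec as $1
    eval "$body"
)

# Rule specs copied from the version 4 script (constructed sample subset).
SPECS='-s 192.168.1.2
-d www.dd-wrt.com
-p tcp --dport 80'

# count_unconditional <helper body>
# Counts how many whitelist calls end up as an ACCEPT with no match criteria.
count_unconditional() {
    n=0
    while IFS= read -r spec; do
        if [ "$(run_helper "$1" "$spec")" = 'iptables -I wanout -j ACCEPT' ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SPECS
EOF
    printf '%s\n' "$n"
}

echo "as posted:  $(run_helper "$AS_POSTED" '-d www.dd-wrt.com')"
echo "forwarding: $(run_helper "$FORWARDING" '-d www.dd-wrt.com')"
echo "unconditional ACCEPT rules, as posted:  $(count_unconditional "$AS_POSTED")"
echo "unconditional ACCEPT rules, forwarding: $(count_unconditional "$FORWARDING")"
```

On a router, `iptables -L wanout -n -v --line-numbers` shows the same thing from the live chain: any ACCEPT line with no source, destination or match above the REJECT means the whitelist is not filtering.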
I had a chance to test the above script on an Asus RT-N12 running build 50. It was completely non-functional. Nothing was blocked at all.
I loaded one of the older versions of the script and was pleasantly astonished at how perfectly it did work. Below is the script that runs on most older DD-WRT and Tomato releases and is positively phenomenal with this new generation of hardware / firmware.
Save to your firewall script under the administration menu. Reboot for any changes to take effect. Enjoy!
(Beware, TomatoUSB website looks naked without the colorful Google Ads!)
    # IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588

    # Set up the chain
    iptables -N wanout
    iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

    # Exempt Machine MAC
    iptables -I wanout -m mac --mac-source 00:30:18:A9:A9:C6 -j ACCEPT

    # Exempt Machine IP
    iptables -I wanout -s 192.168.1.2 -j ACCEPT

    # Allow everyone access to these sites
    iptables -I wanout -d www.google.com -j ACCEPT
    iptables -I wanout -d www.yahoo.com -j ACCEPT
    iptables -I wanout -d tomatousb.org -j ACCEPT

    # Allow everyone access to these IP Addresses
    iptables -I wanout -d 184.108.40.206 -j ACCEPT
    iptables -I wanout -d 220.127.116.11 -j ACCEPT
    iptables -I wanout -d 18.104.22.168 -j ACCEPT
    iptables -I wanout -d 22.214.171.124 -j ACCEPT

    # Allow everyone access to specific destination ports
    iptables -A wanout -i `nvram get lan_ifname` -p udp --dport 8000 -j ACCEPT

    # Everything else gets blocked
    iptables -A wanout -i `nvram get lan_ifname` -j REJECT --reject-with icmp-proto-unreachable
Ah yes, thanks for the script. Indeed, I know that it is possible with an iptables script … :-)
My question was: is it possible to build a (Tomato) Access-Restriction ruleset (in the web interface)?
Normally every Access-Restriction blocks the specified traffic. I thought maybe there is a hidden switch to change the default policy (from blacklist to whitelist).
The script works well, but WEB MONITOR doesn't work now! How do I repair it?