SmallNetBuilder Forums
  #41  
03-09-2013, 10:49 PM
RMerlin

First thing: INPUT and OUTPUT tables are for traffic coming to and from the router. In this case, you want to control traffic that passes through the router. So, the correct table to manipulate is the FORWARD table.

Therefore:

Code:
iptables -I FORWARD -d ad-g.doubleclick.net -j REJECT
is what you want if your goal is to prevent connecting to these servers.

This isn't a very efficient or reliable way to implement ad blocking, however. The more rules you add, the higher the impact it will have on your network, since every packet must be checked against every rule in the table. This is where ipset will provide a far more efficient method of implementing blacklisting.

Writing a script that would download a blocklist and generate a proper ipset list would be the ideal. Unfortunately, many blocklists seem to ship in a p2p format, and they require you to pay to get these lists in a more compatible format (cidr format, for example)...
__________________
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
See the sticky post for more info.

Last edited by RMerlin; 03-09-2013 at 10:52 PM.
  #42  
03-09-2013, 11:41 PM
AnthonyArmato

Thanks. That does work.

How would the blocklist need to be written? If I had a list of domains could I create one myself?
  #43  
03-10-2013, 12:02 AM
RMerlin

Quote:
Originally Posted by AnthonyArmato
Thanks. That does work.

How would the blocklist need to be written? If I had a list of domains could I create one myself?

IP ranges have to be in a CIDR format to be easily pluggable into an ipset list. For example, to block 192.168.1.1 through 192.168.1.254, it would have to be entered as 192.168.1.0/24.
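Added example, not part of the original thread or of Asuswrt-Merlin: a sketch of the blocklist-to-ipset script discussed in posts #41 and #43, converting range lines into CIDR prefixes and rendering them as input for `ipset restore`. Assumptions: the "p2p" list uses PeerGuardian-style `label:start-end` lines, the set name `blocklist` is arbitrary, the router has ipset v6 (`hash:net`, `--match-set`), and the conversion runs on a PC with Python 3.

```python
import ipaddress
import sys

# Constructed sample in p2p format (label:start-end); documentation ranges only.
SAMPLE_P2P = """\
# constructed sample list
Example Ads A:192.0.2.0-192.0.2.255
Example Ads B:198.51.100.1-198.51.100.254
Label with: colon:203.0.113.0-203.0.113.7
Example Ads C:203.0.113.8-203.0.113.15
broken line without a range
Reversed:192.0.2.9-192.0.2.1
"""

def p2p_to_cidrs(text):
    """Return (sorted, merged list of IPv4 networks, list of rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The label may itself contain ':', so split on the last one.
        _, sep, span = line.rpartition(":")
        try:
            if not sep:
                raise ValueError("no label separator")
            first, last = (ipaddress.IPv4Address(p.strip()) for p in span.split("-"))
            # Raises ValueError when first > last; yields the exact CIDR cover.
            nets.extend(ipaddress.summarize_address_range(first, last))
        except ValueError:
            rejected.append(line)
    # Merge adjacent and overlapping prefixes so the set stays small.
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore(name, nets):
    """Render input for `ipset restore` (ipset v6 syntax, an assumption here)."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, bad = p2p_to_cidrs(SAMPLE_P2P)
    # On the router:  ipset restore -! < blocklist.ipset
    # Then one rule:  iptables -I FORWARD -m set --match-set blocklist dst -j REJECT
    sys.stdout.write(ipset_restore("blocklist", nets))
    for line in bad:
        print("skipped:", line, file=sys.stderr)
```

An exact cover of .1 through .254 takes 14 prefixes; the single /24 from the post above is the rounded form that also includes .0 and .255.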
  #44  
10-23-2014, 11:38 AM
sammyano

Quote:
Originally Posted by RMerlin
If you want to take it one step forward, the following will force all DNS queries to go through your router (which will in turn go through OpenDNS). That way, a misconfigured client will still have Internet access, just that it will be forced to go through your configured DNS.

Code:
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
Repeat the same for TCP if you wish. I haven't tested it myself, this is just based on Tomato code that I looked at a few weeks ago.

Cleaner than just dropping connection to other DNS servers.

Hello RMerlin,
Is the below code supposed to modify the '--to-destination' with the OpenDNS IP, or is it just a matter of using it as is -
#!/bin/sh
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -I PREROUTING -t nat -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
__________________
RT-AC66U - Merlin build .43
Linksys WRP400 as SIP Adapter
  #45  
10-23-2014, 03:05 PM
RMerlin

Quote:
Originally Posted by sammyano
Hello RMerlin,
Is the below code supposed to modify the '--to-destination' with the OpenDNS IP, or is it just a matter of using it as is -
#!/bin/sh
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -I PREROUTING -t nat -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

That code is obsolete now. Use the built-in DNSFilter instead, you will be able to configure everything through the web interface - much simpler.