Firewall Restriction to Blocking URL or Domains

iamlost
Posts: 13
Joined: Mon Mar 20, 2017 5:39 pm
Location: Australia

Firewall Restriction to Blocking URL or Domains

Post by iamlost »

How do I use Firewall Restrictions to stop DNS queries (dnsmasq) to a specific domain/URL? What am I missing?

Please forward me to the correct forum article if there is a different way to achieve this.

Trying to use the firewall restrictions to limit the access to YouTube. Currently I only have my DNS provider being able to block YouTube access, and this blocks YouTube for the whole network, not just the rogue users. I would like to add a time limit to the rogue users, so they can access YouTube during lunch.

I reviewed the following forum article viewtopic.php?t=7349 and I have not found the configurations to limit time or the originating request in Privoxy.


Troubleshooting

Turn on restrictions, rogue users are still able to access YouTube
Turn on DNS, no users have access to YouTube
Activate system log in Gargoyle
Edit “/etc/config/dhcp” and add the following line: option logqueries '1' (This will show the dnsmasq queries in the system log)

Try connecting from a device on the restriction (192.168.10.99). The first 5 entries are Google entries with a successful reply from the DNS provider.

Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 query[A] clients1.google.com from 192.168.10.99
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 forwarded clients1.google.com to 195.46.39.39
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14878 192.168.10.99/55469 reply id.google.com is 172.217.22.131
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients1.google.com is <CNAME>
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients.l.google.com is 216.58.201.238

The three below are YouTube being stopped by the DNS provider.

Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 query[A] www.youtube.com from 192.168.10.99
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 forwarded www.youtube.com to 195.46.39.39
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 reply www.youtube.com is 195.46

I have tried to attach the Firewall Restrictions as I have them configured, but the image is having some issues.

Below are the iptables rules showing the Firewall Restrictions that are generated:

-A egress_restrictions -p tcp -m weburl --contains youtu.be -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube-ui.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains googlevideo.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytstatic.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtubei.googleapis.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains m.youtube.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtu.be --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube-ui.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains googlevideo.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytstatic.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtubei.googleapis.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains m.youtube.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -s 192.168.10.18/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -s 192.168.10.24/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -s 192.168.10.99/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -p tcp -m iprange --src-range 192.168.10.70-192.168.10.179 -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -p tcp -m timerange --hours 60-86340 -j CONNMARK --set-xmark 0x40000000/0x40000000
-A egress_restrictions -p tcp -m connmark --mark 0x49000000/0xff000000 -j REJECT --reject-with tcp-reset
-A egress_restrictions -j CONNMARK --set-xmark 0x0/0xff000000
-A ingress_restrictions -j ingress_whitelist

Thanks
Wayne
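The query log that `option logqueries '1'` produces is the quickest way to see which names a restricted client resolves and to what, which is what a URL-only (weburl) rule never inspects. The following is an added example, not code from the thread or from Gargoyle; the log lines and addresses in it are constructed in the thread's log format, and the field positions assume that format.

```shell
#!/bin/sh
# Added example, not from the thread: answer "which names did this client
# resolve, and to what?" from a dnsmasq query log in the format that
# option logqueries '1' produces. Log lines are constructed from the thread's
# format; the addresses in them are made up.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 query[A] clients1.google.com from 192.168.10.99
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 forwarded clients1.google.com to 195.46.39.39
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients1.google.com is <CNAME>
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients.l.google.com is 216.58.201.238
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 query[A] www.youtube.com from 192.168.10.99
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 forwarded www.youtube.com to 195.46.39.39
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 reply www.youtube.com is 195.46.39.40
Tue Mar 31 09:18:42 2020 daemon.info dnsmasq[7652]: 14881 192.168.10.18/51000 query[A] www.example.com from 192.168.10.18
Tue Mar 31 09:18:42 2020 daemon.info dnsmasq[7652]: 14881 192.168.10.18/51000 reply www.example.com is 93.184.216.34
EOF

# Field layout of one line: $8 = dnsmasq query id, $9 = client/port,
# $10 = action (query[A], forwarded, reply), $11 = name, $12 = from|to|is,
# $13 = client, upstream server or answer.

# Distinct names a client asked for.
names_queried_by() {      # $1 = client IP
    awk -v c="$1" '$10 ~ /^query\[/ && $13 == c { print $11 }' "$LOG" | sort -u
}

# "name address" pairs the client actually received, joined on the query id so
# a CNAME chain is credited to the name asked for; <CNAME> placeholders skipped.
addresses_received_by() { # $1 = client IP
    awk -v c="$1" '
        $10 ~ /^query\[/ && $13 == c                  { want[$8] = $11 }
        $10 == "reply" && ($8 in want) && $13 !~ /^</ { print want[$8], $13 }
    ' "$LOG"
}

# Names matching a block pattern that the client nevertheless resolved to an
# address: the list to check when an app keeps working after URL rules exist.
resolved_despite_block() { # $1 = client IP, $2 = extended regex over the name
    addresses_received_by "$1" | awk -v re="$2" '$1 ~ re { print $1 }' | sort -u
}

resolved_despite_block 192.168.10.99 'youtube|googlevideo|ytimg'
```

On the router, replace the constructed file with `logread | grep dnsmasq` output to run the same check against live queries.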

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by Lantis »

Can you confirm which version of Gargoyle you're using please?
This will help understand why the weburl filtering is not working.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

iamlost
Posts: 13
Joined: Mon Mar 20, 2017 5:39 pm
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by iamlost »

Hi all, apologies,

Running version 1.12.0

Thanks
Wayne
Linksys wrt1200ac - gargoyle 1.12.0

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by Lantis »

So the following simple rule stopped YouTube for me.

Chain egress_restrictions (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5568  811K egress_whitelist  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  3899 REJECT     tcp  --  *      *       192.168.1.40         0.0.0.0/0           WEBURL --contains youtube  reject-with tcp-reset

There are obviously additional URLs that need to be taken care of, but this was enough to block basic access to the site.
Are you saying that a simple rule like that (created through the GUI) is not working for you?

To do a full test, make sure that the client in question has browser caches cleared and was not on youtube at the time the block was created.
Already established connections, and cached objects will not be blocked. Only NEW connections.

I'd also recommend drastically simplifying your rules at first until you know that the simple rules are working, then get more complicated.
I'd remove the IP ranges, and the Time Ranges to begin with. Add them back in one at a time once sure that things are working.
If something doesn't work at that point, you can let me know and if needed I'll find out why.

iamlost
Posts: 13
Joined: Mon Mar 20, 2017 5:39 pm
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by iamlost »

Hi

Partial success

I reduced the firewall to a single restriction for a single ip address,

-A egress_restrictions -s 192.168.10.99/32 -p tcp -m weburl --contains youtube -j REJECT --reject-with tcp-reset

Chrome works great: no DNS call and failure to load the site. Firefox was a partial failure: it made the DNS call but could not load the page ("Secure Connection Failed").

The YouTube app worked without any issues; it completed the DNS call and loaded a video.

Thanks
Wayne

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: Firewall Restriction to Blocking URL or Domains

Post by RomanHK »

Beware of DoH and DoT, which encrypt the DNS queries already in the client and bypass the router's DNS servers; then there will be no restrictions.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by Lantis »

So testing the theory, it's working ok.
Now you can try adding back in the rules 1 at a time to try and cover the other use cases (e.g. the app).
I'm not sure what URLs the app uses internally.

iamlost
Posts: 13
Joined: Mon Mar 20, 2017 5:39 pm
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by iamlost »

Hi

Added the following URL blocks: youtube, googlevideo, ytimg, youtube-ui, ytstatic and youtubei. None of these stop the app; it completes the DNS call and receives the IP address.

If I block these at the DNS provider, it blocks the app.

I have found the IPSET function in some of the forums for linking dnsmasq and iptables, but I have not figured out how it works.

Any ideas?
Thanks
Wayne

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by Lantis »

IPSet won't help unless you know the entire list of IPs used by youtube.

Gargoyle doesn't really have any DNS level blocking built into the GUI. The app is probably making DNS calls and then resolving the IP rather than a web GET request.
Everything would need to be set up manually, and there isn't really any guidance on these forums for that, sorry.
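The dnsmasq/ipset linkage asked about above works the other way round from a static IP list: dnsmasq's `ipset` option adds every address it resolves for the listed names to a kernel ipset as clients look them up, and a firewall rule matches on that set. This is an added example, not Gargoyle's configuration or anything posted in this thread; it assumes dnsmasq built with ipset support (dnsmasq-full on OpenWrt), the ipset package, the set name `yt_block`, a plain FORWARD rule rather than Gargoyle's restriction chains, and that `/etc/dnsmasq.conf` is read by the router's dnsmasq, and like every DNS-based control it only sees names the client resolves through the router (see the DoH/DoT note earlier in the thread).

```shell
#!/bin/sh
# Added example, not Gargoyle's own configuration: dnsmasq's "ipset" option
# adds every address it resolves for the listed names (and their subdomains)
# to a kernel ipset as clients look them up, so the address list does not
# have to be known in advance; an iptables rule then rejects traffic from the
# restricted client to anything in that set. Assumes dnsmasq built with ipset
# support (dnsmasq-full on OpenWrt) and the ipset package on the router.
SET_NAME="yt_block"                 # set name: assumption
RESTRICTED="192.168.10.99"          # the restricted client from the thread
DOMAINS="youtube.com googlevideo.com ytimg.com youtu.be"   # from the thread's rules

# The dnsmasq.conf line, "ipset=/name1/name2/.../setname".
dnsmasq_ipset_line() {
    printf 'ipset=/%s/%s\n' "$(echo "$DOMAINS" | tr ' ' '/')" "$SET_NAME"
}

# Commands for the router. The set must exist before dnsmasq starts; entries
# expire after an hour so stale addresses drop out. Both TCP and UDP are
# rejected because the app may use QUIC (UDP 443) rather than HTTPS over TCP.
firewall_commands() {
    cat <<EOF
ipset -exist create $SET_NAME hash:ip timeout 3600
iptables -I FORWARD -s $RESTRICTED -p tcp -m set --match-set $SET_NAME dst -j REJECT --reject-with tcp-reset
iptables -I FORWARD -s $RESTRICTED -p udp -m set --match-set $SET_NAME dst -j REJECT
EOF
}

# Apply on the router as root; not run automatically. /etc/dnsmasq.conf is
# assumed to be read by the router's dnsmasq (assumption for this example).
apply_on_router() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root on the router" >&2; return 1; }
    firewall_commands | sh -e
    dnsmasq_ipset_line >> /etc/dnsmasq.conf
    /etc/init.d/dnsmasq restart
}

# After applying, "ipset list yt_block" should fill as the client resolves names.
dnsmasq_ipset_line
firewall_commands
```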

iamlost
Posts: 13
Joined: Mon Mar 20, 2017 5:39 pm
Location: Australia

Re: Firewall Restriction to Blocking URL or Domains

Post by iamlost »

Thanks for helping