Please forward me to the correct forum article if there is a different way to achieve this.
Trying to use the firewall restrictions to limit the access to YouTube. Currently I only have my DNS provider being able to block YouTube access, and this blocks YouTube for the whole network, not just the rogue users. I would like to add a time limit to the rogue users, so they can access YouTube during lunch.
I reviewed the following forum article viewtopic.php?t=7349 and I have not found the configurations to limit time or the originating request in Privoxy.
Troubleshooting
Turn on restrictions, rogue users are still able to access YouTube
Turn on DNS, no users have access to YouTube
Active system log in Gargoyle
Edit “/etc/config/dhcp” and add the following line: option logqueries '1' (This will show the dnsmasq queries in the system log)
Try connecting from a device on the restriction (192.168.10.99). The first 5 entries are a Google entry with a successful reply from the DNS Provider.
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 query[A] clients1.google.com from 192.168.10.99
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 forwarded clients1.google.com to 195.46.39.39
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14878 192.168.10.99/55469 reply id.google.com is 172.217.22.131
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients1.google.com is <CNAME>
Tue Mar 31 09:18:40 2020 daemon.info dnsmasq[7652]: 14879 192.168.10.99/28892 reply clients.l.google.com is 216.58.201.238
The three below are YouTube being stopped by the DNS Provider.
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 query[A] www.youtube.com from 192.168.10.99
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 forwarded www.youtube.com to 195.46.39.39
Tue Mar 31 09:18:41 2020 daemon.info dnsmasq[7652]: 14880 192.168.10.99/44008 reply www.youtube.com is 195.46
Below are the iptables showing the Firewall Restrictions that are generated:
-A egress_restrictions -p tcp -m weburl --contains youtu.be -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube-ui.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains googlevideo.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytstatic.l.google.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtubei.googleapis.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains m.youtube.com -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtu.be --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtube-ui.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains googlevideo.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytimg.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains ytstatic.l.google.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains youtubei.googleapis.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -p tcp -m weburl --contains m.youtube.com --domain_only -j CONNMARK --set-xmark 0x1000000/0x1000000
-A egress_restrictions -s 192.168.10.18/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -s 192.168.10.24/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -s 192.168.10.99/32 -p tcp -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -p tcp -m iprange --src-range 192.168.10.70-192.168.10.179 -j CONNMARK --set-xmark 0x8000000/0x8000000
-A egress_restrictions -p tcp -m timerange --hours 60-86340 -j CONNMARK --set-xmark 0x40000000/0x40000000
-A egress_restrictions -p tcp -m connmark --mark 0x49000000/0xff000000 -j REJECT --reject-with tcp-reset
-A egress_restrictions -j CONNMARK --set-xmark 0x0/0xff000000
-A ingress_restrictions -j ingress_whitelist
Wayne
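
The egress_restrictions chain in the post above, modelled as an added example (not part of the original post and not Gargoyle's own code) to show how the three connmark bits combine into the REJECT decision. Assumptions: `evaluate` and `seen_host` are hypothetical names, `--hours 60-86340` is read as inclusive seconds since midnight, and both weburl rule sets are modelled as a substring test on the hostname.

```python
import ipaddress

# Mark bits and reject mask copied from the egress_restrictions rules above.
URL_BIT, SRC_BIT, TIME_BIT = 0x1000000, 0x8000000, 0x40000000
REJECT_MARK, REJECT_MASK = 0x49000000, 0xFF000000

URL_PATTERNS = ["youtu.be", "youtube.com", "youtube-ui.l.google.com",
                "googlevideo.com", "ytimg.com", "ytimg.l.google.com",
                "ytstatic.l.google.com", "youtubei.googleapis.com",
                "m.youtube.com"]
SINGLE_SOURCES = {ipaddress.ip_address(a) for a in
                  ("192.168.10.18", "192.168.10.24", "192.168.10.99")}
RANGE_LO = ipaddress.ip_address("192.168.10.70")
RANGE_HI = ipaddress.ip_address("192.168.10.179")
# --hours 60-86340: assumed to be seconds since midnight, bounds inclusive.
BLOCK_START, BLOCK_END = 60, 86340


def evaluate(src, seen_host, second_of_day):
    """Return (mark, verdict) for one TCP connection walking the chain.

    seen_host is the hostname the weburl match read from the connection,
    or None when it read none (a modelling assumption of this example).
    """
    ip = ipaddress.ip_address(src)
    mark = 0
    if seen_host and any(p in seen_host for p in URL_PATTERNS):
        mark |= URL_BIT      # one of the weburl --contains rules matched
    if ip in SINGLE_SOURCES or RANGE_LO <= ip <= RANGE_HI:
        mark |= SRC_BIT      # one of the -s / iprange rules matched
    if BLOCK_START <= second_of_day <= BLOCK_END:
        mark |= TIME_BIT     # the timerange rule matched
    # REJECT only when all three bits are set; otherwise the last rule
    # clears the top byte and the connection continues.
    verdict = "REJECT" if (mark & REJECT_MASK) == REJECT_MARK else "ACCEPT"
    return mark, verdict


if __name__ == "__main__":
    t = 9 * 3600 + 18 * 60 + 41  # 09:18:41, time of the youtube.com query in the log
    cases = [  # constructed inputs
        ("192.168.10.99", "www.youtube.com", t),   # all three bits set
        ("192.168.10.99", None, t),                # no URL rule matched
        ("192.168.10.50", "www.youtube.com", t),   # source not listed
        ("192.168.10.99", "www.youtube.com", 30),  # before the time range
    ]
    for src, host, sec in cases:
        mark, verdict = evaluate(src, host, sec)
        print(f"{src:15} {str(host):18} {sec:6} mark={mark:#010x} {verdict}")
```

Only the first case reaches 0x49000000; any connection on which no weburl rule fires keeps mark 0x48000000 and is accepted regardless of source and time.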