
Parental controls

Parental control of internet access can be done in several ways:

  • Time-based restriction of internet access per IP / MAC address
  • Restricting, denying or blocking access to certain websites

Time-based restriction of internet access

Example: block internet access for a certain MAC address / IP address on weekdays between 21:30 and 07:00

via LuCI

  1. Network → Firewall → Traffic Rules → New forward rule
  2. Add a name for your rule, e.g. “Kids weekdays”, “Kids weekend”
  3. Source zone: lan
  4. Destination zone: wan
  5. Click Add and edit
  6. Select Source MAC address or Source address
  7. Set Action to Reject
  8. Select the weekdays
  9. Select the start/stop time
  10. Save & Apply

(Screenshot: time-based restriction of internet access via LuCI)

via /etc/config/firewall

Add a new firewall rule. Edit the following example to suit your needs and append it to /etc/config/firewall. Then run /etc/init.d/firewall reload to load it, check the output for errors, and use fw3 print to confirm that the generated iptables rule (the -m time match in particular) is what you intended.

config rule
       option src 'lan'
       option src_mac '78:BB:AA:3A:88:14'
       option dest 'wan'
       option start_time '21:30:00'
       option stop_time '07:00:00'
       option weekdays 'Mon Tue Wed Thu Fri'
       option utc_time '0'
       option target 'REJECT'
       option name 'Kids weekdays'
       option enabled '1'

Note that the option is spelled enabled, not enable; fw3 ignores options it does not know, so a misspelled option neither errors nor takes effect. Two caveats: src_mac and src_ip only identify a device as long as it keeps that address (a static IP outside the DHCP range or a changed MAC evades the rule, and recent phones randomise their Wi-Fi MAC per network by default). Also, a window such as 21:30-07:00 crosses midnight; iptables' time match applies the weekday list and the time window as separate tests unless the rule carries --contiguous, so look at the fw3 print output for that flag and, if it is absent, either list Sat as well or split the window into a 21:30-23:59:59 rule for Mon-Fri and a 00:00-07:00 rule for Tue-Sat, otherwise Friday night after midnight is not covered.
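The following script is an added example, not code from the OpenWrt wiki: it turns the single rule above into a pair of fw3 rules split at midnight, so neither rule depends on how the time match treats a window that crosses 00:00. It emits a uci batch on stdout; the assumption is that on the router you pipe it into uci batch, then run uci commit firewall and /etc/init.d/firewall reload. The MAC address is the page's example value.

```shell
#!/bin/sh
# Added example: generate two fw3 rules that block a device for the night
# following each listed weekday, split at midnight.  Assumes the output is
# fed to `uci batch` on an OpenWrt router (not part of the original page).

# next_days "Mon Tue Wed Thu Fri" -> "Tue Wed Thu Fri Sat"
# (the morning half of each night falls on the following weekday)
next_days() {
    out=""
    for d in $1; do
        case "$d" in
            Mon) n=Tue ;; Tue) n=Wed ;; Wed) n=Thu ;; Thu) n=Fri ;;
            Fri) n=Sat ;; Sat) n=Sun ;; Sun) n=Mon ;;
            *) echo "unknown weekday: $d" >&2; return 1 ;;
        esac
        out="${out:+$out }$n"
    done
    printf '%s\n' "$out"
}

# emit_rule NAME MAC "DAYS" START STOP -> one fw3 rule as uci batch commands
emit_rule() {
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$1'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].src_mac='$2'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].weekdays='$3'
set firewall.@rule[-1].start_time='$4'
set firewall.@rule[-1].stop_time='$5'
set firewall.@rule[-1].utc_time='0'
set firewall.@rule[-1].target='REJECT'
set firewall.@rule[-1].enabled='1'
EOF
}

# night_block_rules NAME MAC "DAYS" START STOP
# START is on each listed day, STOP is on the following morning.
night_block_rules() {
    name=$1 mac=$2 days=$3 start=$4 stop=$5
    # Reject malformed MACs up front: fw3 would not apply a rule whose
    # src_mac it cannot parse, and nothing would be blocked.
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || {
        echo "bad MAC address: $mac" >&2
        return 1
    }
    morning=$(next_days "$days") || return 1
    # Evening half: START until the end of the listed day.
    emit_rule "$name evening" "$mac" "$days" "$start" "23:59:59"
    # Morning half: midnight until STOP on the following day.
    emit_rule "$name morning" "$mac" "$morning" "00:00:00" "$stop"
}

# Stand-alone demo with the page's example device and window.
night_block_rules "Kids weekdays" "78:BB:AA:3A:88:14" "Mon Tue Wed Thu Fri" 21:30:00 07:00:00
```

Each emitted rule has start_time earlier than stop_time on the same day, so the generated -m time match is unambiguous with or without --contiguous; the price is two rules per window, which is why LuCI shows them separately.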

Killing already-established connections on start time

Once the start time is reached, the rule blocks new connections as intended, but it does nothing to connections that are already established. In the FORWARD chain with fw3's default order (shown below), packets of established connections hit rule 2 (accept RELATED,ESTABLISHED) and never reach the time-restriction rule, which lives in the zone_lan_forward chain (rule 3).

Default behavior:

root# iptables -v -L FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target           prot opt  in        out   source     destination
1        7   333 forwarding_rule   all  --  any       any   anywhere   anywhere        /* !fw3: user chain for forwarding */
2        0     0 ACCEPT            all  --  any       any   anywhere   anywhere        ctstate RELATED,ESTABLISHED /* !fw3 */
3        7   333 zone_lan_forward  all  --  br-lan    any   anywhere   anywhere        /* !fw3 */
4        0     0 zone_wan_forward  all  --  pppoe-wan any   anywhere   anywhere        /* !fw3 */
5        0     0 zone_wan_forward  all  --  eth0.2    any   anywhere   anywhere        /* !fw3 */
6        0     0 reject            all  --  any       any   anywhere   anywhere        /* !fw3 */

The intention is to reorder the chain so that the accept-established rule comes after the zone_*_forward rules, like this:

root# iptables -v -L FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target            prot opt in        out   source     destination
1    17696   12M forwarding_rule   all  --  any       any   anywhere   anywhere        /* !fw3: user chain for forwarding */
2      145 12439 zone_lan_forward  all  --  br-lan    any   anywhere   anywhere        /* !fw3 */
3        1   104 zone_wan_forward  all  --  pppoe-wan any   anywhere   anywhere        /* !fw3 */
4        0     0 zone_wan_forward  all  --  eth0.2    any   anywhere   anywhere        /* !fw3 */
5        1   104 ACCEPT            all  --  any       any   anywhere   anywhere        ctstate RELATED,ESTABLISHED
6        0     0 reject            all  --  any       any   anywhere   anywhere        /* !fw3 */

This is accomplished with a script and a cron job. The cron job is needed because every firewall restart or reload (fw3 also reloads on interface hotplug events) restores the default order, so the reordering has to be re-applied. Until the next cron run, up to 20 minutes, established connections are exempt from the time rule again; putting the same commands into /etc/firewall.user, which fw3 executes after each (re)load, closes that gap. Two more things to check after the change: every packet of every forwarded connection now traverses the zone forward chains, so any other forward rule (including fw3's own, e.g. port forwards) applies to mid-connection packets as well, and the script only touches iptables, so on an IPv6-capable network repeat it with ip6tables.

1. Create /etc/cronfw.sh with the following contents and set the execute bit (chmod +x /etc/cronfw.sh):

#!/bin/sh
# Move fw3's "accept RELATED,ESTABLISHED" rule from the top of FORWARD to just
# before the final "reject" rule, so packets of already-established flows are
# still evaluated by the zone_*_forward chains (and thus by time-based rules).
# Running this repeatedly is harmless: the new rule is inserted before the
# first established-accept rule is deleted, so exactly one copy remains.

# Position of the final "reject" rule (4th column of -L output is the target).
# -n avoids reverse DNS lookups, which are slow and pointless here.
reject_num=$(iptables -n -v -L FORWARD --line-numbers | awk '$4 == "reject" { print $1; exit }')
[ -n "$reject_num" ] || { echo "cronfw: no reject rule found in FORWARD" >&2; exit 1; }

# Insert the accept-established rule directly before "reject"
iptables -I FORWARD "$reject_num" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Delete the first (original, fw3-generated) accept-established rule
old_rule_num=$(iptables -n -v -L FORWARD --line-numbers | awk '/ESTABLISHED/ { print $1; exit }')
[ -n "$old_rule_num" ] && iptables -D FORWARD "$old_rule_num"

2. Go to System → Scheduled Tasks and add the line */20 * * * * /etc/cronfw.sh so that the script runs every 20 minutes

3. Under System → Startup, make sure the cron service is enabled, then restart it

Block access to certain websites

There are many ways to block access to unwanted websites. Many of them work on DNS: the lookup for, say, www.youtube.com is answered with a bogus or empty result instead of the real address. Such blocks are easy to bypass by looking the address up elsewhere (another website, or simply a different DNS resolver) and connecting to the IP address directly. The adblock package appears to work this way.

The most reliable mechanism to block access to a public site is an fw3 rule that rejects traffic to the site's IP addresses (option dest_ip). Keep in mind that large sites sit behind CDNs with many changing addresses, often shared with unrelated services, so an IP-based block is rarely complete and can block more than intended; combining it with DNS filtering only helps if clients cannot simply use another resolver.

docs/guide-user/firewall/fw3_configurations/fw3_parent_controls.txt · Last modified: 2018/09/16 12:49 by bobafetthotmail