DD-WRT website whitelist setup

Our company needed to allow access to only a handful of websites, plus a short local address for an internal host. After a lot of attempts it finally works, so I am writing it down as a reminder.

1. The DD-WRT site has a wiki page for this, but its script has a few small problems; with some modifications it meets the requirement. The script file is as follows:

Official page: http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing

(The official script has a parameter error, and its final catch-all DROP rule causes DHCP to fail, because the chain is also hooked into INPUT and the DROP swallows the clients' DHCP requests to the router. The modified script below does not have this problem.)

#!/bin/sh
# IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
# This Wiki Page http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing
# Version 5. Please increment version number with subsequent modifications. GeeTek.

LAN=$(nvram get lan_ifname)
WAN=$(nvram get wan_ifname)

# Set up the chain. A *.wanup script runs every time the WAN comes up, so
# remove the jump rules and chain left by the previous run first; otherwise
# each run stacks another copy of the jump in INPUT and FORWARD.
iptables -D INPUT -i "$LAN" -j wanout 2>/dev/null
iptables -D FORWARD -i "$LAN" -j wanout 2>/dev/null
iptables -F wanout 2>/dev/null
iptables -X wanout 2>/dev/null
iptables -N wanout
iptables -I INPUT -i "$LAN" -j wanout
iptables -I FORWARD -i "$LAN" -j wanout

# Create whitelist 'function' script: $WOUT '<match>' inserts an ACCEPT rule.
# $1 is deliberately unquoted so that '-d host' splits into two arguments.
WOUT="/tmp/wanout"
echo 'iptables -I wanout $1 -j ACCEPT' > $WOUT
chmod 755 $WOUT   # runs as root; it does not need to be world-writable (wiki used 777)

# Exempt Machine MAC (placeholder MAC address; uncomment to use)
# load xt_mac instead of ipt_mac on k2.6 builds
#insmod ipt_mac
#$WOUT '-m mac --mac-source 00:11:22:33:44:55'

# Exempt Machine IP (placeholder address; uncomment to use)
#$WOUT '-s 10.0.0.50'

# Allow everyone access to these sites. Hostnames are resolved once, when the
# rule is inserted, and the resulting addresses are frozen from then on; names
# served from a CDN (mzstatic, phobos.apple.com) can stop matching later.
$WOUT '-d wpa.qq.com'
$WOUT '-d hm.baidu.com'
$WOUT '-d s.mzstatic.com'
$WOUT '-d ssl.apple.com'
$WOUT '-d images.apple.com'
$WOUT '-d a1813.phobos.apple.com'
$WOUT '-d a1488.phobos.apple.com'
$WOUT '-d a856.phobos.apple.com'
$WOUT '-d a1671.phobos.apple.com'
$WOUT '-d a1.mzstatic.com'
$WOUT '-d a5.mzstatic.com'
$WOUT '-d a2.mzstatic.com'
$WOUT '-d a3.mzstatic.com'
$WOUT '-d a4.mzstatic.com'
$WOUT '-d a63.phobos.apple.com'
$WOUT '-d securemetrics.apple.com'
$WOUT '-d ax.init.itunes.apple.com'
$WOUT '-d metrics.apple.com'
$WOUT '-d 30-courier.push.apple.com'

# Allow everyone access to these IP addresses/netmask. Note that these rules
# allow every port to these addresses; add '-p udp --dport 53' if only DNS is meant.
$WOUT '-d 202.106.0.20'
$WOUT '-d 8.8.8.8'

# Allow everyone access to specific destination ports (placeholder; uncomment to use)
#$WOUT '-p tcp --dport 443'

# Everything else gets blocked. Only LAN->WAN forwarding is rejected: packets
# addressed to the router itself (DHCP, DNS) have no output interface while in
# INPUT, so they fall through this rule and are handled by the normal INPUT rules.
iptables -A wanout -i "$LAN" -o "$WAN" -j REJECT --reject-with icmp-proto-unreachable

2. Adding it to startup

The official wiki says the boot script can be set with nvram set rc_startup, but after trying N times it never took effect. I then renamed the script file above to *.wanup, placed it under /jffs/etc/config, and it started successfully. My suspicion is that right after the router boots the network interfaces and firewall are not yet up, which is why a boot script set via rc_startup fails. (.wanup runs after the interfaces and firewall are up; startup runs before.) DD-WRT flushes and rebuilds the iptables rules when its firewall starts, so rules inserted from the startup script are gone by then, which is why iptables rules belong in the firewall script or a *.wanup file. Two things to check for the *.wanup route: JFFS2 must be enabled and mounted so that /jffs is writable, and the file must be executable (chmod +x), otherwise it is silently ignored.
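A checked variant of the whitelist build, as an added example that is not the DD-WRT wiki script or the .wanup file above: it reads the whitelist from a file instead of hard-coding it, refuses entries that would not survive the unquoted `$1` expansion of the /tmp/wanout helper (the rule spec is expanded straight into the iptables argument list), rebuilds the chain idempotently so a WAN reconnect does not stack duplicate jump rules, and adds a `verify_chain` check to run over `iptables -S` output after the WAN comes up. Assumptions: the chain is named `wanout` as above; the whitelist is one entry per line (hostname, IP, CIDR, or `tcp:PORT`/`udp:PORT`, `#` starts a comment); `br0`/`vlan2` are fallback interface names used only when nvram is unavailable; `/jffs/etc/config/whitelist.txt` in the usage comment is a hypothetical path. Setting `IPT=echo` gives a dry run that prints the iptables commands instead of applying them.

```sh
#!/bin/sh
# Added example: file-driven, validated, idempotent build of the "wanout"
# whitelist chain, plus a post-install check. Not the DD-WRT wiki script.

IPT="${IPT:-iptables}"      # IPT=echo prints the commands instead of applying them
# On DD-WRT the interface names come from nvram; the fallbacks (assumed
# names) only matter when running elsewhere for a dry run.
LAN="${LAN:-$(nvram get lan_ifname 2>/dev/null || echo br0)}"
WAN="${WAN:-$(nvram get wan_ifname 2>/dev/null || echo vlan2)}"

# Turn one whitelist entry into an iptables match. Accepted forms:
#   host / IP / CIDR   -> -d <value>            (ssl.apple.com, 8.8.8.8, 10.0.0.0/8)
#   tcp:PORT, udp:PORT -> -p <proto> --dport PORT
# Any other character is refused: the match is later expanded unquoted into
# the iptables argument list, so input like "host;cmd" must never get through.
entry_to_spec() {
    case "$1" in
        ''|*[!A-Za-z0-9.:/-]*) return 1 ;;
        tcp:*|udp:*) printf '%s %s %s %s\n' -p "${1%%:*}" --dport "${1#*:}" ;;
        *) printf '%s %s\n' -d "$1" ;;
    esac
}

# Read the whitelist on stdin (one entry per line, '#' starts a comment) and
# install the chain. Returns 1 if any entry was refused (the others still apply).
build_rules() {
    rc=0
    # Tear down what a previous WAN-up left behind before rebuilding.
    $IPT -D INPUT -i "$LAN" -j wanout 2>/dev/null
    $IPT -D FORWARD -i "$LAN" -j wanout 2>/dev/null
    $IPT -F wanout 2>/dev/null
    $IPT -X wanout 2>/dev/null
    $IPT -N wanout
    $IPT -I INPUT -i "$LAN" -j wanout
    $IPT -I FORWARD -i "$LAN" -j wanout
    while read -r entry rest; do
        case "$entry" in ''|'#'*) continue ;; esac
        case "$rest" in ''|'#'*) ;; *) echo "refused: $entry $rest" >&2; rc=1; continue ;; esac
        spec=$(entry_to_spec "$entry") || { echo "refused: $entry" >&2; rc=1; continue; }
        # -A keeps file order; -d hostnames are resolved once, right here.
        $IPT -A wanout $spec -j ACCEPT
    done
    # Reject only LAN->WAN forwarding. Packets for the router itself (DHCP,
    # DNS) have no output interface while in INPUT, so they fall through.
    $IPT -A wanout -i "$LAN" -o "$WAN" -j REJECT --reject-with icmp-proto-unreachable
    return $rc
}

# Check the live ruleset (pipe `iptables -S` into it): exactly one jump into
# wanout from INPUT and one from FORWARD, and the REJECT must be the chain's
# last rule, otherwise an ACCEPT entry behind it would never be reached.
verify_chain() {
    rules=$(cat)
    in_jumps=$(printf '%s\n' "$rules" | grep -c -- "^-A INPUT -i $LAN -j wanout\$" || true)
    fw_jumps=$(printf '%s\n' "$rules" | grep -c -- "^-A FORWARD -i $LAN -j wanout\$" || true)
    last=$(printf '%s\n' "$rules" | grep -- '^-A wanout ' | tail -n 1)
    [ "$in_jumps" -eq 1 ] && [ "$fw_jumps" -eq 1 ] &&
        [ "$last" = "-A wanout -i $LAN -o $WAN -j REJECT --reject-with icmp-proto-unreachable" ]
}

# Typical use in a *.wanup file (hypothetical whitelist path):
#   build_rules < /jffs/etc/config/whitelist.txt && iptables -S | verify_chain
```

Run it once with `IPT=echo` against the whitelist file to eyeball the generated rules before letting it touch the live firewall; `verify_chain` is the check to repeat after a WAN reconnect, since a stacked duplicate jump is harmless to clients but a rule appended behind the REJECT is a silent whitelist entry that never takes effect.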

3. Short domain names via DNSMasq

In the admin page under Services, enable DNSMasq and put the following in the Additional DNSMasq Options field, then save and restart. dnsmasq will answer queries for ubox.mini (and any name under it) with 10.0.0.1. Only clients that use the router as their DNS server see this; a client pointed directly at an external resolver such as the whitelisted 8.8.8.8 will not resolve the short name.

address=/ubox.mini/10.0.0.1


Fiddling with this wireless router has at least been a lesson in iptables, heh.
