
Parental Control


First and foremost, I take no credit for any of this post’s content. I am really just taking what others have done (which I have links to below) and am putting it on my blog for a personal reference and hopefully the small changes that I made to their guides will help someone somewhere.

link: https://github.com/k-szuster/luci-access-control-package/releases

mkdir /mnt/data/Downloads
cd /mnt/data/Downloads

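wget --no-check-certificate https://github.com/k-szuster/luci-access-control-package/releases/download/0.4/luci-app-access-control_0.4_all.ipk

Note: --no-check-certificate turns off TLS certificate verification, so the package is downloaded without authenticating the server. With CA certificates installed on the router, wget can verify the connection and the flag can be dropped.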


Install:
opkg install luci-app-access-control_0.4_all.ipk


Check rules:
iptables -nL delegate_forward --line-numbers



Script to solve the problem of current (already established) connections not being cancelled:

cat /etc/cronfw.sh

#!/bin/sh 
# Insert rule for forwarding established connection traffic, just before the final rule (reject) 
new_rule_num=$(iptables -v -L delegate_forward --line-numbers | grep reject | cut -c1-3)
iptables -I delegate_forward $new_rule_num -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 

# Delete first rule for forwarding established connection traffic
old_rule_num=$(iptables -v -L delegate_forward --line-numbers | grep ESTABLISHED | cut -c1-3 | sed -n 1p) 
iptables -D delegate_forward $old_rule_num



Make it executable:
chmod 755 /etc/cronfw.sh


Cron config to execute it:
crontab -l 
*/1 * * * * /etc/cronfw.sh



cat /etc/firewall.user
# This file is interpreted as shell script. 
# Put your custom iptables rules here, they will 
# be executed with each firewall (re-)start. 

# Internal uci firewall chains are flushed and recreated on reload, so 
# put custom rules into the root chains e.g. INPUT or FORWARD or into the 
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.


# Delete rule for forwarding established connection traffic 
old_rule_num=$(iptables -v -L delegate_forward --line-numbers | grep ESTABLISHED | cut -c1-3) 
iptables -D delegate_forward $old_rule_num 

# Insert rule for forwarding established connection traffic, just before the final rule (reject) 
new_rule_num=$(iptables -v -L delegate_forward --line-numbers | grep reject | cut -c1-3) 
iptables -I delegate_forward $new_rule_num -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
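
The rule-number lookup done by /etc/cronfw.sh and /etc/firewall.user above, as an added example that is not part of the original post or of the access-control package: it matches on the target column instead of using grep, and prints the two iptables commands only when the ESTABLISHED rule actually needs moving. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the original author's script.
CHAIN=delegate_forward   # chain name used throughout the page

# Constructed listing in the format of `iptables -nL $CHAIN --line-numbers`.
# Rule 3 is a hypothetical REJECT rule; its "reject-with" text also matches
# a plain `grep reject`.
sample_listing() {
cat <<'EOF'
Chain delegate_forward (1 references)
num  target     prot opt source               destination
1    forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    REJECT     all  --  192.168.1.50         0.0.0.0/0            reject-with icmp-port-unreachable
4    zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0
5    zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0
6    reject     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Number of the last rule whose target column is exactly "reject".
final_reject_num() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "reject" { n = $1 } END { if (n) print n }'
}

# Number of the first ACCEPT rule that matches conntrack state ESTABLISHED.
first_established_num() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "ACCEPT" && /ctstate/ && /ESTABLISHED/ { print $1; exit }'
}

# Read a listing on stdin and print the commands that move the rule.
# Returns 1 on an unexpected layout, 2 when the rule is already in place.
plan_move() {
    listing=$(cat)
    rej=$(printf '%s\n' "$listing" | final_reject_num)
    est=$(printf '%s\n' "$listing" | first_established_num)
    [ -n "$rej" ] && [ -n "$est" ] || return 1
    [ "$est" -lt "$rej" ] || return 1
    if [ "$est" -eq $((rej - 1)) ]; then return 2; fi
    # Inserting at $rej leaves rule $est (< $rej) at its old number.
    echo "iptables -I $CHAIN $rej -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -D $CHAIN $est"
}

# Dry run on the sample; on a router, pipe the real listing in instead.
sample_listing | plan_move
```

On the router, replace sample_listing with the output of iptables -nL delegate_forward --line-numbers and review the printed commands before running them.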



Add the reload option to the include section of the config file:

cat /etc/config/firewall
...
config include
option path '/etc/firewall.user'
option reload '1'
...

Below is an automated solution (I am not sure where to put it):

# enable execute /etc/firewall.user on every firewall reload
set_firewall_user_reload() {
    i=0
    while true
    do
        # walk the include sections until uci returns nothing
        path=$(uci -q get "firewall.@include[$i].path")
        [ -n "$path" ] || break
        [ "$path" = "/etc/firewall.user" ] && {
            reload=$(uci -q get "firewall.@include[$i].reload")
            [ "$reload" = "1" ] || {
                echo "Setting 'reload' call option to /etc/firewall.user"
                uci set "firewall.@include[$i].reload=1"
                uci commit firewall
            }
        }
        i=$((i+1))
    done
}

And crucially, the firewall reload that occurs when the wan interface comes up must be changed to a restart in /etc/hotplug.d/iface/20-firewall:


cat /etc/hotplug.d/iface/20-firewall
...
#fw3 -q reload 
fw3 -q restart
...






