0

我正在尝试找到一种方法来阻止在我孩子的 Ubuntu 计算机上播放 YouTube 视频。我创建了一个 shell 脚本来获取 Youtube IP 并将它们添加到 iptables 以丢弃传入的数据包。为此,我使用whois -h whois.radb.net -- '-i origin AS15169'

问题是我不仅获得了 YouTube IP,还获得了所有 Google IP。因此,阻止它们也会阻止访问其他谷歌服务,其中包括谷歌搜索、谷歌云端硬盘、谷歌邮件等。

我还添加了一些例外,包括域白名单,但这还不够。

这是shell脚本:

#!/bin/bash
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

function block_ips() {
  for THIS_IP in $1; do
    # IPv4 range
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
      echo "Blocking $THIS_IP"
      $IPTABLES -A funban -s $THIS_IP -j fundrop
    fi

    # IPv4
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "Blocking $THIS_IP"
      $IPTABLES -A funban -s $THIS_IP -j fundrop
    fi

    # IPv6 range
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
      echo "Blocking $THIS_IP"
      $IP6TABLES -A funban -s $THIS_IP -j fundrop
    fi

    # IPv6
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}$ ]]; then
      echo "Blocking $THIS_IP"
      $IP6TABLES -A funban -s $THIS_IP -j fundrop
    fi
  done
}

function accept_ips() {
  for THIS_IP in $1; do
    # IPv4 range
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
      echo "Allowing $THIS_IP"
      errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo "  Added $THIS_IP"
        $IPTABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi

    # IPv4
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo "  Added $THIS_IP"
        $IPTABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi

    # IPv6 range
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
      errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo "  Added $THIS_IP"
        $IP6TABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi

    # IPv6
    if [[ $THIS_IP =~ ^[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}$ ]]; then
      errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo "  Added $THIS_IP"
        $IP6TABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi
  done
}

function get_ip4() {
  echo "$(dig ${1} A | grep -E '^[^;]' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')"
}

function get_ip6() {
  echo "$(dig ${1} AAAA | grep -E '^[^;]' | grep -o -E '[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}')"
}

errormessage=$(${IPTABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create funban (IPv4)"
  $IPTABLES -N funban
fi

errormessage=$(${IP6TABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create funban (IPv6)"
  $IP6TABLES -N funban
fi

errormessage=$(${IPTABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create fundrop (IPv4)"
  $IPTABLES -N fundrop
  $IPTABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  $IPTABLES -A fundrop -j DROP
fi

errormessage=$(${IP6TABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create fundrop (IPv6)"
  $IP6TABLES -N fundrop
  $IP6TABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  $IP6TABLES -A fundrop -j DROP
fi

errormessage=$(${IPTABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Filter IPv4"
  $IPTABLES -A INPUT -j funban
fi

errormessage=$(${IP6TABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Filter IPv6"
  $IP6TABLES -A INPUT -j funban
fi

# Flush funban chain
$IPTABLES -F funban
$IP6TABLES -F funban

# Block all Google-related IPs. The "AS15169" is taken from
# http://networktools.nl/asinfo/google.com
# Add these IPs to make google search to work (NOTE: This is not sufficient and blocks Google searches)
block_ips "$(whois -h whois.radb.net -- '-i origin AS15169' | grep -E '^route6?\:')"

while read domain; do
  echo "Whitelisting $domain"
  accept_ips $(get_ip4 $domain)
  accept_ips $(get_ip6 $domain)
done <whitelist.txt

我正在尝试找到另一种基于 iptables 的强大解决方案(例如,我的孩子足够聪明,可以绕过主机阻塞)。

我虽然关于 mDPI netfilter 但它似乎不再作为 Ubuntu 20.04 中的 iptables 模块提供。

$ iptables -mndpi –help
iptables v1.8.4 (legacy): Couldn't load match `ndip':No such file or directory

任何想法?

4

0 回答 0