how to setup a router to route everything through a content filter that does whitelisting

Consider a router with adsl connection to internet, 3 ethernet ports (eth1 to eth3) and wifi.

Consider there is a linux machine connected to eth1 on the router that is to do content filtering (whitelisting: allow only specific ips or ip/tcp combinations or urls (the whitelist) and block everything else), but never itself connects to the internet. Can this machine be permanently prevented from accessing the adsl internet connection? How?

Consider there may be two other machines on eth2 and eth3 and probably many more through wifi.

Can the router be set up to relay all the traffic (raw physical layer packets) from eth2, eth3, and all wifi connected nodes to eth1, so that eth1 forwards the allowed packets back to the router and drops the rest? The router would use the adsl (or eth2, eth3, wifi) for all packets coming from eth1. A similar setup must exist for all packets coming from adsl to eth2, eth3 and wifi (packets from adsl to eth2, eth3 and wifi must first be sent to eth1 and then to the respective devices). How?


Normally, a content filter is set up as a proxy server, which means it makes connections to the internet on behalf of the clients. In this configuration, it wouldn't be sensible to block its access to the internet, or it couldn't function. If instead you are filtering on the fly, more like a firewall, then you can add rules that drop packets originating from the content filter. Most domestic and all commercial routers will let you drop packets with a specific IP as source.

If the router in question is a domestic router, then eth1 – eth3 and wifi are all bridged together. That is, they form the same layer 2 network and there isn’t a way normally to treat them as individual ports and apply routing decisions individually.

In this case, you would need to make the default gateway of the network be the content filter. This will push all traffic from any device connected to the router to the content filter. You cannot normally do this with a domestic router, but you can disable the DHCP service on the router, and set one up on your content filter.

Then the content filter default gateway would be the router. Note that packets would be coming in and out of the same interface of the content filter, but this should not be an issue. If this is a linux box, make sure that /etc/sysctl.conf contains:

net.ipv4.conf.all.send_redirects = 0

This stops the content filter from sending ICMP redirects telling the router to connect directly to local IP addresses when packets arriving on its interface are destined for other IP addresses on the same network, as they will be in your case.

The last part is to make sure that all incoming traffic will go to the content filter. Most domestic routers will let you add static routes. If you add a static route for your entire internal network range – for example to go to the IP address of your content filter, this will override the router's natural tendency to send packets for devices on a network it is attached to directly to those devices. Instead, anything incoming will go to the content filter.
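As an added illustration (not part of the question or answer above), the following Python script turns a whitelist of IPs and ip/tcp combinations into an nftables ruleset for the Linux content filter described here, and mirrors the forward decision so the policy can be checked offline. The LAN range, the whitelist entries and the table name are assumptions; URL whitelisting cannot be expressed in packet rules and would need the proxy approach mentioned at the start of the answer.

```python
import ipaddress
from typing import List, Tuple, Union

# Constructed addresses for the example (assumptions, not values from the original post)
LAN = ipaddress.ip_network("192.168.1.0/24")   # the router's bridged LAN (eth1-eth3 plus wifi)

# Whitelist entries: a bare network allows all traffic to it; (network, "tcp", port) allows one service.
Rule = Union[ipaddress.IPv4Network, Tuple[ipaddress.IPv4Network, str, int]]
WHITELIST: List[Rule] = [
    ipaddress.ip_network("203.0.113.10/32"),                # example host, any protocol
    (ipaddress.ip_network("198.51.100.0/24"), "tcp", 443),  # example range, HTTPS only
]

def is_forward_allowed(src: str, dst: str, proto: str = "", dport: int = 0) -> bool:
    """Decide a new LAN->internet flow the way the generated forward chain would."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in LAN:                 # only the router's clients are forwarded; replies rely on conntrack
        return False
    for rule in WHITELIST:
        if isinstance(rule, ipaddress.IPv4Network):
            if d in rule:
                return True
        elif d in rule[0] and proto == rule[1] and dport == rule[2]:
            return True
    return False                     # falls through to the chain's policy drop

def nft_ruleset() -> str:
    """Emit an nftables ruleset implementing the whitelist; load it with `nft -f` on the filter box."""
    out = ["table inet filter {",
           "    chain forward {",
           "        type filter hook forward priority 0; policy drop;",
           "        ct state established,related accept   # replies arriving via the router's static route"]
    for rule in WHITELIST:
        if isinstance(rule, ipaddress.IPv4Network):
            out.append(f"        ip saddr {LAN} ip daddr {rule} accept")
        else:
            out.append(f"        ip saddr {LAN} ip daddr {rule[0]} {rule[1]} dport {rule[2]} accept")
    out += ["    }",
            "    chain output {",
            "        type filter hook output priority 0; policy accept;",
            "        udp sport 67 accept   # DHCP offers to clients that ask for broadcast replies",
            f"        ip daddr != {LAN} drop   # the filter box itself never reaches the internet",
            "    }",
            "}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(nft_ruleset())   # pair with net.ipv4.ip_forward=1 and the send_redirects=0 sysctl above
```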
