We have a router with opkg and Tor running, so TCP traffic, for example to rutracker, can be redirected into Tor:

 iptables -t nat -A PREROUTING -i br0 -p tcp -d rutracker.org -j REDIRECT --to-ports 9040 

Question: how, with minimal effort, can I parse the entire list of blocked sites and add rules to iptables on the router?

P.S. ipset is somehow stripped down; nothing came of it.

  • Have you seen the registry of blocked sites? At the moment there are 13612 domains with 17955 unique IP addresses listed. You need to build at least a three-tier system of ordinary rules so that the router does not choke. It is highly undesirable to have more than 500 entries in one iptables chain. That is exactly where ipset rocks. And by the way, you can't just put a domain name in an iptables rule: it really adds the rule for only 1 IP address, while there are several of them and they change often (sometimes several times a day!!!) - Mike
  • @Mike then what about ipset? It is very heavily cut down. The router shouldn't choke: two ARM cores, after all. P.S. Cut down so much that it doesn't understand "restore" - Vasiliy
  • An eight-core i7 chokes on a 100-200 Mbit stream if there are more than 1000 rules in the chain. In Linux, iptables processing of packets from one network card runs on only one core. So: 1. take a plain list of IPs from the registry. 2. If the provider blocks not only the list but also by name, resolve the domain names and add them to the list. 3. From the list, build a branching system of rules, e.g. all IPs in 1.0.0.0/8 are sent to chain 1; there we carve a smaller subnet 1.1.0.0/16 out into chain 1-1; if it has few IPs we write them directly, if many, split into smaller subnets - Mike
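Mike's three steps (take the IPs, resolve the names, build a tiered chain system), as an added example that is not from anyone in this thread: a Python generator that turns registry lines into an iptables-restore nat ruleset, splitting chains by /8, /16 and /24 until no chain holds more than 500 entries. The chain names, the 500-entry limit taken from Mike's comment, the constructed sample registry and the offline resolver stub are assumptions.

```python
import ipaddress
from collections import defaultdict

MAX_PER_CHAIN = 500                 # Mike's rule of thumb: at most 500 entries per chain
LAN_IFACE, TOR_PORT = "br0", 9040   # LAN interface and Tor TransPort from the question

def collect_ips(entries, resolve):
    """Registry lines (IPv4 literals or domains) -> sorted IPv4Address list."""
    ips = set()
    for entry in (e.strip() for e in entries if e.strip()):
        try:
            ips.add(ipaddress.IPv4Address(entry))
        except ValueError:                      # not an IP literal: resolve it as a domain
            try:                                # `resolve` has socket.gethostbyname_ex's shape
                ips.update(ipaddress.IPv4Address(a) for a in resolve(entry)[2])
            except (OSError, ValueError):       # dead domain: skip it, keep the run going
                pass
    return sorted(ips)

def build_chains(ips, limit=MAX_PER_CHAIN, name="TOR_ROOT", prefix=8, chains=None):
    """Return {chain: [rules]} with TOR_ROOT first. A chain that would hold more than
    `limit` addresses is split by /prefix subnets into sub-chains (/8 -> /16 -> /24)."""
    chains = {} if chains is None else chains
    if len(ips) <= limit or prefix > 24:        # leaf chain: one REDIRECT per address
        chains[name] = [f"-A {name} -d {ip}/32 -p tcp -j REDIRECT --to-ports {TOR_PORT}"
                        for ip in ips]
        return chains
    groups = defaultdict(list)
    for ip in ips:
        groups[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    chains[name] = []
    for net in sorted(groups):                  # one jump per populated subnet
        sub = "TOR_" + str(net.network_address).replace(".", "_") + f"_{prefix}"
        chains[name].append(f"-A {name} -d {net} -j {sub}")
        build_chains(groups[net], limit, sub, prefix + 8, chains)
    return chains

def to_restore(chains):
    """Render the chains as iptables-restore input for the nat table."""
    head = ["*nat"] + [f":{c} - [0:0]" for c in chains]
    body = [f"-A PREROUTING -i {LAN_IFACE} -p tcp -j TOR_ROOT"]
    body += [rule for rules in chains.values() for rule in rules]
    return "\n".join(head + body + ["COMMIT"]) + "\n"

# Constructed sample registry and DNS stub (not real data) so this runs offline.
SAMPLE_REGISTRY = ["rutracker.org", "10.1.2.3", "10.1.2.4", "10.2.0.1", "11.0.0.1", "", "dead.example"]
def fake_resolve(name):                         # stands in for socket.gethostbyname_ex
    if name != "rutracker.org":
        raise OSError(f"cannot resolve {name}")
    return name, [], ["10.1.2.5", "10.1.2.6"]
```

On a real registry dump pass `socket.gethostbyname_ex` as `resolve` and load the output on the router with `iptables-restore --noflush` so the existing nat rules are kept. Since the addresses change as often as Mike describes, regenerate and reload on a schedule rather than once.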
