Content filters
Over the last few weeks, I have been experimenting with various content filters. The experiment is mainly geared towards a crazy idea of mine: blocking a few URIs I tend to spend a lot of time on! Since the user we're blocking has root access, the more steps it takes to disable the block, the better it is!
I will put down a list of the items I tried (in order of increasing complexity).
Firefox content blocker
Procon-latte absolutely rocks. Set the appropriate filters, and then set the password blindfolded (a blind password is not recommended; it will render Firefox useless). Pretty simple:
- Close your eyes and type a few random keys into the Firefox search bar, ctrl+a (select all), ctrl+x (cut).
- Paste the cut text into the Procon Latte password field twice.
- You're done. Firefox is blocked. Beware: this will make your Firefox unusable, and you won't be able to modify any Procon settings later.
Procon Latte actually blocks based on page text, so search engine results are blocked as well. Also, I use Opera as my primary browser, so we are sort of back to square one!
I will repeat: a blind password is not recommended. Do it only if you know what you are doing.
The hosts file
Fill in the blacklisted URIs in /etc/hosts and redirect them to 127.0.0.1. E.g.
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 foobar.com www.foobar.com
Make things a little tough for root to modify:
sudo chattr +i /etc/hosts
This command blocks modifications to the file at the filesystem level, so the hacker has to run chattr -i before editing the hosts file.
Not good. I broke this one again. Time for a new approach.
Block at DNS
I do use a DNS cache on my localhost. I set it up to use OpenDNS, and then block the related URIs. With this, a DNS query for a blocked URI returns the OpenDNS bad-URI IP, 208.67.219.130.
There is a problem: my ISP uses DHCP and it updates the nameservers on each connect. The chattr blocks that modification. But /me does this:
dhcpcd -x # close any existing dhcp connection
chattr -i /etc/resolv.conf # allow editing this file
dhcpcd # fetch me the old ip addr and updates my nameservers in resolv.conf
OK, there is a dhcpcd.conf option to not modify /etc/resolv.conf. That's still easy to get around.
WTF! It’s impossible. Thou art r00t.
The above step pretty much works; I just need to block the DNS changes. What the heck, time to figure out something in terms of those TCP/UDP/IP packets.
So all DNS queries go out as UDP packets to port 53. Why not block them at my system itself? Here are the iptables one-liners:
sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT # reject all outgoing packets on port 53
sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT
# Allow outgoing connections to opendns nameservers only
sudo iptables -I OUTPUT 1 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT
The options are pretty much self-explanatory (-I insert, 1 for the first position, -p protocol, -d destination, -j jump target). Because every rule is inserted at position 1, the ACCEPT rules added last end up above the REJECT rules, which is the order that makes this work. To verify that the rules work, try iptables -nvL; the packet counters on the REJECT rules show how many queries were blocked.
I will probably block opendns.org configuration too, or use the blindfold password trick with that!
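A small audit script, added here and not part of the original post, that checks the two configuration files this setup relies on: every blocklisted name in the hosts file points at 127.0.0.1, and resolv.conf lists only the resolvers the iptables rules above permit. The blocklist, the sample file contents and the function names are constructed for the example; point it at the real files by replacing the samples.

```python
import ipaddress

# Resolvers the iptables rules above allow: OpenDNS and the local cache.
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220", "127.0.0.1"}

# Constructed sample file contents (swap in open("/etc/hosts").read() etc.).
SAMPLE_HOSTS = """\
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost
127.0.0.1 foobar.com www.foobar.com   # blocked on purpose
"""
SAMPLE_RESOLV = """\
# Generated by dhcpcd
nameserver 127.0.0.1
nameserver 192.0.2.1
"""
BLOCKLIST = ["foobar.com", "www.foobar.com", "example.net"]


def parse_hosts(text):
    """Map each hostname in hosts-file text to its address, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip trailing comments
        if len(fields) >= 2:
            for name in fields[1:]:
                mapping[name.lower()] = fields[0]
    return mapping


def unblocked_hosts(hosts_text, blocklist):
    """Blocklisted names that do not resolve to 127.0.0.1 via the hosts file."""
    mapping = parse_hosts(hosts_text)
    return sorted(h for h in blocklist if mapping.get(h.lower()) != "127.0.0.1")


def rogue_nameservers(resolv_text, allowed=ALLOWED_RESOLVERS):
    """Nameserver entries in resolv.conf text that the firewall would not allow."""
    rogue = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                addr = str(ipaddress.ip_address(fields[1]))  # normalise form
            except ValueError:
                addr = fields[1]  # keep malformed entries visible in the report
            if addr not in allowed:
                rogue.append(addr)
    return rogue
```

Run it from cron or a shell alias and any non-empty result from either function means the setup has been tampered with (by /me or otherwise).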
More possibilities
I could have tried DansGuardian with Squid. But somehow it looked like an overuse of system resources to stop a single person, and gosh, I will still have access to sudo /etc/rc.d/dansguardian stop. Whatever!
Actually, it looks like Opera has a kiosk mode where you can specify a filter to block all websites. I use this for a simple adblock strategy. I also had thoughts about writing a script to fetch Shalla's blacklists and append them to urlfilter.ini for Opera. The problem is that with a few thousand websites, it will definitely be a pain later for normal browsing.
That's the current setup. Fighting with /me is fun.