Content filters

Posted on Wed 20 January 2010 in Technology • 3 min read

Over the last few weeks, I have been experimenting with various content filters. The experiment is mainly geared towards a crazy idea of mine - blocking a few URIs I tend to spend a lot of time on! Since the user we’re blocking has root access :), the more steps it takes to disable, the better it is!

I will put down a list of items I tried (in the order increasing complexity).

Firefox content blocker

Procon-latte absolutely rocks. Set the appropriate filters. And then set the password blindfolded (a blind password is not recommended, it will render Firefox useless). Pretty simple :)

The catch: Procon Latte actually blocks based on page text, so search engine results mentioning the blocked terms are blocked too. Also I use Opera as my primary browser, so we are sorta back to square one!

The hosts file

Fill in the black-listed URIs in /etc/hosts and redirect them to 127.0.0.1 (one entry per line; a leading # would turn the line into a comment). E.g.

127.0.0.1 foobar.com www.foobar.com

Make things a little tough for root to modify:

sudo chattr +i /etc/hosts

This command makes the file immutable at the file system level, so the hacker has to do a chattr -i before editing the hosts file.

Not good. I again broke this. Time for new approach.

Block at DNS

I do use a DNS cache on my localhost. I set it up to use OpenDNS, and then blocked the related URIs there. With this, a DNS query for a blocked URI returns the OpenDNS block-page IP, 208.67.219.130.

There is a problem: my ISP uses DHCP and it rewrites the nameservers on each connect. chattr blocks that modification. But /me does this:

dhcpcd -x                   # close any existing dhcp connection
chattr -i /etc/resolv.conf  # allow editing this file
dhcpcd                      # fetch me the old ip addr and update my nameservers in resolv.conf

OK, there is a dhcpcd.conf option to not modify /etc/resolv.conf. That’s still easy to undo.

WTF! It’s impossible. Thou art r00t.

The above step pretty much works; I just need to block the DNS changes. What the heck, time to figure out something in terms of those TCP/UDP/IP packets.

So DNS queries go out as UDP (and occasionally TCP) packets to port 53. Why not block them at my system itself, except to the resolvers I choose? Here are the iptables oneliners:

sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT   # reject all outgoing packets on port 53
sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT
# Allow outgoing connections to opendns nameservers only!
# (each -I OUTPUT 1 lands above the REJECT rules, so the ACCEPTs are matched first)
sudo iptables -I OUTPUT 1 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT

The options are pretty much self explanatory (-I insert, 1 at the first position, -p protocol, -d destination, --dport destination port, -j jump target). To verify that the rules work, run iptables -nvL; it shows the packet and byte counters per rule, so you can see how many DNS packets were rejected.
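The same policy as a script, added here as an example and not taken from the original post: the rules go into a dedicated chain in the order they should match (accepts first, rejects last), so the ordering no longer depends on reversing the -I inserts. It prints the commands rather than applying them; the chain name DNS_OUT and the use of iptables -C (a rule-exists check, assumed available) are my choices.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the iptables commands that
# allow DNS only to the resolvers given as arguments and reject every other
# outgoing port-53 packet. Review the output, then pipe it to `sudo sh` to apply.
# Assumptions: iptables/ip6tables with -C support; chain name DNS_OUT is ours.

dns_rules() {
    # $@ = allowed resolver IPv4 addresses, e.g. 208.67.222.222 208.67.220.220 127.0.0.1
    # Create the chain, or flush it if it already exists, so re-runs are idempotent.
    echo "iptables -N DNS_OUT 2>/dev/null || iptables -F DNS_OUT"
    for ip in "$@"; do
        for proto in udp tcp; do
            # Appended in order: accepts come first in the chain.
            echo "iptables -A DNS_OUT -p $proto -d $ip --dport 53 -j ACCEPT"
        done
    done
    # Rejects are appended last so they only catch what the accepts did not match.
    echo "iptables -A DNS_OUT -p udp --dport 53 -j REJECT"
    echo "iptables -A DNS_OUT -p tcp --dport 53 -j REJECT"
    # Hook the chain into OUTPUT once; -C avoids stacking duplicate jumps on re-runs.
    echo "iptables -C OUTPUT -j DNS_OUT 2>/dev/null || iptables -I OUTPUT 1 -j DNS_OUT"
    # The IPv4 rules say nothing about IPv6: a resolver reached over v6 would bypass
    # them, so reject v6 DNS entirely unless v6 resolvers are added explicitly.
    echo "ip6tables -C OUTPUT -p udp --dport 53 -j REJECT 2>/dev/null || ip6tables -I OUTPUT 1 -p udp --dport 53 -j REJECT"
    echo "ip6tables -C OUTPUT -p tcp --dport 53 -j REJECT 2>/dev/null || ip6tables -I OUTPUT 1 -p tcp --dport 53 -j REJECT"
}

# Usage (review first, then apply as root):
#   dns_rules 208.67.222.222 208.67.220.220 127.0.0.1
#   dns_rules 208.67.222.222 208.67.220.220 127.0.0.1 | sudo sh
# Afterwards `sudo iptables -nvL DNS_OUT` shows the per-rule counters.
```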

I will probably block opendns.org configuration too, or use the blindfold password trick with that!

More possibilities

I could’ve tried DansGuardian with Squid. But somehow it looked like an overuse of system resources to stop a single person, and gosh, I will still have access to sudo /etc/rc.d/dansguardian stop. Whatever!

Actually, it looks like Opera has a kiosk mode where you can specify a filter to block all websites. I use this for a simple adblock strategy. I also had thoughts around writing a script to fetch Shalla’s blacklists and append them to urlfilter.ini for Opera. The problem is that with a few thousand websites, it will definitely be a pain later for normal browsing.

That’s the current setup. Fighting with /me is fun ;)