Over the last few weeks, I have been experimenting with various content
filters. The experiment is mainly geared towards a crazy idea of mine:
blocking a few URIs I tend to spend a lot of time on! Since the user we're
blocking has root access :), the more steps it takes to disable, the
better!
I will put down a list of items I tried (in order of increasing
complexity).
### Firefox content blocker
[Procon-latte](https://addons.mozilla.org/en-US/firefox/addon/1803)
absolutely rocks. Set the appropriate filters, and then set the password
blind-folded (the **blind password** option is **not** recommended; it will render
Firefox useless). Pretty simple :)
Procon-latte actually blocks based on page text, so search engine results
get blocked too. Also, I use Opera as my primary browser, so we are
sorta back to square one!
### The hosts file
Fill in the blacklisted hostnames in /etc/hosts and point them at 127.0.0.1.
E.g.

```
127.0.0.1 foobar.com www.foobar.com
```

Make things a little tough for `root` to modify:

```sh
sudo chattr +i /etc/hosts
```

This sets the immutable attribute, which blocks modifications to the file at the file system level.
So the hacker has to do a `chattr -i` before editing the hosts file.
Not good. I again broke this. Time for a new approach.
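A small checker for the hosts-file approach, added here as an example and not part of the original post. It reads a hosts file the way the resolver does (anything after `#` is a comment, the first line listing a name wins, matching is exact with no wildcard for subdomains) and reports which names on a blocklist are not actually sunk to 127.0.0.1. The sample hosts content and the names in it are constructed.

```python
"""Check which blacklisted names /etc/hosts actually sinks to 127.0.0.1.

Added example, not code from the original post. The sample hosts file
below is constructed. It mimics how the "files" resolver reads the file:
anything after '#' is a comment, the first line listing the name wins,
and matching is exact (no wildcard for subdomains).
"""

# Constructed sample of an /etc/hosts file with a few pitfalls in it.
HOSTS_SAMPLE = """\
127.0.0.1   localhost
#127.0.0.1  foobar.com www.foobar.com        # commented out: blocks nothing
127.0.0.1   timesink.example www.timesink.example
192.0.2.10  other.example
127.0.0.1   other.example                    # too late: the line above wins
"""


def parse_hosts(text):
    """Return [(ip, [names...]), ...] in file order, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:                     # blank line or address with no names
            continue
        entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def lookup(entries, name):
    """First-match lookup, like the hosts lookup in the resolver."""
    name = name.lower().rstrip(".")
    for ip, names in entries:
        if name in names:
            return ip
    return None


def unblocked(text, blocklist, sink="127.0.0.1"):
    """Names in the blocklist that the hosts file does NOT send to the sink."""
    entries = parse_hosts(text)
    return [n for n in blocklist if lookup(entries, n) != sink]


if __name__ == "__main__":
    wanted = ["foobar.com", "www.timesink.example",
              "m.timesink.example", "other.example"]
    for name in unblocked(HOSTS_SAMPLE, wanted):
        print("not blocked:", name)
```

Run it against the real file with `unblocked(open("/etc/hosts").read(), names)`. The two cases it flags in the sample are exactly the ones that bite in practice: a line that got commented out, and a hostname that already has an earlier entry. It also shows why the hosts file is a weak fit for this job: `m.timesink.example` is not covered at all, since there is no wildcard matching, which is what pushes the setup towards DNS-level blocking.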
### Block at DNS
I do use a DNS cache on my localhost. I set it up to use OpenDNS, and
then block the related URIs there. With this, a DNS query for a blocked name returns
the OpenDNS block-page IP `208.67.219.130`.
There is a problem: my ISP uses DHCP and it rewrites the nameservers on
each connect. The `chattr` trick blocks that modification. But /me does this:

```sh
dhcpcd -x                    # close any existing dhcp connection
chattr -i /etc/resolv.conf   # allow editing this file
dhcpcd                       # fetch the old ip addr again and update the nameservers in resolv.conf
```

OK, there is the `dhcpcd.conf` option to not modify `/etc/resolv.conf`.
That's still easy to get around.
### WTF! It's impossible. Thou art r00t.
The above step pretty much works, except that I need to block the DNS
changes. What the heck, time to figure out something in terms of those
TCP/UDP/IP packets.
So all DNS queries go out as UDP packets to port 53. Why not block them on
my system itself? Here are the iptables one-liners:

```sh
sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT   # reject all outgoing packets on port 53
sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT
# Allow outgoing connections to opendns nameservers only!
sudo iptables -I OUTPUT 1 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT
```

The options are pretty much self explanatory (`-I` insert, `1` at the first
position, `-p` protocol, `-d` destination, `-j` jump target). Since every rule
is inserted at position 1, the ACCEPT rules added last end up above the REJECT
rules, which is what makes the chain work. To verify that the rules work, try
`iptables -nvL`; it shows per-rule packet and byte counters, so you can see how
many packets each rule has rejected.
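A way to check that the chain really enforces "DNS only to the approved resolvers", added as an example and not code from the original post. It parses the rule dump that `iptables -S OUTPUT` prints, replays packets through it with netfilter's first-match semantics, and reports leaks or blocked resolvers. Both dumps below are constructed (not captured from a real host); the first is what the eight `-I OUTPUT 1` commands above produce, the second is what you get if the same commands are run with `-A` instead, which puts the REJECTs on top and kills all DNS. The probe addresses `8.8.8.8` and `192.0.2.53` are arbitrary non-approved destinations.

```python
"""Audit an iptables OUTPUT chain for "DNS only to approved resolvers".

Added example, not code from the original post. Parses `iptables -S OUTPUT`
style rule dumps and replays packets with first-match semantics. Both
dumps below are constructed; the resolver list is the one the post uses.
"""
import ipaddress
import shlex

ALLOWED_RESOLVERS = ("208.67.222.222", "208.67.220.220", "127.0.0.1")

# Constructed: `iptables -S OUTPUT` after the post's eight `-I OUTPUT 1`
# commands. Inserting at position 1 each time reverses their order, so the
# ACCEPTs issued last sit on top of the REJECTs.
INSERTED_DUMP = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed: the same commands run with `-A` (append) instead of `-I ... 1`.
# The REJECTs now come first and shadow every ACCEPT, so all DNS is dead.
APPENDED_DUMP = """\
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 208.67.222.222/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
"""

# Flags that take exactly one argument in `iptables -S` output.
ONE_ARG = {"-p", "-d", "-s", "-o", "-i", "-m", "--dport", "--sport", "-j", "--reject-with"}


def parse_dump(text):
    """Return (chain_policy, rules); each rule keeps only the matches we audit."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":              # "-P OUTPUT ACCEPT": the default verdict
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule = {"proto": None, "dst": None, "dport": None, "target": None}
        i = 2                           # skip "-A OUTPUT"
        while i < len(tok):
            flag = tok[i]
            arg = tok[i + 1] if flag in ONE_ARG and i + 1 < len(tok) else None
            if flag == "-p":
                rule["proto"] = arg
            elif flag == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif flag == "--dport":
                rule["dport"] = int(arg)
            elif flag == "-j":
                rule["target"] = arg
            i += 2 if flag in ONE_ARG else 1   # other matches are not modelled
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, proto, dst, dport):
    """Replay one packet: the first rule whose matches all hold decides."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dst"] is not None and addr not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy                       # nothing matched: chain policy applies


def check_dns_policy(dump, allowed=ALLOWED_RESOLVERS, probes=("8.8.8.8", "192.0.2.53")):
    """Return a list of problems; an empty list means the chain enforces the policy."""
    policy, rules = parse_dump(dump)
    problems = []
    for proto in ("udp", "tcp"):
        for ip in allowed:
            if verdict(policy, rules, proto, ip, 53) != "ACCEPT":
                problems.append(f"{proto} to approved resolver {ip}:53 is blocked")
        for ip in probes:
            if verdict(policy, rules, proto, ip, 53) not in ("REJECT", "DROP"):
                problems.append(f"{proto} to {ip}:53 leaks past the block")
    return problems


if __name__ == "__main__":
    for label, dump in (("inserted at 1", INSERTED_DUMP), ("appended", APPENDED_DUMP)):
        print(label, "->", check_dns_policy(dump) or "OK")
```

On a live box, feed it the real chain with `check_dns_policy(subprocess.check_output(["iptables", "-S", "OUTPUT"], text=True))`. The parser only models `-p`, `-d`, `--dport` and `-j`, so a rule carrying other matches (`-o`, `-s`, connection state) is treated as if those matches always hold; read the result as a sanity check on ordering, not a full proof of the ruleset.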
I will probably block the opendns.org configuration pages too, or use the
blindfold password trick there!
### More possibilities
I could've tried *dansguardian* with *squid*. But somehow, it looked
like overkill in system resources to stop a single person, and gosh, I
will have access to `sudo /etc/rc.d/dansguardian stop`. Whatever!
Actually it looks like Opera has a [kiosk
mode](http://www.opera.com/support/mastering/kiosk/) where you can
specify a filter to block all websites. I use this for a simple adblock
strategy. I also had thoughts around writing a script to fetch
[Shalla's blacklists](http://www.shallalist.de/) and append them to
Opera's `urlfilter.ini`. The problem is that with a few thousand websites
it will definitely be a *pain* later for normal browsing.
That's the current setup. Fighting with */me* is fun ;)