Content filters
Posted on Wed 20 January 2010 in Technology • 3 min read
Over the last few weeks, I have been experimenting with various content filters. The experiment is mainly geared towards a crazy idea of mine: blocking a few URIs I tend to spend a lot of time on! Since the user we’re blocking has root access :), the more steps it takes to disable, the better it is!
I will put down a list of the items I tried (in order of increasing complexity).

Firefox content blocker
Procon-latte absolutely rocks. Set the appropriate filters, and then set the password blindfolded (a blind password is not recommended; it will render Firefox useless). Pretty simple :) The catch is that Procon-latte actually blocks based on text, so search engine results are also blocked. Also, I use Opera as my primary browser, so we are sorta back to square one!

The hosts file
Fill in the blacklisted URIs in /etc/hosts and redirect them to 127.0.0.1. Then make the file immutable, e.g.:

sudo chattr +i /etc/hosts # root to modify

This command blocks modifications to the file at the file system level, so the hacker has to do a chattr -i before editing the hosts file. Not good. I broke this one again. Time for a new approach.
Block at DNS
I do use a DNS cache on my localhost. I set it up to use OpenDNS, and then blocked the related URIs there. With this, a DNS query for a blocked URI returns the OpenDNS IP for blocked sites, 208.67.219.130.
There is a problem: my ISP uses DHCP, and it updates the nameservers on each connect. The chattr blocks that modification. But /me does this:

dhcpcd -x # close any existing dhcp connection
chattr -i /etc/resolv.conf # allow editing this file
dhcpcd # fetch me the old ip addr and update my nameservers in resolv.conf
OK, there is a dhcpcd.conf option to not modify /etc/resolv.conf. That’s still easy.
WTF! It’s impossible. Thou art r00t.
The above step pretty much works; I just need to block the DNS changes. What the heck, time to figure out something in terms of those TCP/UDP/IP packets. All DNS queries go out as UDP packets to port 53, so why not block them at my system itself? Here are the iptables one-liners:

sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT # reject all outgoing packets on port 53
sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT
# Allow outgoing connections to opendns nameservers only!
sudo iptables -I OUTPUT 1 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT

The options are pretty much self-explanatory (-I insert, 1 at the first position, -p protocol, -d destination, -j jump target). Since every command inserts at position 1, the ACCEPT rules, which are run last, end up above the two REJECT rules, and that ordering is what makes the allowed resolvers take precedence. To verify that the rules work, try iptables -nvL; it shows you how many packets each rule has matched, i.e. how many were rejected.
I will probably block the opendns.org configuration page too, or use the blindfold password trick with that!
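Because the whole scheme hinges on the ACCEPT rules sitting above the REJECTs, here is an added check (my own hypothetical helper, not part of the original post or of iptables) that reads an iptables -S OUTPUT listing and confirms the port-53 policy: a catch-all REJECT exists for udp and tcp, every port-53 ACCEPT goes to one of the resolvers listed above, and none of those ACCEPTs is shadowed by an earlier REJECT. The two listings inside it are constructed to look like -S output, not captured from a real machine.

```shell
# Checks an `iptables -S OUTPUT` listing for the DNS egress policy above:
#   1. a catch-all REJECT (or DROP) for udp and tcp dport 53 must exist,
#   2. every ACCEPT to dport 53 must go to an allowed resolver, and
#   3. each such ACCEPT must sit ABOVE the matching REJECT, because a rule
#      that lands after the REJECT is never reached. Hypothetical helper.
ALLOWED_RESOLVERS="208.67.222.222 208.67.220.220 127.0.0.1"
# check_dns_egress "<rules>" -> status 0 if the policy holds, 1 otherwise
check_dns_egress() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_RESOLVERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^-A OUTPUT / && /--dport 53/ {
            dst = ""; proto = ""; tgt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub("/32$", "", dst)            # -S prints single hosts as a.b.c.d/32
            if ((tgt == "REJECT" || tgt == "DROP") && dst == "") rej[proto] = 1
            else if (tgt == "ACCEPT") {
                if (!(dst in ok)) { bad++; print "resolver not allowed: " dst > "/dev/stderr" }
                else if (proto in rej) { bad++; print "ACCEPT " proto " " dst " shadowed by REJECT" > "/dev/stderr" }
            }
        }
        END {
            if (!("udp" in rej) || !("tcp" in rej)) { bad++; print "missing catch-all port-53 REJECT" > "/dev/stderr" }
            exit (bad ? 1 : 0)
        }'
}
# Constructed listing: the eight `-I OUTPUT 1` commands from the post as
# `iptables -S OUTPUT` shows them (last inserted first, ACCEPTs above REJECTs).
GOOD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable'
# Constructed listing of the same idea added with -A instead of -I 1: the
# REJECTs land first, so the OpenDNS ACCEPT below them never matches.
SHADOWED_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with tcp-reset
-A OUTPUT -d 208.67.222.222/32 -p udp -m udp --dport 53 -j ACCEPT'
if check_dns_egress "$GOOD_RULES"; then echo "good listing: policy holds"; fi
if ! check_dns_egress "$SHADOWED_RULES" 2>/dev/null; then echo "shadowed listing: rejected"; fi
```

On a live box, feed it the real listing with `check_dns_egress "$(sudo iptables -S OUTPUT)"`; a non-zero status plus the message on stderr tells you which rule is wrong.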
More possibilities
I could’ve tried DansGuardian with Squid. But somehow it looked like an overuse of system resources to stop a single person, and gosh, I will still have access to sudo /etc/rc.d/dansguardian stop. Whatever!
Actually, it looks like Opera has a kiosk mode where you can specify a filter to block all websites. I use this for a simple adblock strategy. I also had thoughts about writing a script to fetch Shalla’s blacklists and append them to urlfilter.ini for Opera. The problem is that with a few thousand websites, it will definitely be a pain later for normal browsing.
That’s the current setup. Fighting with /me is fun ;)