Over the last few weeks, I have been experimenting with various content
filters. The experiment is mainly geared towards a crazy idea of mine -
blocking a few URIs I tend to spend a lot of time on! Since the user we’re
blocking has root access :), the more steps it takes to disable, the
better it is!
I will put down a list of items I tried (in the order increasing
### Firefox content blocker
absolutely rocks. Set the appropriate filters. And then set the password
blind-folded (**blind password** is **not** recommended, it will render
firefox useless). Pretty simple :)
So procon latte actually blocks based on text, so search engine results
are also blocked. Also I use Opera as my primary browser, so we are
sorta back to square one!
### The hosts file
Fill in the black list URIs in /etc/hosts, redirecting them to 127.0.0.1:

```
127.0.0.1 foobar.com www.foobar.com
```
Make things a little tougher for `root` to modify:

```
sudo chattr +i /etc/hosts
```
This command blocks modifications to the file at the file system level.
So the hacker has to do a `chattr -i` before editing the hosts file.
Not good. I again broke this. Time for a new approach.
### Block at DNS
I do use a dns cache on my localhost. I set it up to use opendns, and
then block the related URIs. With this, a dns query for a blocked URI
returns the opendns bad URI ip `188.8.131.52`.
There is a problem, my ISP uses dhcp and it updates the nameservers on
each connect. The `chattr` blocks that modification. But /me does this:

```
dhcpcd -x                  # close any existing dhcp connection
chattr -i /etc/resolv.conf # allow editing this file
dhcpcd                     # fetch me the old ip addr and update my nameservers in resolv.conf
```
OK there is the `dhcpcd.conf` option to not modify `/etc/resolv.conf`.
That's still easy.
### WTF! It's impossible. Thou art r00t.
The above step pretty much works, just that I need to block the dns
changes. What the heck, time to figure out something in terms of those
So all dns queries go out as UDP packets to port 53. Why not block them on
my system itself? Here are the iptables oneliners:

```
# Each `-I OUTPUT 1` inserts at the top, pushing earlier rules down,
# so the REJECTs inserted first end up *below* the ACCEPTs.
sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT # reject all outgoing packets on port 53
sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT
# Allow outgoing connections to opendns nameservers only!
sudo iptables -I OUTPUT 1 -p udp -d 184.108.40.206 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 220.127.116.11 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 18.104.22.168 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 22.214.171.124 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
sudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT
```
The options are pretty much self explanatory (-I insert, 1 for the first
position, -p protocol, -d destination, -j jump target). To verify that
the rules work, try `iptables -nvL`, it will show you how many packets
I will probably block opendns.org configuration too, or use the
blindfold password trick with that!
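Because every rule above is inserted at position 1, the final chain order is what decides whether DNS is locked down or completely broken. Here is an added example (not from the original post) that parses `iptables -S OUTPUT` style output, walks the chain first-match-wins the way the kernel does, and checks that only the allowed resolvers get through on port 53. The sample rule dump is constructed to mirror the post's commands, using the post's own addresses.

```python
import ipaddress
import re

# Constructed sample: what `iptables -S OUTPUT` might print after the post's
# eight `-I OUTPUT 1` commands (ACCEPTs above REJECTs, chain policy ACCEPT).
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 22.214.171.124/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 18.104.22.168/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 220.127.116.11/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 184.108.40.206/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
"""

# Matches the simple dport rules used here; `-d` is optional (the REJECTs have none).
RULE_RE = re.compile(
    r"^-A OUTPUT(?: -d (?P<dst>\S+))? -p (?P<proto>\w+) -m \w+"
    r" --dport (?P<port>\d+) -j (?P<target>\w+)"
)

def parse_rules(text):
    """Return (chain policy, [(dst_net or None, proto, dport, target), ...]) in chain order."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith("-P OUTPUT "):
            policy = line.split()[2]
            continue
        m = RULE_RE.match(line)
        if m:
            dst = ipaddress.ip_network(m["dst"]) if m["dst"] else None
            rules.append((dst, m["proto"], int(m["port"]), m["target"]))
    return policy, rules

def verdict(policy, rules, dst, proto, dport):
    """First matching rule wins, like a real chain walk; fall back to the chain policy."""
    addr = ipaddress.ip_address(dst)
    for net, p, port, target in rules:
        if p == proto and port == dport and (net is None or addr in net):
            return target
    return policy

def dns_egress_locked(policy, rules, allowed):
    """True iff each allowed (ip, proto) pair reaches port 53 and any other resolver is rejected."""
    if any(verdict(policy, rules, ip, proto, 53) != "ACCEPT" for ip, proto in allowed):
        return False
    # 192.0.2.1 is a TEST-NET address standing in for "some other resolver".
    return all(verdict(policy, rules, "192.0.2.1", proto, 53) == "REJECT" for proto in ("udp", "tcp"))
```

Feeding it the real `iptables -S OUTPUT` output instead of the sample gives a quick check after every rule change; flipping the order (REJECTs above ACCEPTs) makes the check fail, which is exactly the case that silently breaks all name resolution.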
### More possibilities
I could've tried *dansguardian* with *squid*. But somehow, it looked
like an overuse of system resources to stop a single person, and gosh, I
will still have access to `sudo /etc/rc.d/dansguardian stop`. Whatever!
Actually it looks like Opera has a [kiosk
mode](http://www.opera.com/support/mastering/kiosk/) where you can
specify a filter to block all websites. I use this for a simple adblock
strategy. I also had thoughts around writing a script to fetch the
[Shalla's blacklists](http://www.shallalist.de/) and append them to
`urlfilter.ini` for opera. The problem is that with a few thousand websites,
it will definitely be a *pain* later for normal browsing.
That's the current setup. Fighting with */me* is fun ;)