Over the last few weeks, I have been experimenting with various content filters. The experiment is mainly geared towards a crazy idea of mine - blocking a few URIs I tend to spend lot of time on! Since the user we’re blocking has root access :), the more number of steps it takes to disable, the better it is!I will put down a list of items I tried (in the order increasing complexity).
Firefox content blockerProcon-latte absolutely rocks. Set the appropriate filters. And then set the password blind-folded(blind password is not recommended, it will render firefox useless). Pretty simple :) So procon latte actually blocks based on text, so search engine results are also blocked. Also I use Opera as my primary browser, so we are sorta back to square one!
The hosts fileFill in the black list URIs in /etc/hosts, redirect them to 127.0.0.1. E.g. #
rootto modify: sudo chattr +i /etc/hosts This command will block modifications to the file at file system level. So the hacker has to do a
chattr -ibefore editing the hosts file. Not good. I again broke this. Time for new approach.
Block at DNSI do use a dns cache on my localhost. I set it up to use opendns, and then block the related URIs. In this a dns query for the URI will return the opendns bad URI ip
18.104.22.168. There is a problem, my ISP uses dhcp and it updates the nameservers for each connect. The
chattrblocks that modification. But /me does this: dhcpcd -x # close any existing dhcp connectionchattr -i /etc/resolv.conf # allow editing this filedhcpcd # fetch me the old ip addr and updates my nameservers in resolv.conf OK there is the
dhcpcd.confoption to not modify
/etc/resolv.conf. That’s still easy.
WTF! It’s impossible. Thou art r00t.The above step pretty much works, just that I need to block the dns changes. What the heck, time to figure out something in terms of those TCP/UDP/IP packets. So all dns queries go as UDP packets with port 53. Why not block them at my system itself? Here are the iptables oneliners: sudo iptables -I OUTPUT 1 -p udp —dport 53 -j REJECT # reject all outgoing packets on port 53sudo iptables -I OUTPUT 1 -p tcp —dport 53 -j REJECT# Allow outgoing connections to opendns nameservers only!sudo iptables -I OUTPUT 1 -p udp -d 22.214.171.124 —dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 126.96.36.199 —dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p udp -d 188.8.131.52 —dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 184.108.40.206 —dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 —dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 —dport 53 -j ACCEPT The options are pretty much self explanatory (-I insert, 1 to the first position, -p packet type, -d destination, -j jump target). To verify if the rules work, try
iptables -nvL, it will show you how many packets are dropped. I will probably block opendns.org configuration too, or use the blindfold password trick with that!
More possibilitiesI could’ve tried dansguardian with squid. But somehow, it looked like an overuse of system resources to stop a single person, and gosh I will have access to
sudo /etc/rc.d/dansguardian stop. Whatever! Actually it looks like Opera has a kiosk mode where you can specify a filter to block all websites. I use this for a simple adblock strategy. I also had thoughts around writing a script to fetch the Shalla’s blacklists and append them to
urlfilter.inifor opera. The problem is with a few thousand websites, it will be definitely a pain later for normal browsing. That’s the current setup. Fighting with /me is fun ;)