Thursday, 18 August 2011

Algo Hex Iptables. wicked :D

Filtering Gmail/Facebook/Twitter with IPtables

In most cases port-based filtering is an all-or-nothing approach. For example, if you want to block a user from accessing a certain website, blocking that user's outbound access to ports 80/443 will stop them from reaching every website, not just that one. If you want to get more granular, you need some sort of web content filtering system.

The good news is that if you are still using iptables you can now filter traffic destined to sites such as Facebook, Twitter, Gmail, etc. You accomplish this by using iptables to drop packets that contain a given hex string appearing in the initial TLS handshake (the server's X.509 certificate). I first saw this technique discussed in a Full-Disclosure posting and figured it was worth trying out.

The tools of choice here are ngrep (Network Grep) and iptables.

Step one: Capture the X.509 certificate

You will be doing this by using ngrep:

[infolookup@Test ~]# ngrep -d eth2 -q -x 'Twitter'
interface: eth2 (10.100.0.0/255.255.255.128)
match: Twitter

You will then notice the following output in your terminal:

T 199.59.148.11:443 -> 10.100.0.119:38414 [A]

  30 30 31 16 30 14 06 03 55 04 0a 14 0d 54 77 69 001.0…U….Twi
  74 74 65 72 2c 20 49 6e 63 2e 31 1c 30 1a 06 03 tter, Inc.1.0…
  55 04 0b 14 13 54 77 69 74 74 65 72 20 20 4f 70 U….Twitter Op

Step two: Create your iptables rule

You will be building your rule based on the hex string obtained above.

Prior to applying the rule I was able to run the following command and get a normal HTTP redirect back:

[infolookup@Test]$ curl --connect-timeout 60 https://www.twitter.com/

301 Moved Permanently
Moved Permanently
The document has moved here.

iptables rules to use:
http://pastebin.com/1HQD017A

sudo iptables -I INPUT -m string --algo bm --hex-string '|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|' -j DROP

sudo iptables -I INPUT -m string --algo bm --hex-string '|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|' -j LOG

The first rule drops the connection to Twitter and the second rule logs the match (since -I inserts at the top of the chain, the LOG rule added second ends up above the DROP rule, so matching packets are logged before being dropped). If you take a look at /var/log/messages you will see the following entry over and over:

Apr 7 00:05:11 Test kernel: [870656.036848] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58494 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

Apr 7 00:05:19 Test kernel: [870664.675930] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58496 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

If you try to access www.twitter.com you will still get to the site over plain HTTP, but when you try to log in the session will just sit there and time out, because the packet carrying the server certificate never reaches the client:

[infolookup@Test]$ curl --connect-timeout 60 https://www.twitter.com/
curl: (35) SSL connect error

Note:

I was unable to use the above iptables rule on an Ubuntu based system, but it worked fine on my Fedora 14 test box. Another thing to look out for: if you use too short a hex string you will get an error; the one I used was about 85 characters, give or take.
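As an added example (not code from the post or from ngrep/iptables), the Python below parses the ngrep dump shown above, rebuilds the DER-encoded organizationName attribute of the certificate (`30 14 06 03 55 04 0a 14 0d` followed by "Twitter, Inc.") so the rule is anchored on a complete certificate field rather than an arbitrary byte window, and emits the DROP/LOG pair in the order the post runs them. The `-p tcp --sport 443` narrowing, the 128-byte pattern cap of the kernel's xt_string match and the `--log-prefix` are my additions, not part of the post's rule.

```python
import re

XT_STRING_MAX_PATTERN = 128  # byte limit of the kernel's xt_string pattern (my addition)

# Constructed sample input: the three `ngrep -x` lines shown in the post.
SAMPLE_DUMP = """
30 30 31 16 30 14 06 03 55 04 0a 14 0d 54 77 69 001.0...U....Twi
74 74 65 72 2c 20 49 6e 63 2e 31 1c 30 1a 06 03 tter, Inc.1.0...
55 04 0b 14 13 54 77 69 74 74 65 72 20 20 4f 70 U....Twitter Op
"""

def parse_ngrep_dump(dump: str) -> bytes:
    """Rebuild the bytes from ngrep hex lines (up to 16 byte pairs, then an ASCII column)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"\s*((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})", line)
        if m:
            out.extend(int(p, 16) for p in m.group(1).split())
    return bytes(out)

def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER, e.g. 2.5.4.10 (organizationName) -> 06 03 55 04 0a."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return b"\x06" + bytes([len(body)]) + bytes(body)

def der_attribute(oid: str, value: bytes, string_tag: int = 0x13) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value }; tag 0x14 is the T61String in the dump."""
    inner = der_oid(oid) + bytes([string_tag, len(value)]) + value
    assert len(value) < 0x80 and len(inner) < 0x80  # short-form DER lengths suffice for name attributes
    return b"\x30" + bytes([len(inner)]) + inner

def hex_string(pattern: bytes) -> str:
    """Render bytes in the |..| form that --hex-string accepts, enforcing the kernel cap."""
    if not 1 <= len(pattern) <= XT_STRING_MAX_PATTERN:
        raise ValueError(f"pattern must be 1..{XT_STRING_MAX_PATTERN} bytes, got {len(pattern)}")
    return "|" + pattern.hex() + "|"

def iptables_rules(pattern: bytes, chain: str = "INPUT") -> list:
    """Commands in the order to run them: -I prepends, so DROP goes in first and LOG ends up above it.
    Unlike the post's rule this pins the match to TCP source port 443, the TLS server side."""
    base = f"iptables -I {chain} -p tcp --sport 443 -m string --algo bm --hex-string '{hex_string(pattern)}'"
    return [f"{base} -j DROP", f"{base} -j LOG --log-prefix 'TLS-CERT-MATCH '"]
```

Because xt_string matches the pattern anywhere in the packet, the DER attribute also fires on any other certificate carrying the same organizationName, so review the LOG output before trusting the DROP rule in production.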

Have fun filtering and post your comments about how you are currently using IPtables.
