I chose to use iptables because it is a firewall built into the Linux kernel, and a really powerful one. I just need... to learn to use it. A basic (very basic indeed) guide is below.
1. Components:
iptables works at layers 3 and 4 of the OSI model. With connection tracking it is a stateful firewall, and it is organized as follows:
- Tables: the three tables you will use most are Mangle (modifies packet fields such as ToS and TTL), NAT (rewrites IP addresses and ports) and Filter (accepts or refuses packets).
- Chains: each table contains chains. A chain is the list of rules a packet goes through at a given point of its path, and it has a default policy that applies when no rule matches.
- Rules: each chain holds rules, evaluated in order; the first rule that matches decides what happens to the packet, so the position of a rule matters.
The most used table in iptables is the Filter table. It has 3 built-in chains:
- INPUT: all traffic addressed to our host goes through this chain.
- FORWARD: used when the destination of the packet is not our host, so the packet is routed through it to somewhere else.
- OUTPUT: packets generated by our host go through this chain on their way out.
2. Configuring rules:
Rules are like Access Control Lists (Cisco jargon) used to filter traffic. A rule must include:
- The name of the chain.
- What to do with the rule on that chain: append (-A), insert (-I), replace (-R) or delete (-D).
- The name of the table (-t); the filter table is the default, so it is not necessary to mention it.
- Layer 3 source (-s) and/or destination (-d) IP addresses.
- Optionally, the layer 4 protocol (-p) and port (--sport / --dport).
- The action (jump or target, -j): ACCEPT, DROP, REJECT or LOG. LOG only records the match; evaluation continues with the next rule.
For example, a rule that drops everything coming from 192.168.1.30 is written as follows:
iptables -A INPUT -s 192.168.1.30 -j DROP
3. What to filter?
OK. Now we know the basics of writing rules. We are going to find an ad we want to keep from showing in our browser. I like to search for subtitles on a very nice website called opensubtitles.

To find out which IP addresses are accessed to bring in that content, I use Wireshark (you can also use tcpdump, for example).
Wireshark must be capturing packets while the webpage is being opened.
When finished, a good strategy is to sort the captured packets by protocol. Before our host can fetch anything from the Internet it must send a DNS query to find the IP address of the server it wants to pull the content from, so the DNS traffic lists every name the page made us resolve.

See anything undesirable? The host must resolve opensubtitles.org, but it is also resolving strange names such as s7.addthis.com, widgets.amung.us, ads.identads.com, etc.
Wireshark also shows, in the DNS answers, the IP addresses those unwanted names resolve to. We can get the same information with nslookup. Note that 200.12.180.4, which appears on the Server: lines below, is our DNS resolver, not one of the ad hosts; the addresses we want are the ones on the Address: line that follows each Name:
[evilcat@luiskr Desktop]$ nslookup
> widgets.amung.us
Server: 200.12.180.4
Address: 200.12.180.4#53
Non-authoritative answer:
Name: widgets.amung.us
Address: 67.202.94.94
> ads.identads.com
Server: 200.12.180.4
Address: 200.12.180.4#53
Non-authoritative answer:
Name: ads.identads.com
Address: 77.247.177.150
>
Now we are ready to build and test our rules!
4. Building and applying the rules.
I would like to share my filter table with you. You can see how your own filter table is configured with /sbin/iptables -L -v (add -n to skip name lookups and --line-numbers to see each rule's position).
[root@luiskr evilcat]# /sbin/iptables -L -v
Chain INPUT (policy DROP 11840 packets, 967K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:vnc-server
  666  153K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:msnp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:xmpp-client
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:13111
10488   12M ACCEPT     tcp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  274 58045 ACCEPT     all  --  any    any     anywhere             anywhere             state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10018 packets, 1544K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@luiskr evilcat]#
My INPUT chain has a default policy of DROP (a packet that matches no rule is discarded). I also permit access to some services on my PC: the VNC server, Messenger, GTalk, a port-forwarding option for BitTorrent, and established TCP sessions. One thing to be aware of: the Messenger and GTalk rules match on source port (spt:msnp and spt:xmpp-client), and any remote host can choose its source port, so those two rules let in more than they need to; the RELATED,ESTABLISHED rule already admits the replies to sessions we opened.
We are going to insert rules to keep those ad servers from talking to our host.
/sbin/iptables -I INPUT 5 -p tcp -s 67.202.94.94 -j REJECT
/sbin/iptables -I INPUT 5 -p tcp -s 77.247.177.150 -j REJECT
/sbin/iptables -I INPUT 5 -p tcp -s 200.12.180.4 -j REJECT
Each command inserts its rule at position 5, ahead of the RELATED,ESTABLISHED rule that currently sits there; the rule matches TCP packets from the given source address and rejects them. Position matters: placed after the RELATED,ESTABLISHED rule, the REJECT would never be reached for the server's replies. Since all three rules are inserted at the same position, the last one typed ends up first in the listing. Two caveats: 200.12.180.4 is the DNS resolver from the nslookup session, not an ad server, so the third rule only rejects TCP from our own resolver (UDP lookups keep working) and is better left out. Also, because our browser is the one opening these connections, rejecting the replies on INPUT leaves the browser waiting until the connection attempt times out; a rule on the OUTPUT chain matching the destination address (-d instead of -s) makes the connection fail immediately instead.
Let's list our rules so we can see how they are finally configured:
[root@luiskr evilcat]# /sbin/iptables -L -v --line-numbers -n
Chain INPUT (policy DROP 37845 packets, 3030K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900
2     1232  263K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:1863
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5222
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:13111
5        0     0 REJECT     tcp  --  *      *       200.12.180.4         0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 REJECT     tcp  --  *      *       77.247.177.150       0.0.0.0/0            reject-with icmp-port-unreachable
7        0     0 REJECT     tcp  --  *      *       67.202.94.94         0.0.0.0/0            reject-with icmp-port-unreachable
8    17247   17M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
9      767  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18285 packets, 3872K bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@luiskr evilcat]#
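The following script is an added example, not code from the original post. It does what sections 3 and 4 do by hand: it parses an nslookup session for the Name:/Address: pairs (skipping the Server: lines, so the resolver is never mistaken for an ad host), counts the rules of the INPUT chain to find where the RELATED,ESTABLISHED rule sits, and prints the iptables commands to insert ahead of it. The nslookup and iptables text embedded below is copied from the sessions shown above as constructed input, so the script runs offline without root; the commands are printed rather than executed, and the OUTPUT/-d rule it adds beside each INPUT/-s rule is my suggestion, not something the post did.

```shell
#!/bin/sh
# Added example (not from the original post): derive REJECT rules from an
# nslookup session and an "iptables -L -v" listing. Runs offline; prints the
# iptables commands instead of executing them.

# Constructed sample: the nslookup session from the post. Only Name:/Address:
# pairs are answers; the Server:/Address: pair is the resolver itself.
NSLOOKUP_OUT='> widgets.amung.us
Server: 200.12.180.4
Address: 200.12.180.4#53
Non-authoritative answer:
Name: widgets.amung.us
Address: 67.202.94.94
> ads.identads.com
Server: 200.12.180.4
Address: 200.12.180.4#53
Non-authoritative answer:
Name: ads.identads.com
Address: 77.247.177.150
>'

# Constructed sample: the INPUT and FORWARD chains from the post, as printed
# by "iptables -L -v" (no --line-numbers, so positions have to be counted).
IPTABLES_OUT='Chain INPUT (policy DROP 11840 packets, 967K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:vnc-server
  666  153K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:msnp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:xmpp-client
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:13111
10488   12M ACCEPT     tcp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  274 58045 ACCEPT     all  --  any    any     anywhere             anywhere             state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print "name address" for each nslookup answer. A Name: line opens an answer
# and the next Address: line belongs to it; a Server: line resets the state so
# the resolver address (200.12.180.4 here) is never reported as an ad host.
resolved_hosts() {
    printf '%s\n' "$NSLOOKUP_OUT" | awk '
        /^Server:/  { name = "" }
        /^Name:/    { name = $2 }
        /^Address:/ { if (name != "") { print name, $2; name = "" } }'
}

# Position (1-based) of the RELATED,ESTABLISHED rule in the given chain:
# rule lines are the ones whose first field (pkts) is numeric. Prints nothing
# if the chain has no such rule.
established_pos() {
    chain=$1
    printf '%s\n' "$IPTABLES_OUT" | awk -v chain="$chain" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ {
            n++
            if ($0 ~ /RELATED,ESTABLISHED/) { print n; exit }
        }'
}

# Emit the commands. Inserting every rule at the same position reverses their
# order in the listing, which is harmless here. The OUTPUT/-d rule is what
# makes the browser's connection attempt fail at once; the INPUT/-s rule only
# discards the server's replies.
block_rules() {
    pos=$(established_pos INPUT)
    resolved_hosts | while read -r name addr; do
        printf '# %s\n' "$name"
        printf 'iptables -I INPUT %s -p tcp -s %s -j REJECT\n' "$pos" "$addr"
        printf 'iptables -I OUTPUT 1 -p tcp -d %s -j REJECT\n' "$addr"
    done
}

block_rules
```

To use it against a live box, replace the two embedded strings with the real output of nslookup (or dig) and of /sbin/iptables -L -v, review the printed commands, and then pipe them into sh as root.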
5. Testing!
We are ready to test... let's roll! Reload the webpage. This is the result I get:

This is a clean webpage, no advertisement around.
Of course, advertising varies from country to country: the ads you get in your location may differ, and so will the domains and IP addresses your host pulls them from, so repeat the capture for your own case. Keep in mind that ad servers change addresses over time, so rules based on IP addresses need to be rechecked now and then.
I hope you find this useful and that it helps you filter undesired Internet traffic.