Old 02-17-2002, 09:48 PM   #1
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Rep: Reputation: 15
block ads (doubleclick and aol) servers using iptables


Hi, I need to completely block ad servers and the ads.aol.com servers. Previously I used ipchains on RH7.1 and it ran great with the following scripts. But after switching to iptables, I have not been able to block the annoying ads coming to my browsers.

# blocking doubleclick.net
ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 208.184.29.0/24 -j REJECT
ipchains -A output -d 208.211.255.0/24 -j REJECT
ipchains -A output -d 209.67.38.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 206.65.183.0/24 -j REJECT
ipchains -A output -d 206.67.38.0/24 -j REJECT
ipchains -A output -d 208.32.211.0/24 -j REJECT
ipchains -A output -d 205.138.3.0/24 -j REJECT
ipchains -A input -s 199.95.207.0/24 -j REJECT
ipchains -A input -s 199.95.208.0/24 -j REJECT
ipchains -A input -s 208.184.29.0/24 -j REJECT
ipchains -A input -s 208.211.255.0/24 -j REJECT
ipchains -A input -s 209.67.38.0/24 -j REJECT
ipchains -A input -s 204.253.104.0/24 -j REJECT
ipchains -A input -s 206.65.183.0/24 -j REJECT
ipchains -A input -s 206.67.38.0/24 -j REJECT
ipchains -A input -s 208.32.211.0/24 -j REJECT
ipchains -A input -s 205.138.3.0/24 -j REJECT
## blocking ads.web.aol.com
ipchains -A output -d 205.188.140.249 -j REJECT
ipchains -A output -d 205.188.140.185 -j REJECT
ipchains -A output -d 152.163.180.24 -j REJECT
ipchains -A output -d 152.163.180.56 -j REJECT
ipchains -A output -d 64.12.184.25 -j REJECT
ipchains -A output -d 64.12.184.57 -j REJECT
ipchains -A output -d 64.12.184.89 -j REJECT
ipchains -A output -d 64.12.184.121 -j REJECT
ipchains -A input -s 205.188.140.249 -j REJECT
ipchains -A input -s 205.188.140.185 -j REJECT
ipchains -A input -s 152.163.180.24 -j REJECT
ipchains -A input -s 152.163.180.56 -j REJECT
ipchains -A input -s 64.12.184.25 -j REJECT
ipchains -A input -s 64.12.184.57 -j REJECT
ipchains -A input -s 64.12.184.89 -j REJECT
ipchains -A input -s 64.12.184.121 -j REJECT

What is the correct way to convert the above ipchains script into an iptables script? My iptables firewall is as follows:

http://www.linuxguruz.org/iptables/s...rewall_023.txt

I tried the following, but it did not work:

$IPTABLES -N dclick
$IPTABLES -A dclick -p tcp -d 199.95.207.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 199.95.207.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 199.95.208.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 199.95.208.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 208.184.29.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 208.184.29.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 208.211.255.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 208.211.255.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 209.67.38.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 209.67.38.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 204.253.104.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 204.253.104.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 206.65.183.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 206.65.183.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 206.67.38.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 206.67.38.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 208.32.211.0/24 -j REJECT
$IPTABLES -A dclick -p udp -d 208.32.211.0/24 -j REJECT
$IPTABLES -A dclick -p tcp -d 205.138.3.0/24 -j REJECT

Thanks in advance.
 
Old 02-17-2002, 10:48 PM   #2
JimKyle
Member
 
Registered: Dec 2001
Location: Oklahoma City, OK, USA
Distribution: Xubuntu 12.04 LTS
Posts: 156

Rep: Reputation: 18
I don't see any rule that jumps to your new "dclick" rule. It may work if you add a rule to the sample code you linked to that transfers anything in the FORWARD chain to "dclick" after applying the rules listed in the sample code, and finish off the list of "dclick" rules with an unconditional "-j ACCEPT" so that anything that makes it all the way through is accepted.

The reason your ipchains rules don't work with iptables is that there's one major change: forwarded packets no longer go through the INPUT and OUTPUT rule chains. Instead, they only go through the FORWARD chain. INPUT and OUTPUT now process only packets addressed to or from the firewall machine itself.

Hope this helps. The sample code looks seriously overcomplicated to me, but I don't see anything that would keep it from working...
 
Old 02-17-2002, 11:17 PM   #3
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
Great, thanks a lot for the tip, it solved my problem. I tried it with the INPUT and OUTPUT chains, and neither worked. I didn't realize the block needs to be specified in the FORWARD chain. After I added the following lines to the script, it seems to be working great.

$IPTABLES -A FORWARD -o $EXTIF -j dclick
$IPTABLES -A FORWARD -o $EXTIF -j AOLADS
$IPTABLES -A FORWARD -o $EXTIF -j AOLAIM

Thanks again.
 
Old 02-18-2002, 12:02 AM   #4
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
It appears AOL has more ad servers now; dig ads.web.aol.com shows more than 10 servers:

;; ANSWER SECTION:
ads.web.aol.com. 600 IN A 205.188.165.57
ads.web.aol.com. 600 IN A 205.188.165.89
ads.web.aol.com. 600 IN A 205.188.165.121
ads.web.aol.com. 600 IN A 205.188.165.153
ads.web.aol.com. 600 IN A 205.188.165.185
ads.web.aol.com. 600 IN A 64.12.174.153
ads.web.aol.com. 600 IN A 64.12.174.185
ads.web.aol.com. 600 IN A 64.12.184.25
ads.web.aol.com. 600 IN A 64.12.184.57
ads.web.aol.com. 600 IN A 64.12.184.89
ads.web.aol.com. 600 IN A 64.12.184.121
ads.web.aol.com. 600 IN A 152.163.226.25
ads.web.aol.com. 600 IN A 152.163.226.57
ads.web.aol.com. 600 IN A 152.163.226.89
ads.web.aol.com. 600 IN A 152.163.226.121
ads.web.aol.com. 600 IN A 152.163.226.153
ads.web.aol.com. 600 IN A 152.163.226.185
ads.web.aol.com. 600 IN A 205.188.165.25


What's the simplest way to stop junk ads coming to my browser? It seems iptables does not like hostnames in the script, but needs IP addresses. It gives an error when I include the lines below in my firewall script.

$IPTABLES -A AOLADS -p tcp -d ads.web.aol.com -j DROP
$IPTABLES -A AOLADS -p udp -d ads.web.aol.com -j DROP

Must I write a long script like the one below? Are there any simpler ways to block ads?

$IPTABLES -N AOLADS
$IPTABLES -A AOLADS -p tcp -d 205.188.140.249 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.140.249 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.140.185 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.140.185 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.180.24 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.180.24 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.180.56 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.180.56 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.184.25 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.184.25 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.184.57 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.184.57 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.184.89 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.184.89 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.184.121 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.184.121 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.57 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.57 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.89 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.89 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.121 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.121 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.153 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.153 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.185 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.185 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.174.153 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.174.153 -j DROP
$IPTABLES -A AOLADS -p tcp -d 64.12.174.185 -j DROP
$IPTABLES -A AOLADS -p udp -d 64.12.174.185 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.57 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.57 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.25 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.25 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.89 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.89 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.121 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.121 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.153 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.153 -j DROP
$IPTABLES -A AOLADS -p tcp -d 152.163.226.185 -j DROP
$IPTABLES -A AOLADS -p udp -d 152.163.226.185 -j DROP
$IPTABLES -A AOLADS -p tcp -d 205.188.165.25 -j DROP
$IPTABLES -A AOLADS -p udp -d 205.188.165.25 -j DROP

thanks for your feedback/suggestions
 
Old 02-18-2002, 01:28 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,300
Blog Entries: 54

Rep: Reputation: 2855
/* This (type of) question should be in networking, not security. */

You could run a filtering proxy like Squid, junkbuster, webwasher or anything else found on freshmeat.net, or expand your firewall shell script with something like this:

dig ads.web.aol.com | $FORMAT | while read aolblock1; do
(insert rule here) -s $aolblock1 (insert rule jump here)
done

$FORMAT should be grepping for "ads", grepping out carets and blanks. Something like "grep "ads" | grep -v \< | grep -v [[:blank:]]"
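The loop sketched above, filled in as an added example (my code, not from the thread): it reads dig output, keeps only well-formed A records, rebuilds a DROP chain from them, and hooks that chain into FORWARD and OUTPUT as post #2 explains. The dig output is constructed from the addresses quoted in post #4 with one bogus record added; IPTABLES defaults to "echo iptables" so the functions dry-run and print the commands, and EXTIF is assumed to be the firewall's external interface as in the thread.

```shell
#!/bin/sh
# Constructed sample of `dig ads.web.aol.com` output (not a live lookup):
# addresses quoted in the thread, one duplicate, one invalid octet.
SAMPLE_DIG='; <<>> DiG 9.2.1 <<>> ads.web.aol.com
;; ANSWER SECTION:
ads.web.aol.com. 600 IN A 205.188.165.57
ads.web.aol.com. 600 IN A 64.12.174.153
ads.web.aol.com. 600 IN A 152.163.226.25
ads.web.aol.com. 600 IN A 205.188.165.57
ads.web.aol.com. 600 IN A 999.1.1.1
;; Query time: 12 msec'

# Dry run by default; set IPTABLES=iptables (as root) to apply for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# Keep only valid IPv4 addresses from A records, de-duplicated. Matching on
# the record type instead of grepping for "ads" keeps comment lines (the
# first line above also contains "ads") and CNAME/NS records out of the rules.
extract_a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" &&
         $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             n = split($5, o, "."); ok = 1
             for (i = 1; i <= n; i++) if (o[i] > 255) ok = 0
             if (ok) print $5
         }' | sort -u
}

# Rebuild CHAIN from DIG_OUTPUT. Flushing first makes re-runs safe; re-run
# whenever the records change (the TTL in the thread is only 600 seconds).
build_block_chain() {
    chain=$1; dig_output=$2
    $IPTABLES -N "$chain" 2>/dev/null
    $IPTABLES -F "$chain"
    printf '%s\n' "$dig_output" | extract_a_records | while read -r ip; do
        $IPTABLES -A "$chain" -d "$ip" -j DROP
    done
}

# Add the jumps once. FORWARD covers clients routed through the box (the
# traffic ipchains-style INPUT/OUTPUT rules no longer see); OUTPUT covers
# a browser on the firewall host itself.
hook_chain() {
    chain=$1; extif=${2:-$EXTIF}
    for parent in FORWARD OUTPUT; do
        $IPTABLES -A "$parent" -o "$extif" -j "$chain"
    done
}
```

For live use as root: `IPTABLES=iptables; build_block_chain AOLADS "$(dig ads.web.aol.com)"; hook_chain AOLADS "$EXTIF"`.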