LinuxQuestions.org
Old 01-28-2005, 09:48 AM   #1
carboncopy
firewall for privacy


Hi!

I would like to set up iptables to block IP net blocks belonging to advertising firms. Now I need some info on what kind of block I should use. Should I just DROP? Or use REJECT? Or DROP if traffic is from advert firms' IPs and REJECT if heading to advert firms' IPs?

How would this affect web browsing? Would I be bombarded with error messages instead of adverts?

Will there be an advantage if I use hosts.deny?

There is this article, http://www.ecst.csuchico.edu/~atman/spam/adblock.shtml, which redirects advert server addresses to the localhost address (127.0.0.1) using /etc/hosts. But if I want to protect multiple machines (different OSes), it would be kind of multiple work for me.

Thanks in advance.

Last edited by carboncopy; 01-28-2005 at 09:52 AM.
 
Old 01-28-2005, 10:13 AM   #2
win32sux
i suggest you DON'T try and do this using iptables... have you looked into using a filter??

i think you might like privoxy:

http://www.privoxy.org/


Last edited by win32sux; 01-28-2005 at 10:18 AM.
 
Old 01-28-2005, 11:37 AM   #3
carboncopy
Am not a fan of using proxy

Anybody, with experience on this?
 
Old 01-28-2005, 11:51 AM   #4
win32sux
well if you really wanna do it with iptables you could simply create a reference in your iptables script to a text file containing the IP netblocks you wanna filter... or you could manually put them in your script... none of these methods will be very effective, though...

whether you use DROP or REJECT is really up to you, the site will be blocked either way... except of course with REJECT a reply will be sent to the host initiating the request...

you need to be very careful should you choose to do this filtering with iptables: the ad server netblocks will vary, and also there might be non-ad servers in a netblock you filter...

content filtering is the best way to block ads, IMHO... but you don't like proxies, and it seems like you like the idea of making your own blacklists, so maybe the /etc/hosts thing is the best option for you: yes, you can do DNS blocking for the whole network using the /etc/hosts file on your gateway if you want... just use a daemon like dnsmasq which will look at /etc/hosts, then do the usual 127.0.0.1 (or whatever IP you want) routine... it's very easy...

hosts on the lan making a dns request to the dns daemon for an ad host will be fed 127.0.0.1 (or whatever) as the address, so it'll be like doing the /etc/hosts thing on every machine, except you only have to do it on one... this way has the benefit that you won't need to touch iptables and the ad sites will be blocked even if the IPs change...

good luck...

Last edited by win32sux; 01-28-2005 at 12:37 PM.
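
The gateway-wide hosts-file approach described in post #4, as an added example that is not part of the original thread: a shell function that turns a list of ad hostnames into hosts-format records for dnsmasq, validating each entry first. The function names, the file paths in the comments and the sample hostnames are assumptions; `addn-hosts` is dnsmasq's option for loading an extra hosts file.

```shell
#!/bin/sh
# Added example. Hostnames are constructed samples (reserved .example TLD).
SINK_IP="127.0.0.1"   # address returned for blocked names, as in the post

# Reads one hostname per line on stdin, prints "<SINK_IP> <hostname>".
# Strips comments and whitespace, lower-cases, de-duplicates, and silently
# drops anything that is not a plain DNS hostname, so a bad list entry
# cannot smuggle extra fields (an IP, an alias) into the hosts file.
build_blocklist() {
    awk -v ip="$SINK_IP" '
        {
            sub(/#.*/, "")                  # remove comment
            gsub(/^[ \t]+|[ \t\r]+$/, "")   # trim whitespace and CR
            if ($0 == "" || length($0) > 253) next
            host = tolower($0)
            # dot-separated labels of letters, digits and inner hyphens
            if (host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            if (!seen[host]++) print ip " " host
        }'
}

# Constructed sample list, including entries the filter must reject.
sample_list() {
    cat <<'EOF'
# constructed sample blocklist
ads.tracker.example
ADS.tracker.example        # same host, different case
banner.adnet.example
bad entry.example 10.0.0.1 router
-leading-hyphen.example
EOF
}

# Print the generated records for the sample list.
sample_list | build_blocklist

# On the gateway (file names are assumptions):
#   build_blocklist < /etc/adhosts.list > /etc/hosts.adblock
#   echo 'addn-hosts=/etc/hosts.adblock' >> /etc/dnsmasq.conf
#   then restart dnsmasq and point LAN clients at the gateway for DNS
```
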
 
Old 01-28-2005, 01:37 PM   #5
ironwalker
Easier to use adblock in firefox. Some ad agencies use outside datacenters to host servers....same ipblock as say maybe a legit site. Blocking a whole block is asking for trouble.
I do use some block lists but......i don't update them anymore....soon i'd have to block the entire internet

just my 2cents
 
Old 01-28-2005, 01:39 PM   #6
win32sux
Quote:
Originally posted by ironwalker
Easier to use adblock in firefox.
not when you have TONS of computers on a LAN...

=)
 
Old 01-28-2005, 09:44 PM   #7
carboncopy
Adblock in firefox doesn't block cookies. I know I can specify which domain or IP to block them. It is really too much hassle EVEN on ONE machine. And, it doesn't solve the problem once users use other browsers such as Mozilla, Safari, "you must be nuts to use IE", Opera, etc.

After a night's sleep, privoxy suggested by win32sux seems more attractive now. Will give it a try, so don't accuse me of not trying and being biased.
 
  

