Linux Archive > Gentoo > Gentoo User
09-13-2008, 09:36 PM
pk

Trying to block third party ip address with iptables...

Hello,

I am using shorewall on my local computer (the same I'm surfing the web
with). My skills with iptables are not really good and my understanding
of networking also has some holes in it... However, I'm trying to
prevent firefox from accessing a third party site; I'm logging onto a
site with firefox. With netstat I can see that besides the usual ip
address belonging to the site another ip-address (not belonging to the
original site) shows up. While trying to block the additional ip address
with both "iptables -A INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d
xxxx -j DROP" it still sends a SYN request to this site. This makes
firefox just sit there waiting for a time-out. How can I prevent firefox
from accessing the other site, while still accessing the original one?


Best regards

Peter K
 
09-13-2008, 09:44 PM
Dale

Trying to block third party ip address with iptables...

pk wrote:

Hello,

I am using shorewall on my local computer (the same I'm surfing the
web with). My skills with iptables are not really good and my
understanding of networking also has some holes in it... However, I'm
trying to prevent firefox from accessing a third party site; I'm
logging onto a site with firefox. With netstat I can see that besides
the usual ip address belonging to the site another ip-address (not
belonging to the original site) shows up. While trying to block the
additional ip address with both "iptables -A INPUT -s xxxx -j DROP"
and "iptables -A OUTPUT -d xxxx -j DROP" it still sends a SYN request
to this site. This makes firefox just sit there waiting for a
time-out. How can I prevent firefox from accessing the other site,
while still accessing the original one?


Best regards

Peter K




Would adblock work for this? Just block the address you don't want it
to access.


Dale

:-) :-)
 
09-13-2008, 09:57 PM
"Raptor"

Trying to block third party ip address with iptables...

> Hello,
>
> I am using shorewall on my local computer (the same I'm surfing the web
> with). My skills with iptables are not really good and my understanding
> of networking also has some holes in it... However, I'm trying to
> prevent firefox from accessing a third party site; I'm logging onto a
> site with firefox. With netstat I can see that besides the usual ip
> address belonging to the site another ip-address (not belonging to the
> original site) shows up. While trying to block the additional ip address
> with both "iptables -A INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d
> xxxx -j DROP" it still sends a SYN request to this site. This makes
> firefox just sit there waiting for a time-out. How can I prevent firefox
> from accessing the other site, while still accessing the original one?
>
> Best regards
>
> Peter K
>
>
Couldn't you use squid as a proxy and squidguard for filtering the site
you want to access or block?
As an example, if you access a web site which has a link to a third-party
advertisement site, you could use squidguard to block the ad and let you
browse the content of the original website.

I know this approach doesn't use iptables but perhaps it could help you...


--
http://www.drakonix.fr
 
09-14-2008, 08:28 AM
Alan McKinnon

Trying to block third party ip address with iptables...

On Saturday 13 September 2008 23:36:13 pk wrote:
> Hello,
>
> I am using shorewall on my local computer (the same I'm surfing the web
> with). My skills with iptables are not really good and my understanding
> of networking also has some holes in it... However, I'm trying to
> prevent firefox from accessing a third party site; I'm logging onto a
> site with firefox. With netstat I can see that besides the usual ip
> address belonging to the site another ip-address (not belonging to the
> original site) shows up. While trying to block the additional ip address
> with both "iptables -A INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d
> xxxx -j DROP" it still sends a SYN request to this site. This makes
> firefox just sit there waiting for a time-out. How can I prevent firefox
> from accessing the other site, while still accessing the original one?

That's always going to be problematic. Firefox does not know that you have
firewalled that address, so will continue doing exactly what it always did -
send a SYN and wait for the response.

So you'll need to tell Firefox that that IP is banned, in which case you don't
need iptables, you need a Firefox plug-in. Go to mozilla's site and find
something appropriate. I'll bet there's one already and it's probably called
SiteBlock



--
alan dot mckinnon at gmail dot com
 
09-14-2008, 08:43 AM
pk

Trying to block third party ip address with iptables...

Alan McKinnon wrote:

That's always going to be problematic. Firefox does not know that you have
firewalled that address, so will continue doing exactly what it always did -
send a SYN and wait for the response.


So you'll need to tell Firefox that that IP is banned, in which case you don't
need iptables, you need a Firefox plug-in. Go to mozilla's site and find
something appropriate. I'll bet there's one already and it's probably called
SiteBlock


Ok, I suspected as much. Yep, there's an extension called Siteblock. Just
downloaded it and will try it. Thanks to all who replied!


Best regards

Peter K
 
09-14-2008, 08:46 AM
Tony Stohne

Trying to block third party ip address with iptables...


> On Saturday 13 September 2008 23:36:13 pk wrote:
> Hello,
>
> I am using shorewall on my local computer (the same I'm surfing the web
> ...
> original site) shows up. While trying to block the additional ip address
> with both "iptables -A INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d
> xxxx -j DROP" it still sends a SYN request to this site. This makes
> firefox just sit there waiting for a time-out. How can I prevent firefox
> from accessing the other site, while still accessing the original one?
>

HTTP requests are sent over TCP, so try a REJECT with TCP reset instead.
Something like this should do the trick, since the connection would be reset
more or less instantly avoiding the timeout:

# Incoming packets from the blocked host: answer with a TCP RST
iptables -A INPUT -s xxxx -p tcp -j REJECT --reject-with tcp-reset
# Outgoing packets to the blocked host (-d, the destination, not -s): the
# local stack gets the RST, so Firefox sees "connection refused" at once
iptables -A OUTPUT -d xxxx -p tcp -j REJECT --reject-with tcp-reset

Regards

//Tony
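One way to see the difference Tony and Alan describe from the browser's side, as an added example that is not code from the thread: a small Python probe that makes the same TCP connect Firefox does and reports whether the attempt was reset at once (REJECT with tcp-reset), hung until a timeout (DROP), or succeeded. It assumes the host being probed is reachable from the machine running it; the demo function uses loopback only, so it runs offline.

```python
import socket
import time
from contextlib import closing

# Added example, not code from the thread. A TCP connect is exactly what
# Firefox does (it sends a SYN), so probing the blocked host:port from the
# same machine shows which kind of block is in place:
#   "refused"   - a RST came back: iptables REJECT --reject-with tcp-reset;
#                 the browser fails at once
#   "timeout"   - nothing came back: iptables DROP; the browser hangs until
#                 its own connect timeout expires
#   "connected" - the handshake completed: the host is not blocked at all


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return (outcome, seconds_elapsed)."""
    start = time.monotonic()
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcome = "connected"
        except ConnectionRefusedError:
            outcome = "refused"
        except socket.timeout:
            outcome = "timeout"
        except OSError as exc:          # e.g. no route to host
            outcome = "error:%s" % exc.errno
    return outcome, time.monotonic() - start


def closed_local_port():
    """Bind an ephemeral port, then release it so a connect to it gets a RST."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed offline demo on loopback: a closed port behaves like a
    tcp-reset REJECT, a listening port like an unblocked host."""
    results = {}
    results["rejected"] = probe("127.0.0.1", closed_local_port())
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        results["open"] = probe("127.0.0.1", srv.getsockname()[1])
    return results


if __name__ == "__main__":
    for name, (outcome, secs) in demo().items():
        print("%-8s -> %-9s after %.3fs" % (name, outcome, secs))
```

Run it against the third-party address after adding a rule: "refused" within milliseconds means the REJECT rule is doing its job, while "timeout" after the full wait means the packets are still being silently dropped.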
 
09-14-2008, 09:07 AM
Dale

Trying to block third party ip address with iptables...

Alan McKinnon wrote:

On Saturday 13 September 2008 23:36:13 pk wrote:


Hello,

I am using shorewall on my local computer (the same I'm surfing the web
with). My skills with iptables are not really good and my understanding
of networking also has some holes in it... However, I'm trying to
prevent firefox from accessing a third party site; I'm logging onto a
site with firefox. With netstat I can see that besides the usual ip
address belonging to the site another ip-address (not belonging to the
original site) shows up. While trying to block the additional ip address
with both "iptables -A INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d
xxxx -j DROP" it still sends a SYN request to this site. This makes
firefox just sit there waiting for a time-out. How can I prevent firefox
from accessing the other site, while still accessing the original one?



That's always going to be problematic. Firefox does not know that you have
firewalled that address, so will continue doing exactly what it always did -
send a SYN and wait for the response.


So you'll need to tell Firefox that that IP is banned, in which case you don't
need iptables, you need a Firefox plug-in. Go to mozilla's site and find
something appropriate. I'll bet there's one already and it's probably called
SiteBlock





Wouldn't adblock do the same thing? To block, say, all of Google, he
could block this: *.google.com/* Nothing from Google should come through.
At least that is how I do it here with Seamonkey.


Just curious.

Dale

:-) :-)
 
09-14-2008, 10:29 AM
Neil Bothwick

Trying to block third party ip address with iptables...

On Sun, 14 Sep 2008 11:04:47 +0200, pk wrote:

> That was the intention. The site in question is my banks site. And they
> have a marketing survey company linked to their site which I want to
> hide from. If I want to use the banks internet services, which I pay
> for, I don't want third parties to snoop on my activities...

Is the link to a domain name or an IP address? If the former, put the
domain name in /etc/hosts, pointing to 127.0.0.1.


--
Neil Bothwick

Programmer (n): A red-eyed, mumbling mammal capable of conversing
with inanimate objects.
 
09-15-2008, 06:15 PM
pk

Trying to block third party ip address with iptables...

Grant Edwards wrote:

OK. Now that we know the real problem, we can give you the real solution.

Change your bank.


And write polite letter to a couple bank executives (yes, on
paper, in an envelope, with a stamp on it) explaining why. It
won't take very many such letters before they straighten things
out. Don't bother complaining via e-mail. It'll only be seen
by some poor wage-slave who doesn't care and couldn't do
anything about it if he did. Telephoning will probably be even
less useful (unless you want to know what the weather is like
in Mumbai or Bangalore).


I'm not kidding, you shouldn't have to put up with that shit.


Not at all.


Good advice. I'll try to find some time for examining my options.
Unfortunately, from what I can gather, my current bank has one of the
best options in the country (Sweden). The rest of the bunch are mostly
running Windows servers (acc. to Netcraft) or have really bad
Windows-centric solutions or poor security like one-time use tickets.
Yes, it's really that bad...


Thanks again!

Best regards

Peter K
 
09-15-2008, 10:59 PM
Dale

Trying to block third party ip address with iptables...

pk wrote:
The rest of the bunch are mostly running Windows servers (acc. to
Netcraft) or have really bad Windows-centric solutions or poor
security like one-time use tickets. Yes, it's really that bad...


Thanks again!

Best regards

Peter K




My bank runs windoze too. I talked to a techie a couple times and he
said they are running themselves to death. Any American banks that run
Linux?


Dale

:-) :-)
 