netfilter.vger.kernel.org archive mirror
* Whitelist with domains that pulls stuff from other domains
@ 2014-04-21  4:53 Martin Braun
  2014-04-21 11:26 ` Joel Gerber
  2014-04-21 12:30 ` Jens Neu
  0 siblings, 2 replies; 3+ messages in thread
From: Martin Braun @ 2014-04-21  4:53 UTC (permalink / raw)
  To: netfilter

Hi

I wanted to make a white list using the settings below.

<SNIP>
# Custom chain for LAN -> WAN traffic; everything forwarded in from the LAN
# interface is sent through it.
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

# Boxes exempt from filtering, matched on source MAC (works only for clients
# directly on the LAN segment). "-I" inserts at the head of the chain, so
# each new rule is checked before the ones added earlier.
iptables -I wanout -m mac --mac-source 01:26:f7:46:71:4b -j ACCEPT
iptables -I wanout -m mac --mac-source d2:37:b5:f2:39:f3 -j ACCEPT

# Whitelisted sites. iptables resolves each name once, when the rule is
# inserted, and stores one rule per A record; the name itself is not kept.
iptables -I wanout -d gamepedia.com -j ACCEPT
iptables -I wanout -d toysrus.com -j ACCEPT

# Everything else, appended at the end of the chain, is rejected.
iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
</SNIP>

So the boxes with the MACs specified are exempt from blocking. The
domains "gamepedia.com" and "toysrus.com" are accessible to all.

But the problem is that those domains pull stuff in from other
domains using <iframe> or something, which makes the iptables rules
stop the website from loading completely.

How do I deal with that in the best way? I don't want to look up
everything they pull in and whitelist that as well. Also, it might
change.

Isn't there a way to say "accept all from this domain, even unrelated stuff"?

Kind regards.

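An added example, not part of Martin's post, showing what the ruleset above turns into once it is loaded. iptables resolves `-d gamepedia.com` once, at insertion time, and keeps one /32 rule per A record; the resolver answers, addresses, hostnames and LAN interface name below are constructed so the script runs offline and needs no root.

```shell
#!/bin/sh
# Added example (not from the thread): what iptables really stores when a
# rule names a host. "-d gamepedia.com" is resolved once, at load time, and
# becomes one rule per A record; the chain keeps no record of the name, so
# hosts the page embeds from other domains, and any later DNS change, are
# not covered. Addresses, hostnames and the interface name are constructed.

LAN_IF=br0                                  # stands in for `nvram get lan_ifname`
EXEMPT_MACS='01:26:f7:46:71:4b d2:37:b5:f2:39:f3'
ALLOWED_HOSTS='gamepedia.com toysrus.com'

# Resolver answers in "host address" form. A live script would build this
# with something like `getent ahostsv4 "$h" | awk '{print $1}' | sort -u`;
# the values below are made up so the example runs offline.
SNAPSHOT_MONDAY='gamepedia.com 203.0.113.10
gamepedia.com 203.0.113.11
toysrus.com 198.51.100.7'

# Same hosts after a CDN move: one gamepedia.com address changed.
SNAPSHOT_TUESDAY='gamepedia.com 203.0.113.10
gamepedia.com 203.0.113.42
toysrus.com 198.51.100.7'

# Per-address rules iptables creates for "-d $host" in chain $chain. This
# is also what `iptables -S $chain` prints afterwards: /32s, never names.
expand_host_rule() {
    chain=$1 host=$2 snapshot=$3
    printf '%s\n' "$snapshot" |
        awk -v c="$chain" -v h="$host" \
            '$1 == h { printf "-A %s -d %s/32 -j ACCEPT\n", c, $2 }'
}

# The whole "wanout" chain in iptables-restore syntax, written in evaluation
# order (the original used -I, which inserts at the head, so its order was
# the reverse of the typing order): MAC exemptions, address whitelist,
# catch-all REJECT.
build_wanout() {
    snapshot=$1
    echo '*filter'
    echo ':wanout - [0:0]'
    echo "-A FORWARD -i $LAN_IF -j wanout"
    for mac in $EXEMPT_MACS; do
        echo "-A wanout -m mac --mac-source $mac -j ACCEPT"
    done
    for host in $ALLOWED_HOSTS; do
        expand_host_rule wanout "$host" "$snapshot"
    done
    echo '-A wanout -j REJECT --reject-with icmp-proto-unreachable'
    echo 'COMMIT'
}

# Whitelist rules present in the loaded chain but no longer backed by DNS.
# Whatever now sits on such an address is still ACCEPTed, while the site's
# new address is REJECTed; the chain only learns about the change when it
# is rebuilt from a fresh snapshot.
stale_rules() {
    old=$1 new=$2
    build_wanout "$old" | grep -- '-d ' | sort > "/tmp/wanout.old.$$"
    build_wanout "$new" | grep -- '-d ' | sort > "/tmp/wanout.new.$$"
    comm -23 "/tmp/wanout.old.$$" "/tmp/wanout.new.$$"
    rm -f "/tmp/wanout.old.$$" "/tmp/wanout.new.$$"
}

# Stand-alone run: print the Monday ruleset, then what is stale on Tuesday.
build_wanout "$SNAPSHOT_MONDAY"
echo '# stale after the Tuesday DNS change:'
stale_rules "$SNAPSHOT_MONDAY" "$SNAPSHOT_TUESDAY"
```

Run `iptables -S wanout` on the router after loading the original rules and you will see only `-d 203.0.113.10/32`-style entries, never a name; that is why third-party hosts the page embeds are rejected, and why the chain silently goes stale when a site's addresses change. To load the generated chain for real, fill the snapshot from the resolver and pipe `build_wanout` into `iptables-restore`, remembering that it replaces the whole filter table, so merge it with the rest of the router's rules first.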

* RE: Whitelist with domains that pulls stuff from other domains
  2014-04-21  4:53 Whitelist with domains that pulls stuff from other domains Martin Braun
@ 2014-04-21 11:26 ` Joel Gerber
  2014-04-21 12:30 ` Jens Neu
  1 sibling, 0 replies; 3+ messages in thread
From: Joel Gerber @ 2014-04-21 11:26 UTC (permalink / raw)
  To: Martin Braun, netfilter@vger.kernel.org

Without getting into great detail, I'm quite sure that the Linux kernel Netfilter code doesn't have any concept of DNS. When you specify a DNS hostname in your rules, it just does an A record lookup and stores the IP address in your rules.

If you want to employ an HTTP whitelist on Linux, I recommend using a Web Proxy server like squid. It will allow you to do application layer filtering which would be much easier to implement, and more likely to work.

Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@corp.eastlink.ca T: 519.786.1241


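An added squid.conf fragment, not from Joel's reply or from the squid project, illustrating the application-layer whitelist he suggests. The LAN prefix is assumed; the MAC addresses and domains are the ones from Martin's post. Squid's `dstdomain` ACL matches the host the browser asked for, so the rules stay valid when a site's IP addresses change, and the `referer_regex` ACL is one way to get the "accept whatever this site pulls in" behaviour Martin asked about, with the caveats noted in the comments.

```conf
# Added example (not from the thread): squid whitelist that filters on the
# HTTP request rather than on resolved IP addresses. The LAN prefix is an
# assumption; MACs and domains come from the original post.

# Clients behind the router.
acl lan src 192.168.1.0/24

# The two boxes that bypass filtering, matched by MAC. Squid's arp ACL only
# works for clients on the same layer-2 segment as the proxy, which holds
# when the proxy runs on the router itself.
acl exempt arp 01:26:f7:46:71:4b d2:37:b5:f2:39:f3

# Whitelisted sites; the leading dot also matches every subdomain.
acl whitelist dstdomain .gamepedia.com .toysrus.com

# Requests that a whitelisted page triggers (iframes, scripts, images from
# other domains) carry that page in the Referer header. Caveats: the header
# is set by the client, so anyone can forge it; resources loaded by a
# third-party frame carry the third party as Referer, not the whitelisted
# site; and for HTTPS the proxy sees only the CONNECT host, never Referer,
# unless it intercepts TLS.
acl from_whitelisted referer_regex -i ^https?://([^/]+\.)?(gamepedia|toysrus)\.com(/|$)

# ACLs on one http_access line are ANDed; the first matching line wins.
http_access allow lan exempt
http_access allow lan whitelist
http_access allow lan from_whitelisted
http_access deny all
```

For this to replace the iptables whitelist rather than sit beside it, the clients must actually go through the proxy: either configure them to use it, or redirect port 80 from the LAN to the proxy on the router, and then let the FORWARD chain pass only the proxy's own traffic out. Check with `squidclient mgr:info` or the access log that requests for a whitelisted page and its embedded third-party resources are logged as allowed while an unrelated site is denied.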

* Re: Whitelist with domains that pulls stuff from other domains
  2014-04-21  4:53 Whitelist with domains that pulls stuff from other domains Martin Braun
  2014-04-21 11:26 ` Joel Gerber
@ 2014-04-21 12:30 ` Jens Neu
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Neu @ 2014-04-21 12:30 UTC (permalink / raw)
  To: Martin Braun, netfilter

On 04/21/2014 06:53 AM, Martin Braun wrote:
> Hi
>
> I wanted to make a white list using the settings below.

Have a look at dansguardian:

http://dansguardian.org/?page=whatisdg

regards
Jens
