Filtering Gmail/Facebook/Twitter with IPtables

In most cases port base filtering  is an all or none approach. For example if you want to block  a user from accessing a certain website, blocking that user’s access to port 80/443 outbound will stop them from accessing all websites not just that one. If you would like to get more granular then you would need some sort of  web content filtering systems.

Good news is, if you are still using iptables you are now able to filter traffic destined to sites such as Facebook, Twitter, Gmail etc. You can accomplish this by using iptables to block a given hex string that will appear in the initial packet handshake. I first saw this technique being discussed in a full-disclouser posting and I figured it was worth trying out.

The tools of choice here is Ngrep (Network Grep) and IPTables .

Step one: Capture the X.509 certificate

You will be doing this by using ngrep:

[infolookup@Test ~]# ngrep -d eth2 -q -x ‘Twitter’
interface: eth2 (10.100.0.0/255.255.255.128)
match: Twitter

You will then notice the following output in your terminal:

<snip>

T 199.59.148.11:443 -> 10.100.0.119:38414 [A]

  1. 30 30 31 16 30 14 06 03    55 04 0a 14 0d 54 77 69    001.0…U….Twi
  2. 74 74 65 72 2c 20 49 6e    63 2e 31 1c 30 1a 06 03    tter, Inc.1.0…
  3. 55 04 0b 14 13 54 77 69    74 74 65 72 20 20 4f 70    U….Twitter  Op

</snip>

Step two: Creating your IPtable rule

You will be building your rule based on the hex string obtained above.

Prior to applying the rule I able to run the following command:

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>301 Moved Permanently</title>
</head><body><h1>Moved Permanently</h1>
<p>The document has moved <a href=”https://twitter.com/”>here</a&gt;.</p>
</body></html>

IPtable rules to use:
http://pastebin.com/1HQD017A

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j DROP

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j LOG

The first rule will drop the connection to twitter and the second rule will log the entry. If you take a look at your /var/log/message you will see the following entry over and over:

Apr  7 00:05:11 Test kernel: [870656.036848] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58494 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

Apr  7 00:05:19 Test kernel: [870664.675930] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58496 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

If you try to access http://www.twitter.com you will get to the site, but when you try login the session will set there and just timeout.

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
curl: (35) SSL connect error

Note:

I was unable to use the following IPtable rule on a Ubuntu based system but it worked fine on my Fedora 14 test box. Also another thing to look out for is if you use too short of a hex string will will get an error the one I used was about 85 characters give or take.

Have fun filtering and post your comments about how you are currently using IPtables.

 

LinuxBasix 034 Podcast segment notes

FWKNOP Tech Segment

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.[1

Single Packet Authorization

Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).

Steps to take:

Install fwknop Server

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Side note: If you get the following error while loading  “shared libraries: libfko.so.0: cannot open shared object file: no such file or directory” then you may need to create a symbolic link in the /usr/lib directory for the library file:

# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.o.o.2 libfko.so.0

Config files:

Browse to –> /usr/local/etc/fwknop), you will see two files access.conf and fwknop.conf.

Edit the  fwknop.conf file, and  uncomment and set the options  for your interface “PCAP_INTF eth0”.

Next edit your access.conf file to allow access  based on your liking (users, port, key, etc).

A simple suitable config:

SOURCE: ANY;
KEY: P@$$W0r); //must be over 8 characters
REQUIRE_USERNAME: infolookup;
OPEN_PORTS: tcp/222;
FW_ACCESS_TIMEOUT: 30;

clear out your old IP rules and some default rules to drop all incoming traffic.

IP Tables rule:

#!/bin/sh
# Script to reset your iptable rules

# Load modules for  tracking and NAT
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables –flush
iptables -t nat –flush
iptables -t mangle –flush

# Delete any user-defined chains
iptables –delete-chain
iptables -t nat –delete-chain
iptables -t mangle –delete-chain

# Set default policies
iptables –policy INPUT DROP
iptables –policy OUTPUT ACCEPT
iptables –policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# log all incoming and forward traffic on eth0 device
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG –log-prefix “DROP”
iptables -A FORWARD -i eth0 -j LOG –log-prefix “DROP”

# Accept internally-requested input
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept internally-requested forward
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo “iptables policy enabled”

Start the server with –> # fwknopd -f -vv

Testing rules after configuration:

I tried to ssh to the Ubuntu server via my windows box which is IP 192.168.19.1 on port 22 and as you can see from the below image I was block and it was logged as expected:

Next I launched the windows client and typed in my configured information that was set-up during the config stage. Once you click “Send SPA” then try to login again via your SSH client within 30 secs and you should be able to now get in.

Additional reading:

http://www.cipherdyne.org/fwknop/

http://www.securitygeneration.com/single-packet-authorization/

http://aerokid240.blogspot.com/

http://www.cipherdyne.org/fwknop/download/ –> Windows client