The nfblocker utility is a blacklist based network traffic filter
for iptables via libnetfilter-queue. It applies to HTTP and SSL
traffic for recognizing and dropping packets that are directed to
blacklisted domain names.
Operationally nfblocker depends on the libnetfilter-queue-dev and
iptables packages, and for building, you'll also need a C build
environment including make.
The blacklist format is that of squidblacklist.org, which you'll need to acquire separately.
nfblocker is distributed in a tar file, which should be unpacked at
its future residence; e.g., as /usr/local/src/nfblocker-1.0.0. Then
cd into that directory and type:
# make
This will build the binary filter, and install the control script as
/usr/local/sbin/nfblocker.sh. Edit the Makefile to install
elsewhere.
The residence has a directory acl that is intended to hold all
available access control lists, and a directory blocked that should
be set up with links to the access control list files to use. For
example:
# ( cd blocked && ln -s ../acl/youtube-google-videos.acl )
That command will set up youtube-google-videos.acl to be an included
blacklist. Do the opposite to remove; for example:
# rm blocked/youtube-google-videos.acl
The nfblocker is started with the following command:
# nfblocker.sh start
With the start argument, the script adds appropriate iptables
rules to use direct certain traffic to net-filter queue 99, and it
starts a background process fot that filtering.
# nfblocker.sh reload
With the reload argument, the control script stops and restarts the
filter without changing iptables rules.
# nfblocker.sh stop
With the stop argument, the control script removes the iptables
rules and terminates the filtering process.
The filtering uses the given lists of domain names for rejecting packets. It recognizes HTTP message headers and SSL certificate requests, from where it picks out the targeted domain name. If that name is blacklised or in a blacklisted domain, then the packet is rejected.
The filtering also uses a fixed size decision cache, so that subsequent decisions for the same target can be made quickly.