Firewall/bandwidth throttling, and so on

So I got this weird assignment at work where apparently a customer has a hard-on for network traffic shaping.
He wants to throttle network traffic, which I can handle with tc no problem, with a bit of bash and PHP, but he also wants to filter stuff like porn, torrents, etc.
Anyone got a silver bullet for that one?
From what I’ve read E2Guardian is the place to be, but it is a proxy, which sadly means customers have to do actual work in their browser, e.g. click 3 buttons.
Basically what I need is DNS filtering, and if possible keyword filtering, without recompiling a whole new kernel with netfilter and without writing 1400-line-long iptables scripts.
Any ideas?

OpenDNS is your friend. Create a free account and set it up however you wish. Use the OpenDNS servers for your DNS needs and block all other DNS servers (so your clients have to use it) with your firewall, e.g. block all traffic on port 53 except the OpenDNS servers.
iptables -A FORWARD -p udp --dport 53 -d <opendns server 1> -j ACCEPT   # allow client DNS queries forwarded to the first OpenDNS resolver
iptables -A FORWARD -p udp --dport 53 -d <opendns server 2> -j ACCEPT   # allow client DNS queries forwarded to the second OpenDNS resolver
iptables -A FORWARD -p udp --dport 53 -j DROP                            # appended after the two ACCEPTs, so DNS to any other server is dropped
# repeat the three rules with -p tcp if clients also use DNS over TCP (port 53)
Or something similar; use it in whatever custom chains you have to make it work.


You can filter domain names with DNS. It’s easy enough to do if you have a list or a service like OpenDNS, but it’s pretty trivial to get around if you know what you’re doing. If you want to do keyword filtering you pretty much have to use a proxy, which will be limited to HTTP traffic only (not HTTPS, which virtually everything uses). There are ways to proxy HTTPS, but you probably shouldn’t do that in production unless you really know what you’re doing.

There are some other ways to filter HTTPS traffic in a limited way, but they’re all paid services like Untangle and not at all foolproof.

Torrents are not an easy thing to block. The best way, or at least the most effective way, is to block all outbound ports other than web and mail and anything else that you need.

This can also be done by using a pfSense machine as a border router, letting it serve up DNS and DHCP. You just need to block all DNS other than OpenDNS in the same manner as the netfilter rules above, if you don’t have netfilter compiled in for some reason… and you say it’s not.

As dexter_kane says, limit outbound traffic to HTTP, FTP, SSH, and whatever services you need. Block everything else.

Especially UDP: if you don’t want to deal with the headache that can come from blocking everything, then just blocking UDP will, if not stop torrents from working, make them pretty useless.

If the network has Active Directory then you should be able to push proxy settings by Group Policy; a strict proxy is probably the best way to limit what websites a user can use. DNS filtering is easy and can be effective, but it’s relatively simple to get around even if you block other DNS servers.

Blocking DNS would be the way to do this until you can come up with something better, such as a QoS solution that prioritizes, say, voice traffic, required sites (needed to do work), SSH and other needed services, and deprioritizes torrent traffic, “other websites”, and so forth.
Users will find ways around you blocking things (like a VPN) until you cut off the internet entirely. Even then they may do something like tether their phone or whatever, which you may not be able to stop.
It’s a game of what you need vs. the complexity and cost of doing that.

Social engineering may be a better way. They are the company’s computers and not the employees’, I am guessing, and therefore the company may inspect them at any time (subject to local law).

A company policy stating such may be in order:
“The computer you are assigned is property of the company and may not be used for personal reasons (including but not limited to: personal banking, downloads not in keeping with the job you are assigned, random browsing of websites not related to your job, personal email, etc.). The computer you are assigned is subject to monitoring and search as the company deems necessary.
The computer you are assigned may not be tethered to a personal device, except as management allows.”
And so forth.

I don’t do anything at work other than use the stuff I need to do work. E.g.:
Nothing requiring my personal passwords (like my banking website) ever gets used on the work computer. Reason: it’s their computer, not mine, and they may monitor it in many ways, such as with a keylogger.


Came up with kind of a simple yet nifty solution(s).
I tested OpenDNS and how it works, and yowsers, that shat’s easy to figure out. I took out like half a day of my calendar to toy around on a sick day; 1 hour later I was like “OK, this is definitely it”. I mean it was literally so effective when I put it on max security that I had to turn it off again because it blocked my work email, due to it having Skype embedded (and it blocks social media), and all webpages I threw at it except Facebook just got owned. Facebook’s sorta weird: I could block its chat but not the actual webpage.
Besides that, tc really saved the day. I mean it took some work to get working, mainly due to business *cough* idio… just not knowing what the hell they were selling, e.g. me not knowing what I was implementing.
But a ~60-line bash script and voilà, tc locks down a full IP range with traffic shaping, as a “service” on boot.
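An added example (not the poster’s ~60-line script, nor the iptables rules from the OpenDNS reply above, but a working version of both ideas in one file): one HTB class throttles a whole client subnet on the LAN interface, and forwarded DNS is locked to two resolvers. The interface name, subnet, rates and resolver addresses are assumed placeholders; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script: HTB shaping for one client subnet plus
# DNS restricted to two resolvers. Interface, subnet, rates and resolver
# addresses are placeholders. DRY_RUN=1 prints commands instead of running them
# (running them for real needs root, tc and iptables on the router).
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# shape_range <lan-iface> <subnet/cidr> <link-ceiling> <subnet-rate>
# Egress on the LAN interface is the clients' download direction, so traffic
# destined for the subnet lands in class 1:10 and is capped at <subnet-rate>;
# everything else falls into the default class 1:20 at the full link rate.
shape_range() {
    iface="$1"; subnet="$2"; ceil="$3"; rate="$4"
    run tc qdisc del dev "$iface" root 2>/dev/null || true   # clear any old qdisc
    run tc qdisc add dev "$iface" root handle 1: htb default 20
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "$ceil" ceil "$ceil"
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "$rate" ceil "$rate"
    run tc class add dev "$iface" parent 1:1 classid 1:20 htb rate "$ceil" ceil "$ceil"
    run tc filter add dev "$iface" protocol ip parent 1: prio 1 u32 \
        match ip dst "$subnet" flowid 1:10
}

# restrict_dns <resolver1> <resolver2>
# Same idea as the OpenDNS reply, but on the FORWARD chain (client queries pass
# through the router) and for both UDP and TCP 53. The ACCEPT rules are
# appended before the catch-all DROP, so evaluation order is correct.
restrict_dns() {
    for r in "$1" "$2"; do
        for proto in udp tcp; do
            run iptables -A FORWARD -p "$proto" --dport 53 -d "$r" -j ACCEPT
        done
    done
    for proto in udp tcp; do
        run iptables -A FORWARD -p "$proto" --dport 53 -j DROP
    done
}

# Typical boot-time use from a systemd unit or rc.local (placeholder values):
# shape_range eth1 192.168.10.0/24 100mbit 2mbit
# restrict_dns 203.0.113.1 203.0.113.2
```

The DNS rules only close the plain port 53 path; as the replies above note, a client that tunnels its resolution elsewhere (VPN, tethering) is outside what this script can see.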

DNS filtering is quick and easy to implement and cost-effective. I was in a similar position: I needed to block porn. We had a few HR issues and blocking porn was the simplest solution.

We went with WebTitan, a really simple solution: easy to configure, easy to filter by category. As well as blocking porn, we also now block a range of different categories: dating sites, gaming, anonymizers, etc. We have some organization-wide filters in place (e.g. porn); others are by user group. It’s also possible to filter content by keyword, although the category filtering has been sufficient for our needs.