GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → luigi1809 → webfilter-ng

luigi1809 / webfilter-ng

Licence: LGPL-3.0 license
Transparent HTTP/HTTPS/TLS web filter

Programming Languages

c
50402 projects - #5 most used programming language
shell
77523 projects
Makefile
30231 projects

Labels

iptablesad-blockerad-blocksquidguardsniweb-filteringwebfiltermalware-blockfiltering-dnswebfilter-ngtransparent-https-filteringfamily-filterdns-categorify

Projects that are alternatives of or similar to webfilter-ng

Block
Let's make an annoyance free, better open internet, altogether!
Stars: ✭ 1,849 (+6275.86%)
Mutual labels:  ad-blocker, ad-block
pornhosts
Pornhosts a hosts-file formatted file of the RPZ zone file
Stars: ✭ 33 (+13.79%)
Mutual labels:  ad-blocker, ad-block
docker-dns-ad-blocker
A lightweight dnsmasq DNS server to block traffic to known ad servers with optional DNSCrypt support. Supports x86_64 and Raspberry Pi (armhf).
Stars: ✭ 78 (+168.97%)
Mutual labels:  ad-blocker, ad-block
PiHole
This contains an ever-growing list of domains to be blocked using the Pi-Hole ad-blocker.
Stars: ✭ 56 (+93.1%)
Mutual labels:  ad-blocker, ad-block
adaway-linux
a small script to add domains hosting ads to the hosts file to block them. **DEPRECATED** Use Adsorber instead.
Stars: ✭ 41 (+41.38%)
Mutual labels:  ad-blocker
AdClear-Open-Source-Issue-Tracker
Open Source Issue Tracker for AdClear non-root ad blocker for Android
Stars: ✭ 101 (+248.28%)
Mutual labels:  ad-blocker
go-ipset
🔥 Go bindings for the IPtables ipset http://ipset.netfilter.org userspace utility
Stars: ✭ 110 (+279.31%)
Mutual labels:  iptables
xt NAT
Full Cone NAT module for Linux iptables
Stars: ✭ 65 (+124.14%)
Mutual labels:  iptables
ipt xor
iptables xor module
Stars: ✭ 15 (-48.28%)
Mutual labels:  iptables
Linux-System-Management-Scripts-Tricks
Linux Security & Linux Hardening & Linux Management & Linux Configuration
Stars: ✭ 70 (+141.38%)
Mutual labels:  iptables
hev-socks5-tproxy
A simple, lightweight socks5 transparent proxy for Linux. (IPv4/IPv6/TCP/UDP over TCP)
Stars: ✭ 209 (+620.69%)
Mutual labels:  iptables
sillyproxy
SillyProxy - Dynamic SNI based TLS proxy for terminating TLS (>=1.1) HTTP connections to multiple domains.
Stars: ✭ 19 (-34.48%)
Mutual labels:  sni
adblock-unbound
Build script to block ads for unbound
Stars: ✭ 32 (+10.34%)
Mutual labels:  ad-blocker
droplan
Manage iptable rules for the private interface on DigitalOcean droplets
Stars: ✭ 69 (+137.93%)
Mutual labels:  iptables
blackip
IP Blocklist for Ipset / Squid-Cache
Stars: ✭ 81 (+179.31%)
Mutual labels:  iptables
nDPI
Open Source Deep Packet Inspection Software Toolkit
Stars: ✭ 92 (+217.24%)
Mutual labels:  iptables
ddos-mitigation
Tips to mitigate and secure your large-scale server against DDoS attacks.
Stars: ✭ 58 (+100%)
Mutual labels:  iptables
etv-comskip
Commercial Marking and Skipping for EyeTV and iTunes Exports
Stars: ✭ 48 (+65.52%)
Mutual labels:  ad-blocker
docker-nfqueue-scapy
Docker container for intercepting packets with scapy from a netfilter queue (nfqueue)
Stars: ✭ 78 (+168.97%)
Mutual labels:  iptables
awall
[MIRROR] Alpine firewall configuration tool
Stars: ✭ 37 (+27.59%)
Mutual labels:  iptables
View All Similar Projects ➔

build

webfilter-ng

Transparent Web Filtering for Linux (standalone computer or router/internet gateway)

What does it do?

Filter http(s) web acess based on domain name in the request (basically Host field in http or SNI in https).

Main advantages of webfilter-ng is

Compared to squid + squidGuard :

  • Https trafic does not need to be decrypted to be filtered. No need to install root certificates on client computers.
  • Filtering is transparent (not possible with squid). No need to set up proxy settings on clients.
  • Filtering of http or https TLS trafic does not depends on TCP port (supported in Squid version 4 only). Useful for example for application that use TLS on TCP port 80.

Compared to classic DNS filtering :

  • webfilter-ng works well with modern web browser that integrates encrypted DNS with DoH. Classic DNS filtering solution does not work anymore with such new browsers as DNS in operating system global settings is not used for web browsing.
  • Also trying to bypass the filtering by implementing other DNS local host files or any kind of encrypted DNS (DoH - DNS over HTTPS, DoT - DNS over TLS...) is not possible with webfilter-ng

Four options of usage

  • filtering based on squidGuard (deprecated)
  • filtering based on public dns filtering solution (recommanded over squidGuard option)
  • filtering based on public dns filtering solution + categorify.org API (recommanded over squidGuard option)
  • filtering based on whitelist or blacklist

How does it work ?

Webfilter-ng reads for :

  • unencrypted HTTP Host field as well as the URI that is requested (URI is useful for squidGuard and not for solution based on public dns filtering solution)
  • for TLS connections including HTTPS, it reads the SNI field in TLS client Hello. All modern browsers sends the SNI extension in the client Hello. Very old browser does not but they are almost not anymore capable of provide a correct browsing experience. New TLS 1.3 is supported as it still haves unencrypted SNI. Connection is dropped when SNI is encrypted (draft standard).

SquidGuard filtering

It filters access to websites based on a working installation of squidguard. No need to install squid and configure proxy settings on network computer.

Warning : DNS filtering is recommanded as it does not require maintaining update of squidguard lists. Anyway be careful of the quality of the squidguard list you choose.

DNS filtering

  • Use a DNS filtering service - a good one is Cleanbrowsing DNS
  • DNS usually allows the conversion of domain name (i.e. google.fr) to internet IP address (i.e 172.217.18.195)
  • In case an unwanted domain is requested, this kind of DNS replies with a fake IP that did not allow access to the domain website.
  • webfilter-ng checks that the DNS filtering service is properly used (protects against bypass of the filter : usage of a non-filtering DNS, local hosts file, usage encrypted DNS, such as DoT or DoH.
  • To do so it compares the IP requested for a website against all the possible IPs provided by the DNS filtering service for the website domain
  • If they do not match, the request is blocked.

For a router/gateway (best option as it will protect all machines behind the gateway), it is mandatory to use a local (i.e. on the routeur/gateway) dns resolver such as bind9 and distribute dns setting with a dhcp server. webfilter-ng will read the dns cache of bind9, which is more performant. It is also ensure that webfilter-ng reads IPs that was offered to the computer by DNS, which could avoid blocking non-unwanted content by mistake.

DNS filtering + API categorify.org

categorify.org (by cleanbrowsing) is a free API to categorize websites content. It uses a keyword based artificial intelligence algorithm.

This option uses advantages of DNS filtering and categorify.org increases filtering reliability. Since categorify.org seems to limit the number of requests per day, API filtering would not be sufficient.

Current implementation only add reliability to adult content filtering.

Enforce usage of safe search on search engines (Bing, Google)

Additionally on a router/gateway, you might want to enforce user to use safe version of search engines, which filter unwanted results and images.

To do so, it is recommanded to install bind9 rpz zone and distribute dns setting with a dhcp server. See working bind9 configuration in bind directory.

See : https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing and https://www.cwssoft.com/?p=1577

You can also deny access to search engines that does not offer the possibility to enforce safe search by this method (yandex, etc...). To do so, add some fake entries to db.rpz : yandex.com A 127.0.0.1

Whitelist / blacklist filtering

  • Whitelist : allow access to websites that are on the whitelist. All others are denied.
  • Blacklist : deny access to websites that are on the blacklist. All others are permitted.

Requirements

Debian/Ubuntu

sudo apt install build-essential git dnsutils iptables iptables-persistent netfilter-persistent libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Reply "no" if it asks you to save current ipv4/ipv6 rules.

Installation

cd /tmp/
git clone https://github.com/luigi1809/webfilter-ng.git
cd webfilter-ng
make

For filtering based on dns (default)

This option requires that a local dns resolver with cache such as bind9 dns is installed and distributed by dhcp on your local network. Otherwise, if installed on a computer, bind9 should be locally installed and set as the dns resolver.

For a bind9 installation. Make sure it listens on 127.0.0.1

sudo apt-get install bind9

and make dns

For filtering based on dns + categorify.org API

/!\ This option is only available for gateway filtering (not standalone linux computer).

Install local dns resolver - see for filtering based on dns

sudo apt-get install nghttp2 redis-server jq

cp -p /etc/nghttpx/nghttpx.conf /etc/nghttpx/nghttpx.conf.save

cat>/etc/nghttpx/nghttpx.conf <<\EOF
frontend=127.0.0.1,3000;no-tls
backend=categorify.org,443;;tls
errorlog-syslog=no
backend-keep-alive-timeout=300
#insecure=yes
workers=1
EOF

# or old configuration file for ubuntu xenial
cat>/etc/nghttpx/nghttpx.conf <<\EOF
frontend=127.0.0.1,3000
backend=categorify.org,443
frontend-no-tls=yes
backend-no-tls=no
errorlog-syslog=yes
#insecure=yes
backend-keep-alive-timeout=300
http2-bridge=yes
workers=1
EOF

# nghttpx is used to keep an opened HTTP2 session to categorify.org
# it speeds up the queries to the API

systemctl restart nghttpx.service
systemctl enable nghttpx.service

PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1)
mkdir /etc/webfilter-ng
echo $PASSWORD>/etc/webfilter-ng/redis-password
chmod 600 /etc/webfilter-ng/redis-password
systemctl restart redis-server.service
systemctl enable redis-server.service
redis-cli CONFIG SET requirepass $PASSWORD

make dns_categorify

make install

For filtering based on squidGuard

make squidguard

make install

For filtering based on whitelist / blacklist

make list

make install

Create whitelist or blacklist file in /etc/webfilter-ng/ . Note that whitelist and blacklist files cannot be used at the same time.

/etc/webfilter-ng/blacklist or /etc/webfilter-ng/whitelist

and add one domain per line. Do not add url such https://domain.com or https://domain.com/page.html. Examples :

www.facebook.com
*facebook.com
*.facebook.com

For all options, set up lists

On a router/gateway that filters trafic (LANINTF is the internal interface - eth0...):

iptables -A FORWARD -i LANINTF -o LANINTF -p tcp -j ACCEPT
#Google-QUIC protocol is a work-in-progress protocol that is used by Google for their websites. 
#It is currently recognized by webfilter-ng but future evolution of the protocol might break the support.
#IETF standard QUIC protocol, which is different from Google-QUIC, is currently not filtered.
#Use the following if you want to test support for Google-QUIC and leave IETF-QUIC unfiltered :
#iptables -A FORWARD -i LANINTF -p udp -m udp -j NFQUEUE --queue-num 200
iptables -A OUTPUT -p udp -m udp --dport 443 -j DROP
iptables -A FORWARD -i LANINTF -p tcp -m tcp -j NFQUEUE --queue-num 200
iptables-save > /etc/iptables/rules.v4
systemctl start netfilter-persistent.service
systemctl enable netfilter-persistent.service

Add the following if you use dns based filtering to redirect all dns requests to you router dns resolver. IP_OF_LANINTF is the IP of LANINTF. Otherwise, usage of specific dns settings (not learnt by DHCP) on client would drop majority of traffic.

iptables -t nat -A PREROUTING -i LANINTF -p udp -m udp --dport 53 -j DNAT --to-destination IP_OF_LANINTF
iptables-save > /etc/iptables/rules.v4
systemctl restart netfilter-persistent.service

On a linux computer (not a router/gateway) :

#Google-QUIC protocol support is experimemental. Use the following if you want to test it :
#iptables -A OUTPUT -p udp -m udp --dport 443 -j NFQUEUE --queue-num 200
iptables -A OUTPUT -p udp -m udp --dport 443 -j DROP
iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 200
iptables-save > /etc/iptables/rules.v4
systemctl start netfilter-persistent.service
systemctl enable netfilter-persistent.service

Add the following if you use dns based filtering to redirect all dns requests to you local dns resolver. EXTERNAL_DNS_IP is the IP of external dns configured in dns server. Otherwise, usage of specific dns settings (not learnt by DHCP) on client would drop majority of traffic.

iptables -t nat -A OUTPUT -d EXTERNAL_DNS_IP -p udp -m udp --dport 53 -j DNAT --to-destination EXTERNAL_DNS_IP
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables-save > /etc/iptables/rules.v4
systemctl restart netfilter-persistent.service

On a linux computer or router, make sure to disable IPv6 as it is not yet supported.

ip6tables -I FORWARD -i LANINTF -j REJECT
ip6tables-save > /etc/iptables/rules.v6
systemctl restart netfilter-persistent.service

Logs

Logs are available at : /var/log/webfilter-ng

Testing

It is recommanded to test installation with a command line tool to avoid getting malware or seeing unwanted content : curl -v -L http://something.com

Work inspired by

Thank you to the people that worked on the following project :

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].