I'm trying to block Google Feud on a Firewall/Proxy (Transparent Mode), but it seems a difficult task to accomplish.

I have some configurations for this task:

  • ACL rules, blocking access to the domain *.googlefeud.com and blocking the string googlefeud in every requested URI
  • Firewall rules, blocking the IP addresses related to the DNS name www.googlefeud.com, configured directly on the mangle table (although this is not right, dropping packets on this table)

With this configuration, I just wanted to make sure that any packet with this destination would not reach Squid at all, as a matter of reinforcement.

DNS

$ dig +short www.googlefeud.com
104.27.190.2
104.27.191.2

IPTABLES

-A PREROUTING -d 104.27.190.2 -j DROP
-A PREROUTING -d 104.27.191.2 -j DROP
When using a web browser:

  • Non Private Navigation: the request is performed and the page is loaded (you can even play Google Feud normally)
  • Private Navigation: the page is not loaded and the web browser reports that it was not possible to attend the request (IPTABLES rules doing their work)

The situation is very similar if I remove the IPTABLES rules (just letting Squid do its job):

  • Non Private Navigation: the request is performed and the page is loaded (you can even play Google Feud normally)
  • Private Navigation: the error page from Squid is loaded, informing that it was not possible to attend the request, due to restrictions configured on the Proxy for this content


And here's the page loaded on Non Private Navigation.

Neither iptables nor squid has blocked the requests.

On tcpdump, it seems that the traffic for both IP addresses is flowing normally too.

192.168.0.12.58340 > 104.27.191.2.http: Flags [S], cksum 0xc989 (correct), seq 3360743156, win 29200, options [mss 1460,sackOK,TS val 5871808 ecr 0,nop,wscale 7], length 0
192.168.0.12.58342 > 104.27.191.2.http: Flags [S], cksum 0xb75a (correct), seq 2588221213, win 29200, options [mss 1460,sackOK,TS val 5871824 ecr 0,nop,wscale 7], length 0
192.168.0.12.58344 > 104.27.191.2.http: Flags [S], cksum 0xbb88 (correct), seq 1534482860, win 29200, options [mss 1460,sackOK,TS val 5871840 ecr 0,nop,wscale 7], length 0
192.168.0.12.58346 > 104.27.191.2.http: Flags [S], cksum 0x1e70 (correct), seq 1830937879, win 29200, options [mss 1460,sackOK,TS val 5871840 ecr 0,nop,wscale 7], length 0
192.168.0.12.58348 > 104.27.191.2.http: Flags [S], cksum 0x0ccc (correct), seq 4159269793, win 29200, options [mss 1460,sackOK,TS val 5871920 ecr 0,nop,wscale 7], length 0
192.168.0.12.56568 > 104.27.190.2.http: Flags [S], cksum 0x8bd9 (correct), seq 1399822194, win 29200, options [mss 1460,sackOK,TS val 5872320 ecr 0,nop,wscale 7], length 0

  • How could that be possible, with such rules configured at the mangle table (before nat and filter), blocking these IPs? I have tried to block these addresses at the filter table, and it didn't work. That is why I decided to move the rules to the mangle table.

It seems that there's something tricky regarding the Browser not being in Private Mode.

I observed that googlefeud.com stores two cookies, but I have to admit that I don't have any idea whether these cookies have any impact on this situation.

This situation is really weird. I'm really curious about how this could be possible...

Any help in this challenge is much appreciated.

ivanleoncz

  • That tcpdump output does not show "normal" traffic. It shows repeated SYN requests, what you would expect when the outgoing traffic is being dropped. There was no response from the other end. As for squid, you haven't shown anything in the squid configuration, so we can't really be sure that that's configured correctly. – Michael Hampton Apr 11 '18 at 21:34
  • The page is loaded when navigating with a browser in Non Private Navigation mode. If I remove the IPTABLES rules, the traffic hits the Proxy, and I have experimented with this by using Private Navigation (as well), and the Squid error page informed me that the request to the site has been blocked by it. So, at a first glance, without observing the configuration file, Squid is doing its job. Do you have any idea about how a web browser in Non Private Navigation could bypass Firewall and Proxy rules, for this specific case? – ivanleoncz Apr 11 '18 at 22:49
  • It doesn't and it isn't bypassing it and you haven't provided any evidence that it is. In fact you have provided evidence to the contrary with your tcpdump output. Clear your browser cache. – Appleoddity Apr 12 '18 at 04:59
  • You were right about "clear your browser cache": thank you very much for pointing out something so important :). And sorry, you're wrong about "It doesn't", 'cause, indeed, with a cache present on the browser, I was able to load the page (cache) and play Google Feud normally (?). How was the cache influencing this, despite the presence of very strict firewall rules (at the `mangle` table) preventing traffic from reaching `squid`, also with rules for blocking access to `googlefeud.com`? Well, it's a mystery. Can you please post your comment "clear your browser cache" as an answer :)? – ivanleoncz Apr 12 '18 at 15:28
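The reading of the capture given in the comments (repeated SYNs, nothing coming back, i.e. the DROP rules working) can be checked mechanically. The script below is an added example, not part of the question or its comments: it parses tcpdump lines in the default `SRC.SPORT > DST.DPORT: Flags [..]` shape, using an abridged copy of the capture above plus one constructed healthy handshake (TEST-NET-3 address) for contrast, and reports per destination whether the server ever answered.

```python
import re
from collections import defaultdict

# Endpoint/flags part of a tcpdump TCP line: "SRC.SPORT > DST.DPORT: Flags [S], ..."
LINE_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

# Abridged from the capture in the question: six client SYNs, nothing back.
PAGE_CAPTURE = [
    "192.168.0.12.58340 > 104.27.191.2.http: Flags [S], seq 3360743156, length 0",
    "192.168.0.12.58342 > 104.27.191.2.http: Flags [S], seq 2588221213, length 0",
    "192.168.0.12.58344 > 104.27.191.2.http: Flags [S], seq 1534482860, length 0",
    "192.168.0.12.58346 > 104.27.191.2.http: Flags [S], seq 1830937879, length 0",
    "192.168.0.12.58348 > 104.27.191.2.http: Flags [S], seq 4159269793, length 0",
    "192.168.0.12.56568 > 104.27.190.2.http: Flags [S], seq 1399822194, length 0",
]
# Constructed for contrast (TEST-NET-3 address): a handshake that completes.
CONSTRUCTED_HEALTHY = [
    "192.168.0.12.40000 > 203.0.113.10.http: Flags [S], seq 1, length 0",
    "203.0.113.10.http > 192.168.0.12.40000: Flags [S.], seq 100, ack 2, length 0",
    "192.168.0.12.40000 > 203.0.113.10.http: Flags [.], ack 101, length 0",
]

def parse_line(line):
    """Return (src, dst, flags) for a tcpdump TCP line, or None for anything else."""
    m = LINE_RE.search(line)
    return (m["src"], m["dst"], m["flags"]) if m else None

def classify_flows(lines):
    """Judge every server IP that received a SYN: 'dropped' if only client SYNs
    were seen and nothing ever came back (what a DROP rule on the path looks like
    on the wire; note each SYN here uses a fresh source port, so these are new
    attempts, not one socket retrying), 'established' if the server replied."""
    packets = [p for p in map(parse_line, lines) if p]
    stats = defaultdict(lambda: {"syn": 0, "replies": 0})
    for _src, dst, flags in packets:          # pass 1: collect SYN destinations
        if flags == "S":
            stats[dst]["syn"] += 1
    for src, _dst, flags in packets:          # pass 2: anything those servers sent
        if src in stats and flags != "S":
            stats[src]["replies"] += 1
    for s in stats.values():
        s["verdict"] = "established" if s["replies"] else "dropped"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in classify_flows(PAGE_CAPTURE + CONSTRUCTED_HEALTHY).items():
        print(f"{ip:15} syn={s['syn']} replies={s['replies']} -> {s['verdict']}")
```

Both googlefeud.com addresses come out as `dropped`, which matches the comment's point: the browser was serving the page from its cache, not through the firewall.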
