From: Chris on 11 Nov 2009 09:10

Folderol wrote:
> On Tue, 10 Nov 2009 19:27:44 +0100
> Tony van der Hoff <tony(a)nospam.vanderhoff.org> wrote:
>
>> Martin wrote:
>> > On Tue, 10 Nov 2009 00:22:48 +0000, Whiskers
>> > <catwheezel(a)operamail.com> wrote:
>> >
>> >> On 2009-11-09, Simon J. Rowe <srowe(a)mose.org.uk> wrote:
>> >>> My darling children are very good at burning my 20Gb bandwidth
>> >>> limit in a week. I've dealt with youtube by redirecting
>> >>> youtube.com in my DNS cache but iPlayer is proving more
>> >>> difficult.
>> >>>
>> >>> Anyone got a suggestion how I can limit access?
>> >>> Simon
>> >> Add http://www.bbc.co.uk/iplayer/ to your hosts file or
>> >> firewall or your router's 'block' settings?
>> >
>> > or get a non UK IP address and the BBC will do the rest.
>>
>> This seems to me a most extraordinary thread.
>>
>> How about explaining the situation to your kids, and instructing
>> them not to use iPlayer unless you're monitoring them?
>
> Very much my thoughts.
>
> Somehow, when my father told us kids not to do something we knew
> that we'd better not do it!

Plus, charging them for the excess bandwidth costs. If they're old enough to have pocket-money etc.

-- 
The email address is a spam trap. I rarely use it.
From: Darren Salt on 11 Nov 2009 12:47

I demand that Chris Davies may or may not have written...

> Geoffrey Clements <geoffrey.clementsNO(a)spambaesystems.com> wrote:
>> I remember looking into this a few years back and the combination of
>> squid and dansguardian looked promising.

> Yes, it would work.

>> However I was never sure how I would stop squid from being redirected to
>> itself.

> It gets rather complicated if you have the browser on the same machine as
> squid. The ideal situation is that your browser on a PC (somewhere) is
> required to use a web proxy on your bastion server. The bastion trusts
> itself but blocks all 80/443 traffic from any other device.

Something like this would do (in general):

iptables -t mangle -N tproxy

# Catch outgoing connections on 80/tcp (network, unless from ppp0)
iptables -t mangle -A PREROUTING ! -i ppp0 -p tcp --syn --dport 80 -j tproxy

# Users whose HTTP traffic should not be proxied
iptables -t mangle -A OUTPUT -m owner --uid-owner $(id -u proxy) -j RETURN # already proxied

# Catch new outgoing connections on 80/tcp (this host)
iptables -t mangle -A OUTPUT -p tcp --syn --dport 80 -j tproxy

# Destinations for which HTTP traffic should not be proxied
# iptables -t mangle -A tproxy -d 127.0.0.0/8 -j RETURN

# Anything which gets this far is to be proxied
iptables -t mangle -A tproxy -j MARK --set-mark=1

# Send to the proxy
iptables -t nat -A PREROUTING -m mark -p tcp --mark 1 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -m mark -p tcp --mark 1 -j REDIRECT --to-ports 3128

>> The other problem is that *I* don't want to use the proxy and AFAIK
>> there's no way to identify users in iptables.

> If you're running the browser on the bastion box itself, there's
> --uid-owner and --gid-owner, but I have a feeling they are deprecated.

That would be silly: you need to be able to avoid self-proxying the proxy.

[snip]

-- 
| Darren Salt    | linux at youmustbejoking | nr. Ashington,
| Doon           | using Debian GNU/Linux   | or ds ,demon,co,uk
| Northumberland | Army                     | + http://www.xine-project.org/

Never ask a question unless the answer makes a difference.
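The rule set above is easy to get subtly wrong, and the failure mode is the one the thread circles around: if squid's own upstream fetches (running as user "proxy") hit the OUTPUT rule, they are redirected back into squid on port 3128 and loop. The following decision model is an added example, not Darren's code or anything from squid: it simulates what the mangle and nat rules decide for a single new TCP connection, so the two exemptions (packets arriving on ppp0, and locally generated packets owned by the proxy uid) can be checked without loading the rules into a kernel. Assumed values not taken from the thread: the "proxy" user has uid 13, the LAN interface is eth0, the destination addresses are constructed TEST-NET-3 addresses, and the commented-out 127.0.0.0/8 RETURN is modelled as a switch that defaults to off, as on the page.

```python
"""Decision model for the transparent-proxy iptables rules posted above.

Added example (not the poster's code): evaluates, for one new TCP connection,
the mangle-table marking and the nat-table REDIRECT exactly as the posted rules
order them. Assumptions: uid 13 for the 'proxy' user, eth0 as LAN interface,
constructed 203.0.113.x destinations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROXY_UID = 13            # assumed result of $(id -u proxy)
PROXY_PORT = 3128         # --to-ports 3128 in the nat rules
UPLINK_IF = "ppp0"        # the interface excluded by '! -i ppp0'
LOOPBACK = ip_network("127.0.0.0/8")


@dataclass
class Conn:
    """One new TCP connection (the SYN). in_if is None for locally generated traffic."""
    dst: str
    dport: int
    in_if: Optional[str] = None
    uid: Optional[int] = None     # socket owner; only meaningful when in_if is None
    proto: str = "tcp"


def tproxy_chain(c: Conn, exempt_loopback: bool) -> bool:
    """User chain 'tproxy': True means the packet receives MARK --set-mark=1."""
    if exempt_loopback and ip_address(c.dst) in LOOPBACK:
        return False              # the RETURN rule that is commented out on the page
    return True                   # 'Anything which gets this far is to be proxied'


def mangle(c: Conn, exempt_proxy_uid: bool = True, exempt_loopback: bool = False) -> bool:
    """mangle table: PREROUTING for traffic from the LAN, OUTPUT for this host's own."""
    if c.in_if is not None:                           # PREROUTING
        if c.in_if == UPLINK_IF:
            return False                              # '! -i ppp0' does not match
        if c.proto == "tcp" and c.dport == 80:
            return tproxy_chain(c, exempt_loopback)
        return False
    # OUTPUT: the owner RETURN is listed first, so the proxy's own fetches never
    # reach the --dport 80 rule; drop that RETURN and they are marked like any other
    if exempt_proxy_uid and c.uid == PROXY_UID:
        return False
    if c.proto == "tcp" and c.dport == 80:
        return tproxy_chain(c, exempt_loopback)
    return False


def redirect_port(c: Conn, **opts) -> Optional[int]:
    """nat table: a TCP packet carrying mark 1 is REDIRECTed to the proxy port."""
    marked = mangle(c, **opts)
    return PROXY_PORT if marked and c.proto == "tcp" else None


def proxy_would_loop(**opts) -> bool:
    """True if squid's own upstream fetch (uid proxy, dport 80) is sent back to squid."""
    upstream = Conn(dst="203.0.113.10", dport=80, uid=PROXY_UID)   # constructed address
    return redirect_port(upstream, **opts) == PROXY_PORT


if __name__ == "__main__":
    lan_client = Conn(dst="203.0.113.10", dport=80, in_if="eth0")
    print("LAN client port 80 ->", redirect_port(lan_client))
    print("proxy loops with the uid RETURN?", proxy_would_loop())
    print("proxy loops without it?", proxy_would_loop(exempt_proxy_uid=False))
```

Two things the model makes visible that the rule listing does not state outright: removing the `--uid-owner` RETURN is what turns the proxy's own fetches into a loop, which is why a uid-based exemption is essential when the browser and the proxy share a host; and because only `--dport 80` is caught, a connection on port 443 from the LAN passes through untouched, so the rules alone do not give the "blocks all 80/443 traffic" that the quoted paragraph describes.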
From: Geoff Clements on 11 Nov 2009 15:20

Darren Salt wrote:
[snip useful iptables rules]

ooo - thank-you Darren!

It's always so long between looking at iptables rules that I have to re-learn it every time - especially what you should and shouldn't do with all the different tables.

I tend to lean heavily on http://iptables.rlworkman.net/iptables-tutorial.html

-- 
Geoff
From: Chris Davies on 11 Nov 2009 17:27

I wrote:
>> If you're running the browser on the bastion box itself, there's
>> --uid-owner and --gid-owner, but I have a feeling they are deprecated.

Darren Salt <news(a)youmustbejoking.demon.cu.invalid> wrote:
> That would be silly: you need to be able to avoid self-proxying the proxy.

In order to do that one would need to differentiate the UID under which the proxy was running and the UID under which the user was running the browser. Hence the suggestion for --uid-owner.

Chris
From: Darren Salt on 11 Nov 2009 20:02

I demand that Chris Davies may or may not have written...

> I wrote:
>>> If you're running the browser on the bastion box itself, there's
>>> --uid-owner and --gid-owner, but I have a feeling they are deprecated.

> Darren Salt <news(a)youmustbejoking.demon.cu.invalid> wrote:
>> That would be silly: you need to be able to avoid self-proxying the proxy.

> In order to do that one would need to differentiate the UID under which the
> proxy was running and the UID under which the user was running the browser.
> Hence the suggestion for --uid-owner.

Yes. But you _did_ mention deprecation, and it's _that_ which would be silly. Evidently I was mistaken in my belief that that was sufficiently clear...

-- 
| Darren Salt    | linux at youmustbejoking | nr. Ashington,
| Doon           | using Debian GNU/Linux   | or ds ,demon,co,uk
| Northumberland | Army                     | + http://www.youmustbejoking.demon.co.uk/ & http://tlasd.wordpress.com/

Your aim is high and to the right.