xt_tls is an extension for netfilter/IPtables that allows you to filter traffic based on TLS hostnames.
- Filter TLS traffic based on the SNI extension
- Add more advanced matching features (i.e. wildcard matching)
- Add support for matching on the server certificate
- Kernel headers (
apt install linux-headers-$(uname -r))
- IPtables devel (
apt install iptables-dev)
- Glob kernel module
- Netfilter defrag modules: nf_defrag_ipv4 and nf_defrag_ipv6
git clone https://github.com/Lochnair/xt_tls.git cd xt_tls make sudo make install
- DKMS (
apt install dkms)
git clone https://github.com/Lochnair/xt_tls.git cd xt_tls sudo make dkms-install
You can block traffic to Facebook using the following command.
sudo iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "www.facebook.com" -j DROP
You can also match subdomains using wildcards like this.
sudo iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "\*.googlevideo.com" -j DROP
If you encounter a bug please make sure to include the following things in your bug report:
- The application used for sending the request
- The domain your trying to allow/block - Debug output (see the debugging section below)
- If possible, a TCPDump capture containing the TLS "Client/Server Hello's"
Since xt_tls is not thoroughly tested, sometimes weird things happen. This might be caused by an application that sends packets xt_tls can't parse. For example cURL and wget (or the TLS libary they use) doesn't send a session ID in the "Client Hello", and xt_tls didn't understand that, so I had to change some things to make it work.
By default xt_tls doesn't print anything to the syslog, as there seems to be quite some overhead in doing that. However you can enable debug output by compiling xt_tls like below.
If you've sent a TLS request, you can now use dmesg to see if everything works as expected.
dmesg [ 2013.959415] [xt_tls] Session ID length: 32 [ 2013.974006] [xt_tls] Cipher len: 42 [ 2013.974292] [xt_tls] Offset (1): 119 [ 2013.974583] [xt_tls] Compression length: 1 [ 2013.974915] [xt_tls] Offset (2): 122 [ 2013.975211] [xt_tls] Extensions length: 38 [ 2013.977016] [xt_tls] Name type: 0 [ 2013.977675] [xt_tls] Name length: 10 [ 2013.978664] [xt_tls] Parsed domain: github.com [ 2013.979068] [xt_tls] Domain matches: false, invert: false
I would like to thank the people behind the nDPI project, as the parsing function is inspired by their work.