gibbon4ik/xt_tlslist
xt_tlslist

xt_tlslist is an extension for netfilter/IPtables that allows you to filter traffic based on TLS hostnames. It is based on https://github.com/Lochnair/xt_tls.git.

Features

  • Filter TLS traffic based on the SNI extension

Todo

  • Add more advanced matching features (i.e. wildcard matching)
  • Add support for matching on the server certificate

Manual Installation

Prerequisites

  • Kernel headers (apt install linux-headers-$(uname -r) or yum install kernel-devel)
  • IPtables devel (apt install iptables-dev or yum install iptables-devel)
  • Glob kernel module
  • Netfilter defrag modules: nf_defrag_ipv4 and nf_defrag_ipv6

git clone https://github.com/gibbon4ik/xt_tlslist.git
cd xt_tlslist
make
sudo make install

DKMS Installation

Additional Prerequisites

  • DKMS (apt install dkms or yum install dkms (from EPEL))

git clone https://github.com/gibbon4ik/xt_tlslist.git
cd xt_tlslist
sudo make dkms-install

Usage

You can block traffic to Facebook using the following command (the square brackets mark the optional --tls-subdomains flag, described below):

sudo iptables -A OUTPUT -p tcp --dport 443 -m tlslist [--tls-subdomains] -j REJECT --reject-with tcp-reset

Then add the domain to the list by writing to /proc/tlsdomains:

echo "+www.facebook.com" >/proc/tlsdomains

Delete a domain from the list:

echo "-www.facebook.com" >/proc/tlsdomains

Flush all domains from the list:

echo "/" >/proc/tlsdomains

The --tls-subdomains option allows blocking a domain together with its subdomains. Adding the entry ".facebook.com" to the list blocks facebook.com and all subdomains *.facebook.com:

echo "+.facebook.com" >/proc/tlsdomains

Bugs

If you encounter a bug please make sure to include the following things in your bug report:

  • The application used for sending the request
  • The domain you're trying to allow/block
  • Debug output (see the debugging section below)
  • If possible, a TCPDump capture containing the TLS "Client/Server Hello's"

Debugging

Since xt_tlslist is not thoroughly tested, sometimes weird things happen. This might be caused by an application that sends packets xt_tlslist can't parse. For example cURL and wget (or the TLS library they use) don't send a session ID in the "Client Hello", and xt_tlslist didn't understand that, so I had to change some things to make it work.

By default xt_tlslist doesn't print anything to the syslog, as there seems to be quite some overhead in doing that. However, you can enable debug output by compiling xt_tlslist as below:

make debug

If you have sent a TLS request, you can now use dmesg to check that everything works as expected:

dmesg

[ 2013.959415] [xt_tlslist] Session ID length: 32
[ 2013.974006] [xt_tlslist] Cipher len: 42
[ 2013.974292] [xt_tlslist] Offset (1): 119
[ 2013.974583] [xt_tlslist] Compression length: 1
[ 2013.974915] [xt_tlslist] Offset (2): 122
[ 2013.975211] [xt_tlslist] Extensions length: 38
[ 2013.977016] [xt_tlslist] Name type: 0
[ 2013.977675] [xt_tlslist] Name length: 10
[ 2013.978664] [xt_tlslist] Parsed domain: github.com
[ 2013.979068] [xt_tlslist] Domain matches: false, invert: false
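The fields the debug log walks (session ID, cipher suites, compression methods, extensions, server_name) and the list semantics from the Usage section, as an added userspace illustration in Python. This is not the module's own code: the ClientHello is constructed with the same field sizes as the dmesg output above, and the matcher's exact/".domain" behaviour is assumed from the README's description of --tls-subdomains.

```python
import struct


def parse_sni(pkt: bytes):
    """Return host_name from a ClientHello's server_name extension, or None if absent/malformed."""
    try:
        if pkt[0] != 0x16 or pkt[5] != 0x01:        # TLS handshake record carrying a ClientHello
            return None
        off = 43                                     # record hdr 5 + hs hdr 4 + version 2 + random 32
        off += 1 + pkt[off]                          # session ID; length 0 for clients such as cURL/wget
        off += 2 + struct.unpack_from("!H", pkt, off)[0]   # cipher suites
        off += 1 + pkt[off]                          # compression methods
        end = off + 2 + struct.unpack_from("!H", pkt, off)[0]
        off += 2
        while off + 4 <= end <= len(pkt):            # walk extensions without reading past the record
            etype, elen = struct.unpack_from("!HH", pkt, off)
            off += 4
            if etype == 0 and pkt[off + 2] == 0:     # server_name, name type 0 = host_name
                nlen = struct.unpack_from("!H", pkt, off + 3)[0]
                if off + 5 + nlen <= end:
                    return pkt[off + 5:off + 5 + nlen].decode("ascii")
                return None
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def matches(host, domains, subdomains=False):
    """Assumed semantics: exact match, or with --tls-subdomains an entry '.x' matches x and any *.x."""
    if host is None:                                 # no parsable SNI: nothing to match
        return False
    host = host.lower().rstrip(".")                  # assumption: case-insensitive, trailing dot ignored
    for d in domains:
        if subdomains and d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def build_client_hello(host: bytes, session_id: bytes = b"\x22" * 32) -> bytes:
    """Constructed sample (not a capture): 21 cipher suites (42 bytes), one compression method,
    a 15-byte padding extension, then server_name; same field sizes as the dmesg output above."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x0015, 15) + b"\0" * 15 + struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 42) + b"\x00\x2f" * 21 + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Passing an empty session_id reproduces the cURL/wget case mentioned above; a truncated record yields None rather than a partial hostname.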

Credits

I would like to thank the people behind the nDPI project, as the parsing function is inspired by their work.
