Adblocking for B3
I want to set up network-wide ad-blocking using B3. I was planning on using the following guide: http://sfxpt.wordpress.com/2011/02/21/t ... ng-method/
I need some additional information about bubba-specific configuration to make it work.
I would like to make pixelserv listen on an IP alias of eth1 (my b3 runs in router/fw/fileserver mode). Two issues:
- how to configure the network so I don't break b3's scripts, and they don't break my setup? (simplest way is to edit /etc/networking/interfaces, but will it work with scripts?)
- how to change webserver config, so it doesn't bind on all addresses?
Re: Adblocking for B3
That's not really a howto, since you're not offering a solution but asking for one.
1. The scripts are actually quite robust. I've not yet experienced any reset or disappearing of content that is not recognized/controlled by the script.
2. That's a tricky one. I myself do not like that binding to all interfaces anyway, so I went to length to make sure my own web configuration gets precedence over the default one. That won't help you here though, unless you will be using apache as a proxy for pixelserv. The best approach in my opinion is to use the firewall and add a DNAT rule for port 80 on your secondary eth1 address, e.g. forward it to port 8080 where you will be running pixelserv.
Code:
iptables -t nat -A PREROUTING -i eth1 -d <second IP> -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
Re: Adblocking for B3
You're right, somehow I haven't thought of that.
As for Howto - once I'm done, I'll write that down here - hope that's OK
Re: Adblocking for B3
Come to think about it, with that rule the IP you're referencing doesn't even need to actually exist.
Makes me wonder if using ipsets wouldn't give better performance
Re: Adblocking for B3
All right, so here we go - based on http://sfxpt.wordpress.com/2011/02/21/t ... ng-method/, with some minor modifications.
Gordon, you can't use the same IP address (at least in my method), cause DNS server will not tell you port of the connection - so the iptables rule will prevent you from accessing b3's own webserver.
Let's assume that 192.168.1.1 is your LAN interface address. Pixelserv will be listening on port 8080.
0. Add interface alias to eth1 - this is how /etc/network/interfaces file looks on my system:
Code:
iface eth0 inet dhcp
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
auto eth1:0
iface eth1:0 inet static
    address 192.168.1.254
    netmask 255.255.255.0
auto lo
iface lo inet loopback
Bring up the additional interface:
Code:
ifup eth1:0
1. Download pixelserv script:
Code:
LISTEN_ADDRESS=192.168.1.254
LISTEN_PORT=8080
Code:
cd /usr/local/bin/
# Fetch the script, keep an unmodified copy in /tmp/pixelserv, and replace
# the listen address and the first "80" on each line with the values set above
curl http://proxytunnel.sourceforge.net/files/pixelserv.pl.txt | tee /tmp/pixelserv | sed "s/0\.0\.0\.0/$LISTEN_ADDRESS/" | sed "s/80/$LISTEN_PORT/" > pixelserv
chmod 755 pixelserv
2. Create init script: /etc/init.d/pixelserv
Code:
#!/bin/sh
# /etc/init.d/pixelserv
#
### BEGIN INIT INFO
# Provides: pixelserv
# Required-Start: $remote_fs
# Required-Stop: $all
# Should-Start: $remote_fs
# Should-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Startup script for PixelServ
# Description: PixelServ provides 1x1 gif for ad blocking
### END INIT INFO
# Carry out specific functions when asked to by the system
case "$1" in
    start)
        echo "Starting pixelserv "
        /usr/local/bin/pixelserv &
        ;;
    stop)
        echo "Stopping script pixelserv"
        killall pixelserv
        ;;
    *)
        echo "Usage: /etc/init.d/pixelserv {start|stop}"
        exit 1
        ;;
esac
exit 0
Code:
chmod 755 /etc/init.d/pixelserv
update-rc.d pixelserv defaults
3. Create script to download&prepare list of ad servers - /usr/local/bin/get-ad-block-list.sh
Code:
#!/bin/sh
# Download the DNSmasq formatted ad block list
curl "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" | sed "s/127\.0\.0\.1/192.168.1.254/" > /etc/dnsmasq.adblock.conf
# Restart DNSmasq
/etc/init.d/dnsmasq restart
Note: to block customer servers, add the following before "# Restart DNSmasq":
Code:
echo "address=/NAME_OF_AD_SERVER/192.168.1.254" >> /etc/dnsmasq.adblock.conf
Code:
chmod -v 755 /usr/local/bin/get-ad-block-list.sh
4. Add custom config to DNSmasq config file:
Code:
echo "conf-file=/etc/dnsmasq.adblock.conf" >> /etc/dnsmasq.conf
5. Add custom iptables rule to test if all is fine:
Code:
iptables -t nat -A PREROUTING -i eth1 -d 192.168.1.254 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.254:8080
Now is the time to test. Try accessing some site that should have ads - now they (ads) shouldn't be there. If that's the case:
6. Add script link to cron, so ad server list is updated daily:
Code:
ln -s /usr/local/bin/get-ad-block-list.sh /etc/cron.daily/get-ad-block-list
7. Save iptables rule in your config:
Code:
iptables-save >/etc/network/firewall.conf
Disclaimer:
I'm not sure if those settings persist between reloads (esp. interface settings) - currently I can't reload b3 (due to other family members using the connection), so I'll be grateful for all updates other people can make to this howto.
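Step 3 of the howto above writes a list fetched over plain HTTP, as root, into a file that dnsmasq loads as configuration. The following is an added example, not part of the post or of the linked guide: it keeps only lines of the form address=/<hostname>/127.0.0.1 before rewriting them and leaves the old list in place when too few entries survive. The function names, the sample lines, LIST_URL and the minimum-entry threshold are assumptions.

```shell
#!/bin/sh
# Added example: validate a downloaded dnsmasq ad list before installing it.

# filter_adblock_list SINK < raw_list
# Keeps only lines of the exact form address=/<hostname>/127.0.0.1 and
# points them at SINK; other directives, other IPs and error pages are dropped.
filter_adblock_list() {
    sink=$1
    LC_ALL=C grep -E '^address=/[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?/127\.0\.0\.1$' |
        sed "s|/127\.0\.0\.1\$|/$sink|"
}

# install_adblock_list RAW DEST SINK MIN
# Replaces DEST only if at least MIN entries survive filtering. The temp
# file plus mv means dnsmasq never loads an empty or half-written list.
install_adblock_list() {
    raw=$1; dest=$2; sink=$3; min=$4
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    filter_adblock_list "$sink" < "$raw" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "only $count valid entries, keeping the old list" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$dest"
}

# Constructed sample download: two valid entries and four lines that must
# never reach dnsmasq's configuration.
write_sample() {
    cat > "$1" <<'EOF'
address=/ads.example.com/127.0.0.1
address=/tracker.example.net/127.0.0.1
server=/example.org/203.0.113.5
address=/bank.example/198.51.100.7
conf-file=/tmp/other.conf
<html><body>503 Service Unavailable</body></html>
EOF
}

# In get-ad-block-list.sh (LIST_URL and the threshold 100 are assumptions):
#   raw=$(mktemp) && curl -fsS "$LIST_URL" > "$raw" &&
#   install_adblock_list "$raw" /etc/dnsmasq.adblock.conf 192.168.1.254 100 &&
#   /etc/init.d/dnsmasq restart
```
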
Re: Adblocking for B3
stasheck wrote:
All right, so here we go - based on http://sfxpt.wordpress.com/2011/02/21/t ... ng-method/, with some minor modifications.
Gordon, you can't use the same IP address (at least in my method), cause DNS server will not tell you port of the connection - so the iptables rule will prevent you from accessing b3's own webserver.

Actually you can, because the listen address for pixelserv does not necessarily need to be the same as the one you feed to DNSmasq. For the iptables PREROUTING method it makes no difference whether you change the target address or the target port or both.
Therefore in step 1 you can state:
Code:
LISTEN_ADDRESS=192.168.1.1
Code:
LISTEN_ADDRESS=127.0.0.1
Also, for the iptables rule to be implemented, all that is required is that the affected packages reach the B3. Apart from intentionally targeting the B3 itself, this also happens if the target address is outside of the local range and the B3 is the router that you need to pass to get there.
So in step #3 you could do (using 10.10.10.10 as target):
Code:
#!/bin/sh
# Download the DNSmasq formatted ad block list
curl "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" | sed "s/127\.0\.0\.1/10.10.10.10/" > /etc/dnsmasq.adblock.conf
# Restart DNSmasq
/etc/init.d/dnsmasq restart
Code:
echo "address=/NAME_OF_AD_SERVER/10.10.10.10" >> /etc/dnsmasq.adblock.conf
Code:
iptables -t nat -A PREROUTING -i eth1 -d 10.10.10.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
BTW, the B3 does not rewrite config files when booting. There's one however that gets overwritten with the current system state during shutdown and that's the firewall settings - which is something you do not want to happen in case you made an error and shut yourself out.