
Although I have enabled the pop-up blocker in Firefox, there are many websites that are able to circumvent this feature (for example movie streaming sites like kinox.to). My question is not really about how I can install some new pop-up blocker, but to learn how this works. I'm currently digging into iptables, NAT etc. and I wonder how, for example, kinox.to (IP: 104.28.20.67) is able to launch a pop-up window from meinkino.to (IP: 104.31.218.57).

Is it possible to configure iptables in a way that such incoming connections are blocked? And why can a different website initiate a connection from the outside of my NAT device? I thought this can't happen (for example in Skype you need a rendezvous server, so you can initiate a connection to someone behind a NAT).

ph0t3k

2 Answers


Is it possible to configure iptables in a way that such incoming connections are blocked?

When browsing the web there are no incoming connections. All connections originate locally at the browser which requests a response from a specific web server. And the HTML/script in the response then causes the popup to display. Thus any attempts to block popups must either block the browser from issuing a request to the specific site, block the request issued by the browser to reach the site or make sure that the browser does not execute the HTML/script causing the popup.

The last way, i.e. not executing the popup, is done by the code inside the browser, which usually limits the number of popups within a time and tries to make sure that a popup is somehow related to a specific action by the user, i.e. useful popups showing that the entered value is invalid or similar. But these heuristics can be tricked and thus you see unwanted popups.

Therefore it might be a better way to restrict access to sites which serve the code causing the popups. Unwanted popups are usually part of advertisement and thus an ad-blocker extension in the browser might help.

But you've asked if this can be done with iptables. Since iptables is a packet filter only, it can only filter access by IP address, port, protocol and similar metadata. In particular, it is impossible to use iptables to analyze the content of the server's response, find out if it contains popup code and maybe remove this code. Thus your only option with iptables is to block access to the site causing the popup by IP address, which means that you have to get the IP address first somehow. This might be possible in some cases since the IP addresses of advertising networks usually don't change that often. But note that sometimes a specific IP address is not only used to serve the unwanted popup but also content you actually want to access or content which is needed for properly displaying a site. Thus simply blocking access to an IP address will cause unwanted side effects on some occasions.

This makes iptables an inadequate tool for the problem you want to solve, i.e. it will work in some cases but fail in others and cause unwanted side effects. You had better use a tool which works at a higher level, like an ad-blocking extension in the browser.

Steffen Ullrich
  • I thought iptables works at the Network Layer? So every website has probably a different way to inject disturbing pop-ups? I also thought of blocking some IPs, but then I would first have to look up those IPs and probably they also change... – ph0t3k Jan 28 '17 at 14:42
  • @ph0t3k: iptables is a packet filter and works *up to* the transport layer. This means it can filter by IP address, port, protocol and similar. But it can not filter by application level information, i.e. it is unable to understand and remove the code in an HTML site which is responsible for showing the popup. Thus iptables can be used if you have the IP address of sites you want to block but, like I said, this has unwanted side effects. In summary this means that iptables is not an adequate tool for blocking popups. – Steffen Ullrich Jan 28 '17 at 14:49
  • @SteffenUllrich I think the OP was hoping to block types of incoming connections – schroeder Jan 28 '17 at 14:55
  • yes, generally any kind of incoming connections, but especially pop ups – ph0t3k Jan 28 '17 at 14:58
  • @schroeder: when browsing the web there are no incoming connections. All connections originate locally at the browser which requests a response from a specific web server. And the HTML/script in the response then causes the popup to display. Thus either specific outgoing connections to ad-networks need to be blocked (can be done inside a packet filter if the target IP address is known) or the connection should not even be started (i.e. blocked already within an ad-blocking browser extension). – Steffen Ullrich Jan 28 '17 at 14:59
  • I suspect you could use iptables for DPI if you really, truly wanted. It might not be supported out of the box (probably isn't), but you probably *could* write a custom iptables module to do it. Of course, because it would be doing *packet* inspection, you'd be very limited in the amount of analyzing you could do on the data *in context*. – user Jan 28 '17 at 22:24
  • @MichaelKjörling: your custom module would first need to do what DPI solutions do: reassemble the TCP stream to get to the HTML and script. On top of that it would actually need to understand HTML and script to find out where the popup generating code is. To neutralize this code it would need to modify the response, which of course might change the packet length but at least changes the CRC etc. Yes, in theory all of this could probably be done somehow but in practice it could probably be easily bypassed (just take HTTP compression into account). – Steffen Ullrich Jan 28 '17 at 22:37

Actually, many ad blockers do work by using a simple, long, and I'd suppose constantly updated, block list of URLs.

I have successfully blocked Google ads before by redirecting the URLs in /etc/hosts - so if you took a variety of the block lists that a few popular browser extensions are using and then wrote a shell script to convert the URLs to IP addresses which were then added as iptables rules, then I'd expect you could have some luck. But it would really clutter up your iptables rules, which could be a security risk itself.

Whether it would be as 'smooth' as an advert blocking extension I don't know, as I didn't test this. For example, perhaps the pop-ups would still appear but they'd be blank/empty windows. Not to mention you'd have to find a way to keep your own ad blocking list updated - perhaps a cron job? Also, not sure if doing all this would provide you with something you couldn't do with a browser extension... anyway...

infinite-etcetera
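As an added example that is not part of either answer: the POSIX shell script below does what both answers describe, turning a block list of hostnames, literal IPv4 addresses or hosts-file style lines ("0.0.0.0 ads.example") into iptables rules. The rules go into the OUTPUT chain, because, as the accepted answer explains, the browser initiates every connection and there is nothing incoming to filter. The chain name ADBLOCK, the use of getent(1) for resolution and the sample list in the usage comments are my assumptions, not something either answer specifies.

```shell
#!/bin/sh
# Added example, not code from either answer. Converts a block list
# (hostnames, literal IPv4 addresses, or hosts-file lines such as
# "0.0.0.0 ads.example") into iptables rules that reject the browser's
# OUTGOING connections to those addresses. Assumptions: chain name
# ADBLOCK (hypothetical) and getent(1) available for DNS lookups.

set -f                      # no globbing while we word-split list lines
CHAIN="${CHAIN:-ADBLOCK}"

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve ENTRY: print one IPv4 address per line. Literal addresses pass
# through; hostnames are looked up with getent (needs DNS; prints nothing
# if the lookup fails, so an unresolved name is simply not blocked).
resolve() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
    fi
}

# build_rules LISTFILE: print one iptables command per unique address.
# The chain is hooked into OUTPUT, not INPUT: the browser starts every
# connection, so it is the outgoing request to the ad host that is rejected.
build_rules() {
    list=$1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        set -- $line                                    # split on whitespace
        if [ $# -ge 2 ]; then entry=$2; else entry=$1; fi   # hosts-file line -> hostname
        resolve "$entry"
    done < "$list" | sort -u | while IFS= read -r ip; do
        printf 'iptables -A %s -d %s -p tcp -m multiport --dports 80,443 -j REJECT\n' \
            "$CHAIN" "$ip"
    done
}

# apply_rules LISTFILE: (re)create the chain, hook it into OUTPUT once,
# then load the generated rules. Needs root. REJECT rather than DROP so
# the browser fails fast (an empty window) instead of waiting on a timeout.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C OUTPUT -j "$CHAIN" 2>/dev/null || iptables -I OUTPUT -j "$CHAIN"
    build_rules "$1" | sh -e
}

# Usage (sample list is constructed, using the two addresses from the question):
#   printf '# ads\n104.28.20.67\n104.31.218.57\n' > blocklist.txt
#   ./adblock-iptables.sh blocklist.txt            # dry run: prints the rules
#   APPLY=1 ./adblock-iptables.sh blocklist.txt    # loads them; put in cron to refresh
if [ -n "${1:-}" ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_rules "$1"; else build_rules "$1"; fi
fi
```

The dry run is the default so the generated rules can be reviewed before anything touches the firewall; the caveat from the accepted answer applies unchanged, since a rejected address may also be serving content you want, and the script has no way to tell.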