Redirect/Block outgoing HTTP traffic for a specific URL in Ubuntu

2

On my Ubuntu server I have some custom software running, that connects to its vendor server to search for updates. While this is useful in general, the software is not supposed to update itself for security reasons. I found out that, if there's no internet connection, the software is unable to update, but will still start. But I obviously can't close the connection. The hosts file is not an alternative either, as the software needs to connect to the vendor for license checks.

So my question is: how can I redirect or block outgoing HTTP traffic for a specific URL?

tl;dr: http://www.vendor.com/license should be allowed, but http://www.vendor.com/update should be blocked for outgoing traffic.

buschtoens

Posted 2013-03-31T01:27:57.467

Reputation: 151

I know that I can put up some custom proxy, but I want to be as efficient as possible and am looking for other possibilities.

Maybe iptables is what I'm looking for? – buschtoens – 2013-03-31T01:30:46.463

Nope. Definitely not iptables, unless you want to compile with an additional module that performs analysis on a top layer of OSI/ISO. I guess the easiest would be a setting on a router - some security policy. I think Linksys routers have such an option. The Linksys WAG320n has such an option: http://i.imgur.com/3d6UmEw.jpg

– mnmnc – 2013-03-31T01:39:57.357

Additionally - if the software updates itself, I think there might be a config setting that says to do it. Maybe you are able to change the config? – mnmnc – 2013-03-31T01:43:51.810

iptables -A OUTPUT -p tcp -m string --string "URL_HERE" --algo kmp -j DROP Great thing that HTTP headers are sent in cleartext. :D – buschtoens – 2013-03-31T03:11:18.193

Hm... wget URL_HERE now goes on forever... Is there a way to actually close the connection instead of only dropping it? – buschtoens – 2013-03-31T03:12:05.557

Try REJECT instead of DROP. – Dennis – 2013-03-31T03:13:09.643

Doesn't work either... wget says "HTTP request sent, awaiting response..." – buschtoens – 2013-03-31T03:17:55.953

Right, the problem is that you're "rejecting" the connection after it has already been established. Use -j REJECT --reject-with tcp-reset. This will alert the application that the connection has been reset. – Dennis – 2013-03-31T03:34:14.660

You rock! It works. :) – buschtoens – 2013-03-31T03:35:25.257

Answers

2

Good thing that HTTP and its headers are sent in cleartext! We can search for the URL in the HTTP header with the -m string filter.

Example

We want to block: http://www.example.com/I/am/some/distinguishable/URL

iptables -A OUTPUT -p tcp -m string --string "/I/am/some/distinguishable/URL" --algo kmp -j REJECT --reject-with tcp-reset

Thanks to Dennis for his tip on --reject-with tcp-reset.

buschtoens

Posted 2013-03-31T01:27:57.467

Reputation: 151

It also stopped your own access to your own server. He wants to limit outgoing, I guess. – Wayne Tun – 2019-08-23T04:33:28.073
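The following is an added example, not code from the question or the accepted answer. It builds the OUTPUT-chain rule from the answer for one blocked path, but narrows it to port 80 and the vendor's address so that it does not match unrelated outgoing packets (the side effect raised in the last comment: a web server on the same box whose replies contain the string would otherwise be reset too). It also includes a small classifier that mimics what the kernel string matcher actually sees, which makes the edge cases visible: the matcher does not parse HTTP, it looks for the bytes anywhere in one packet's payload, and it only works at all because the traffic is cleartext HTTP. VENDOR_HOST and BLOCKED_PATH are hypothetical values; -m string needs the xt_string kernel module.

```shell
#!/bin/sh
# Added example (not the original answer's code). Generates, and on request
# installs, an iptables rule that resets outgoing cleartext HTTP requests for
# one URL path on one vendor host. VENDOR_HOST and BLOCKED_PATH are
# hypothetical placeholders; set them to the real vendor host and update path.

VENDOR_HOST="${VENDOR_HOST:-www.vendor.com}"   # hypothetical vendor hostname
BLOCKED_PATH="${BLOCKED_PATH:-/update}"        # hypothetical path to block

# Print the rule. --dport 80 and -d <host> scope it to client traffic towards
# the vendor, so replies from a local web server carrying the same string are
# not hit. iptables resolves the hostname once, when the rule is inserted, so
# re-apply it if the vendor's address changes. REJECT --reject-with tcp-reset
# hands the client a RST so it fails at once instead of hanging as under DROP.
block_rule() {
    host="$1"
    path="$2"
    printf 'iptables -A OUTPUT -p tcp --dport 80 -d %s -m string --string "%s" --algo kmp -j REJECT --reject-with tcp-reset\n' "$host" "$path"
}

# Rough model of the kernel matcher: a plain substring search over a single
# packet's payload, with no knowledge of HTTP. A request for /license passes
# and one for /update is reset, but so is any request whose payload merely
# contains "/update" (a query string, a Referer header, a POST body), while a
# request whose bytes are split across two packets can slip through.
# Prints "blocked" or "allowed".
classify_request() {
    payload="$1"
    pattern="$2"
    case "$payload" in
        *"$pattern"*) echo "blocked" ;;
        *)            echo "allowed" ;;
    esac
}

# Constructed sample requests, as a client would send them in cleartext.
LICENSE_REQ="GET /license HTTP/1.1
Host: $VENDOR_HOST
"
UPDATE_REQ="GET /update HTTP/1.1
Host: $VENDOR_HOST
"

if [ "$1" = "apply" ]; then
    # Install the rule only when explicitly asked to, and only as root.
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    iptables -A OUTPUT -p tcp --dport 80 -d "$VENDOR_HOST" \
        -m string --string "$BLOCKED_PATH" --algo kmp \
        -j REJECT --reject-with tcp-reset
else
    # Default: show the rule and what the matcher would do with each request.
    block_rule "$VENDOR_HOST" "$BLOCKED_PATH"
    echo "/license -> $(classify_request "$LICENSE_REQ" "$BLOCKED_PATH")"
    echo "/update  -> $(classify_request "$UPDATE_REQ" "$BLOCKED_PATH")"
fi
```

Run it without arguments to see the rule and the classification of the two sample requests; run it as root with `apply` to install the rule. Because the match is a byte search and not a URL parse, pick the longest string that is unique to the update endpoint, and remember that a vendor switching its update channel to HTTPS makes this rule inert, since the path is then inside the TLS payload.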