In certain network environments, it can be necessary to restrict web browsing on connected devices while allowing access to other services, such as SSH. One way to achieve this is by setting up a custom Wi-Fi hotspot that enforces selective network blocking. This article explores how to accomplish this setup using Linux tools, specifically ebtables for firewall rules and tcpdump for monitoring traffic.
In this setup, two machines were used: a “host” machine, which created the Wi-Fi hotspot, and a “client” machine, which connected to it. The host was configured to selectively block web browsing by dropping packets on HTTP and HTTPS ports, while still allowing access to the host’s SSH server.
To establish the Wi-Fi network, the linux-wifi-hotspot tool was used. This open-source project leverages hostapd to create a hotspot on Linux, allowing for flexible configuration and customization.
With the hotspot running, the next step was to configure ebtables rules on the host machine. ebtables operates at the Ethernet bridge layer, making it possible to manage packet forwarding based on specified criteria. To prevent the client from browsing the web, initial rules were set to drop packets on HTTP (port 80) and HTTPS (port 443).
The following script was created on the host to set up the basic firewall rules:
#!/bin/bash
# Flush ebtables to reset its state
ebtables -F
# Block HTTP and HTTPS traffic (TCP)
ebtables -A FORWARD -p IPv4 --ip-proto tcp --ip-dport 80 -j DROP
ebtables -A FORWARD -p IPv4 --ip-proto tcp --ip-dport 443 -j DROP

After deploying the initial script, it was observed that while some websites were indeed blocked, others remained accessible. Modern websites often use HTTP/3, which runs over QUIC on UDP rather than over TCP. To account for this, additional ebtables rules were added to block UDP traffic on ports 80 and 443:
# Block HTTP and HTTPS traffic (UDP)
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 80 -j DROP
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 443 -j DROP

With these modifications, many more websites were successfully blocked. However, certain modern sites continued to bypass the restrictions.
To investigate further, tcpdump was used on the host to monitor traffic on ports 80 and 443. This tool provided a detailed view of the data being transmitted and revealed that some of the traffic was using IPv6 rather than IPv4. The command below was used to capture traffic on the relevant ports:
tcpdump port 80 or port 443

This analysis showed that the traffic still reaching websites consisted of IPv6 packets, which the initial firewall rules (written for IPv4 only) had not addressed.
To fully restrict web browsing, additional ebtables rules were created to block both TCP and UDP traffic over IPv6 on ports 80 and 443:
# Block HTTP and HTTPS traffic (IPv6, TCP and UDP) on both source and destination ports
ebtables -A FORWARD -p ipv6 --ip6-protocol tcp --ip6-dport 80 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol tcp --ip6-sport 80 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol udp --ip6-dport 80 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol udp --ip6-sport 80 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol tcp --ip6-dport 443 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol tcp --ip6-sport 443 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol udp --ip6-dport 443 -j DROP
ebtables -A FORWARD -p ipv6 --ip6-protocol udp --ip6-sport 443 -j DROP

With these final adjustments, the setup was complete. The client could no longer access websites via either IPv4 or IPv6, while SSH connections remained unaffected.
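As an added example (not the article's own script), the following POSIX shell script generates the complete ruleset the article arrived at step by step, covering both address families, both transports and both port directions for any list of ports, dry-runs it by default, and checks a saved ebtables listing for rules that are missing. It assumes a bridged hotspot (so client frames traverse the ebtables FORWARD chain) and assumes that ebtables -L shows each rule as its match and target options.

```shell
#!/bin/sh
# Added example, not the article's script: builds the full ruleset the article
# reached step by step (IPv4+IPv6, TCP+UDP, source and destination port) for
# any port list. Assumes a bridged hotspot, so client frames traverse ebtables
# FORWARD; frames to the host itself (its SSH server) use INPUT and stay unaffected.
# Dry-run by default; set EBTABLES=ebtables and run as root to apply for real.
EBTABLES="${EBTABLES:-echo ebtables}"
BLOCKED_PORTS="${BLOCKED_PORTS:-80 443}"

# One DROP rule's arguments. Match options differ per address family:
# --ip-* for IPv4, --ip6-* for IPv6.  Usage: rule <ipv4|ipv6> <tcp|udp> <dport|sport> <port>
rule() {
    case "$1" in
        ipv4) printf '%s\n' "-A FORWARD -p IPv4 --ip-proto $2 --ip-$3 $4 -j DROP" ;;
        ipv6) printf '%s\n' "-A FORWARD -p IPv6 --ip6-protocol $2 --ip6-$3 $4 -j DROP" ;;
        *) echo "rule: unknown address family '$1'" >&2; return 1 ;;
    esac
}

# Every rule: 2 families x 2 transports x 2 directions per blocked port.
gen_rules() {
    for port in $BLOCKED_PORTS; do for fam in ipv4 ipv6; do
        for proto in tcp udp; do for dir in dport sport; do
            rule "$fam" "$proto" "$dir" "$port" || return 1
        done; done
    done; done
}

# Flush the FORWARD chain, then load (or in dry-run, print) the rules.
apply_rules() {
    $EBTABLES -F FORWARD || return 1
    gen_rules | while read -r args; do
        $EBTABLES $args || exit 1   # word splitting of $args is intended
    done
}

# Check a saved "ebtables -L FORWARD" listing (stdin) for every expected rule;
# prints missing ones and returns 1 if any is absent. Assumes the listing shows
# rules as their options, e.g. "-p IPv4 --ip-proto tcp --ip-dport 80 -j DROP".
check_rules() {
    listing=$(cat); status=0
    while read -r expect; do
        case "$listing" in
            *"$expect"*) ;;
            *) echo "missing: $expect"; status=1 ;;
        esac
    done <<EOF
$(gen_rules | sed 's/^-A FORWARD //')
EOF
    return $status
}
```

Run as `EBTABLES=ebtables sh block-web.sh` as root after sourcing or adding a call to apply_rules; afterwards `ebtables -L FORWARD | sh -c '. ./block-web.sh; check_rules'` reports any rule that did not load, and the article's tcpdump filter confirms that no port 80 or 443 traffic still crosses the bridge.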
This project demonstrates how ebtables and tcpdump can be used together to create a selective network blocking solution. By incrementally addressing gaps in the firewall, it was possible to restrict web access while still allowing other forms of communication, such as SSH. This approach highlights the importance of comprehensive traffic analysis, especially when dealing with multiple IP protocols and evolving standards like HTTP/3.