playing with xt_tls

tested on a Debian/Ubuntu system

requirements

kernel headers matching the running kernel, plus iptables and its development headers; building the module also needs make, gcc and git (the build-essential and git packages)

apt install linux-headers-$(uname -r)
apt install iptables libxtables-dev

install

make builds both the kernel module and the iptables userspace extension (libxt_tls.so), and make install copies them into place

git clone https://github.com/Lochnair/xt_tls.git
cd xt_tls/
make
make install

setup

the first lsmod should print nothing; after modprobe the second one should list xt_tls, which confirms that the module built against the running kernel actually loads before any rule depends on it

lsmod | grep xt_tls
modprobe xt_tls
lsmod | grep xt_tls

ready to go

iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "nethence.com" -j DROP

acceptance

everything should keep working, except that the domain is no longer reachable over HTTPS. the match reads the server_name (SNI) extension of the TLS ClientHello and drops the packet carrying it, so the TCP handshake itself completes and the client then hangs until it times out rather than getting a refusal. the comparison is made against the SNI string, which is why the sub-domain is unaffected:

pub.nethence.com    -- OK
nethence.com        -- NOK

keep in mind what the rule does not see: a client that sends no SNI, TLS on any port other than 443, and HTTP/3 (QUIC over UDP 443), since the rule is limited to -p tcp --dport 443
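what the match actually looks at, as an added example in Python that is not part of this page or of the xt_tls project: a bounds-checked parser for the server_name (SNI) extension of a TLS ClientHello, the one field -m tls inspects, plus a rule_matches() emulation of --tls-host run over a ClientHello constructed here (not captured). the exact, case-insensitive comparison in rule_matches() is this example's own assumption; the module's real matching rules are in its README.

```python
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: client_hello
SERVER_NAME_EXT = 0x0000  # extension_type: server_name (RFC 6066)


class _Reader:
    """Bounds-checked big-endian reader: truncated input raises ValueError
    instead of silently yielding garbage or an IndexError."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("truncated TLS data")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")

    def done(self):
        return self.off >= len(self.data)


def extract_sni(record):
    """Return the host_name from the server_name extension of a TLS ClientHello
    record, or None when the record is not a ClientHello or carries no SNI."""
    r = _Reader(record)
    content_type = r.u8()
    r.take(2)                                  # record-layer version, unused
    payload = r.take(r.u16())
    if content_type != HANDSHAKE:
        return None                            # e.g. encrypted application data
    hs = _Reader(payload)
    if hs.u8() != CLIENT_HELLO:
        return None
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                          # client_version + random
    body.take(body.u8())                       # session_id
    body.take(body.u16())                      # cipher_suites
    body.take(body.u8())                       # compression_methods
    if body.done():
        return None                            # hello without any extensions
    exts = _Reader(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext = _Reader(exts.take(exts.u16()))
        if ext_type != SERVER_NAME_EXT:
            continue
        names = _Reader(ext.take(ext.u16()))   # ServerNameList
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:                 # 0 = host_name
                return name.decode("ascii")
    return None


def rule_matches(record, tls_host):
    """Emulate '-m tls --tls-host TLS_HOST' on one packet. Assumption of this
    example: exact, case-insensitive comparison of the whole name; the module's
    own matching rules (wildcards and so on) are documented in its README."""
    sni = extract_sni(record)
    return sni is not None and sni.lower() == tls_host.lower()


def build_client_hello(sni=None):
    """Constructed TLS 1.2 ClientHello (not a capture); sni=None leaves the
    server_name extension out, like a client that sends no SNI."""
    def ext(ext_type, data):
        return struct.pack("!HH", ext_type, len(data)) + data

    extensions = ext(0x000b, b"\x01\x00")      # ec_point_formats, filler
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name entry
        extensions += ext(SERVER_NAME_EXT, struct.pack("!H", len(entry)) + entry)
    extensions += ext(0x0017, b"")             # extended_master_secret, empty
    body = (b"\x03\x03" + b"\x11" * 32         # client_version + random
            + b"\x00"                          # empty session_id
            + b"\x00\x04\xc0\x2f\xc0\x30"      # two cipher suites
            + b"\x01\x00"                      # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("pub.nethence.com", "nethence.com", None):
        hello = build_client_hello(host)
        verdict = "DROP" if rule_matches(hello, "nethence.com") else "pass"
        print(f"SNI={extract_sni(hello)!r}: {verdict}")
```

the ClientHello without SNI and a non-handshake record are the two cases the rule has nothing to compare against: a client that sends no server_name, and anything after the handshake, which is encrypted. encrypted ClientHello (ECH) goes one step further, putting the real name inside the encrypted part and only a public cover name in the outer SNI.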

clean-up

delete the rule first: rmmod refuses to unload the module while a rule still references the match

iptables -D OUTPUT -p tcp --dport 443 -m tls --tls-host "nethence.com" -j DROP
rmmod xt_tls

additional notes

nftables

with iptables-nft the rule lives in nf_tables, but the tls match is an xtables extension with no native nft expression, so nft cannot render it: the listing shows the match and everything after it as a comment, which cannot be loaded back as-is, even though the rule itself is live and its counter keeps increasing

table ip filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        meta l4proto tcp tcp dport 443 # TLS match host some-domain.com counter packets 10 bytes 5690 drop
    }
}

the same rule listed with iptables (-nvL OUTPUT) shows as

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27 15363 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 TLS match host some-domain.com

resources

https://github.com/Lochnair/xt_tls

https://lochnair.net/2016/11/29/netfilter-blocking-sites-using-tls/

alternatives

https://github.com/topics/sni?l=c&o=asc&s=stars

https://github.com/droe/sslsplit


Copyright © 2024 Pierre-Philipp Braun