Linux Router Caching Proxy Content Filter?
mike at dev-zero.net
Tue Jul 21 23:08:49 MDT 2009
Kimball Larsen wrote:
> Howdy smart people!
> I've got a new Ubuntu Jaunty box (named "Silver") with 2 nics -
> 192.168.0.4 and 192.168.0.5. My home gateway is 192.168.0.1.
> I'd like to set up the jaunty box to be the new gateway for all my in-
> house traffic, such that all clients would connect like this:
> Client -> 192.168.0.5 -> Firewall/Content Filter -> 192.168.0.4 ->
> 192.168.0.1 -> DSL Modem -> Internets.
> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put
> together myself. (dangerous, in my experience).
> Here is what I need some help with:
> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all
> ports from 192.168.0.4. Refuse to even accept connections from the
> lan side from anything else.
> b) Set up silver to act as a router for the rest of the network, so
> that all the clients use 0.5 as their gateway, and silver internally
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its
> c) Set up DansGuardian or somesuch in conjunction with squid or
> whatever is the best for DG to allow for content filtering of all web
> and IM traffic.
> I've got a house full of kids that are getting old enough that the
> sesame street and PBS sites are not keeping up with them anymore, but
> I don't want to have to make huge whitelists of sites they can visit
> on every computer in the house. I'd rather centralize the whole
> affair as above, but I've never done the whole DansGuardian thing
> before. Tips? Pointers? Someone want to do this for me?
Hrm. This seems a little complex to me. Doing what is basically a double
NAT is probably overkill for this. You can probably do what you are
wanting with about 2 iptables rules and no additional nic in 'Silver.'
Basically, all you need to do is add a rule to your OpenWRT box so that
anything coming in on from the LAN interface, and not from 'Silver',
gets redirected to 'Silver' on what ever port you have the proxy running
on. Doing this is actually not too far off from how the infamous
'Upside-Down-Ternet' works. (it was fun to do this to roommates for
April Fools' Day). You basically would need the second iptables command
listed but with the change of the -s to be something like '-s !
192.168.0.4' and then the --to-destination to be 192.168.0.4. You might
want to add a '-i br0' (or whatever your LAN interface is) to the rule
so that it only matches traffic coming from the internal LAN side of the
The second rule would be something that drops all traffic from source
addresses that aren't 192.168.0.4. IIRC, OpenWRT does some funky layouts
with its table layout for iptables. So you might have to do some hunting
of where this will need to go. I would recommend against doing a default
deny on outgoing traffic. But I still believe that not everything should
have to go through a web page. Doing the deny will block lots of things
that might be perfectly fine, such as non-web based email. And if you
are behind this and want to do something like ssh to a server off your
network, you will have to add rules allowing it. Things just get to be a
Also, doing this deny with only the one redirect from above, you will
also lock out https access to web sites. You can do a similar rule for
https that you do for http. But, redirecting https through your proxy
using this method will be a little painful. You should get a lot of
certificate errors because you are basically doing a man-in-the-middle on
the SSL connections.
Hopefully that gives you some helpful info.
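The two OpenWRT rules described in the reply above, written out as an added example that is not part of the original thread: a dry-run script that prints the iptables commands so they can be reviewed before being applied (set IPT=iptables to run them for real). The interface names br0 and vlan1, the proxy port 8080 and the MASQUERADE step are assumptions; the masquerade is included because Silver and the clients share one subnet, so without it Silver's replies would go straight back to the client instead of through the router and never match the DNAT connection.

```shell
#!/bin/sh
# Added example, not code from the original thread. Defaults only print the
# commands; run with IPT=iptables on the OpenWRT box to apply them.
# Assumed values: LAN bridge br0, WAN interface vlan1, Silver at 192.168.0.4,
# DansGuardian/squid proxy listening on 8080.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-br0}"
WAN="${WAN:-vlan1}"
SILVER="${SILVER:-192.168.0.4}"
PROXY_PORT="${PROXY_PORT:-8080}"

redirect_rules() {
    # 1. LAN HTTP that is not from Silver itself goes to Silver's proxy port.
    #    Excluding Silver keeps its own upstream fetches from looping back.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        ! -s "$SILVER" -j DNAT --to-destination "$SILVER:$PROXY_PORT"
    # The redirected flow enters and leaves on the LAN bridge; make sure the
    # FORWARD chain lets it through (inserted first, ahead of OpenWRT's rules).
    $IPT -I FORWARD -i "$LAN" -o "$LAN" -d "$SILVER" -p tcp \
        --dport "$PROXY_PORT" -j ACCEPT
    # Silver is on the same subnet as the clients, so it would answer them
    # directly and the client would see a reply from the wrong address.
    # Masquerading the redirected flow makes Silver reply via the router.
    $IPT -t nat -A POSTROUTING -o "$LAN" -d "$SILVER" -p tcp \
        --dport "$PROXY_PORT" -j MASQUERADE
}

deny_rules() {
    # 2. Optional: forward nothing from the LAN to the WAN except Silver.
    #    As the reply notes, with only the port-80 redirect this also blocks
    #    HTTPS, non-web mail, ssh and so on for every other client.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" ! -s "$SILVER" -j DROP
}

redirect_rules
deny_rules
```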