Linux Router Caching Proxy Content Filter?

Michael Torrie torriem at
Tue Jul 21 09:21:41 MDT 2009

Kimball Larsen wrote:
> is a WRT54G running OpenWRT with a firewall that I put  
> together myself. (dangerous, in my experience).

Oh, why is this?

> a)  Change the firewall on to *only* allow traffic on all  
> ports from  Refuse to even accept connections from the  
> lan side from anything else.

I'm sure you could do this with iptables and static routes, but seems to
be pointless to me.  If your hell-bent on doing this, just put your lan
and silver on a different subnet and then standard routing applies,
although this seems overly convoluted.

> b)  Set up silver to act as a router for the rest of the network, so  
> that all the clients use 0.5 as their gateway, and silver internally  
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its  
> gateway.
> c)  Set up DansGuardian or somesuch in conjunction with squid or  
> whatever is the best for DG to allow for content filtering of all web  
> and IM traffic.

I don't know of any way to filter IM traffic with DG.  But for web,
here's what I do:

- on my openwrt router I run tinyproxy and set it to use DG on silver as
the upstream proxy
- set openwrt to redirect all http traffic that's not from silver to the
local tinyproxy
- set openwrt to allow http traffic from silver only
- on silver, I use iptables rules to allow outbound HTTP traffic from
the dansguardian user only), and transparently redirect all other local
traffic to DG, so that silver itself is also filtered even though it's
the trusted host.

I can post iptables rules if you want, both for openwrt and silver.  In
any event maintaining the openwrt firewall would seem to be the best bet
rather than mucking with 2 layers of routing.  As I have demonstrated
you can still use silver as a filter computer.

More information about the PLUG mailing list