Linux Router Caching Proxy Content Filter?

Mike Lovell mike at
Tue Jul 21 23:08:49 MDT 2009

Kimball Larsen wrote:
> Howdy smart people!
> I've got a new Ubuntu Jaunty box (named "Silver") with 2 nics -  
> and   My home gateway is
> I'd like to set up the Jaunty box to be the new gateway for all my in-house
> traffic, such that all clients would connect like this:
> Client -> -> Firewall/Content Filter -> ->  
> -> DSL Modem -> Internets.
> is a WRT54G running OpenWRT with a firewall that I put  
> together myself. (dangerous, in my experience).
> Here is what I need some help with:
> a)  Change the firewall on to *only* allow traffic on all  
> ports from  Refuse to even accept connections from the  
> lan side from anything else.
> b)  Set up silver to act as a router for the rest of the network, so  
> that all the clients use 0.5 as their gateway, and silver internally  
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its  
> gateway.
> c)  Set up DansGuardian or somesuch in conjunction with squid or  
> whatever is the best for DG to allow for content filtering of all web  
> and IM traffic.
> I've got a house full of kids that are getting old enough that the  
> Sesame Street and PBS sites are not keeping up with them anymore, but  
> I don't want to have to make huge whitelists of sites they can visit  
> on every computer in the house.  I'd rather centralize the whole  
> affair as above, but I've never done the whole DansGuardian thing  
> before.  Tips?  Pointers?  Someone want to do this for me?

Hrm. This seems a little complex to me. Doing what is basically a double 
NAT is probably overkill for this. You can probably do what you are 
wanting with about 2 iptables rules and no additional nic in 'Silver.'

Basically, all you need to do is add a rule to your OpenWRT box so that 
anything coming in on the LAN interface, and not from 'Silver', 
gets redirected to 'Silver' on whatever port you have the proxy running 
on. Doing this is actually not too far off from how the infamous 
'Upside-Down-Ternet' works. [1] (It was fun to do this to roommates for 
April Fools' Day.) You basically would need the second iptables command 
listed but with the change of the -s to be something like '-s !' and then the --to-destination to be You might 
want to add a '-i br0' (or whatever your LAN interface is) to the rule 
so that it only matches traffic coming from the internal LAN side of the 

The second rule would be something that drops all traffic from source 
addresses that aren't IIRC, OpenWRT does some funky things 
with its table layout for iptables. So you might have to do some hunting 
for where this will need to go. I would recommend against doing a default 
deny on outgoing traffic. But I still believe that not everything should 
have to go through a web page. Doing the deny will block lots of things 
that might be perfectly fine, such as non-web-based email. And if you 
are behind this and want to do something like ssh to a server off your 
network, you will have to add rules allowing it. Things just get to be a 

Also, doing this deny with only the one redirect from above, you will 
also lock out https access to web sites. You can do a similar rule for 
https that you do for http. But redirecting https through your proxy 
using this method will be a little painful. You should get a lot of 
certificate errors because you are basically doing a man-in-the-middle on 
the SSL connections.

Hopefully that gives you some helpful info.
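As an added example that is not part of the reply above: the two rules it describes (the transparent redirect of LAN HTTP to the proxy host, plus the optional "deny everything not from the proxy" rule the reply cautions against) as a small POSIX sh script that prints the iptables commands for review instead of applying them. The LAN bridge name br0, the proxy address 192.168.1.5 and port 8080 are constructed values, not from the thread.

```shell
#!/bin/sh
# Emits (does not apply) OpenWRT iptables rules that send LAN web traffic
# through a filtering proxy on another LAN host. Review the output, then
# pipe it to sh on the router. Assumed names: LAN bridge br0, proxy host
# 192.168.1.5 listening on 8080 (constructed values, not from the post).

is_ipv4() {
    # Reject anything but a dotted quad with each octet in 0..255.
    case $1 in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

build_rules() {
    lan_if=$1 proxy_ip=$2 proxy_port=$3 strict=${4:-no}
    is_ipv4 "$proxy_ip" || { echo "bad proxy address: $proxy_ip" >&2; return 1; }
    case $proxy_port in ''|*[!0-9]*) echo "bad port: $proxy_port" >&2; return 1 ;; esac

    # Transparent redirect: HTTP arriving on the LAN side that did not come
    # from the proxy itself is DNATed to the proxy. Excluding the proxy's own
    # address is what stops its upstream fetches looping back into it.
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$lan_if" "$proxy_ip" "$proxy_ip" "$proxy_port"

    # Optional strict mode: the "drop everything not from the proxy" rule the
    # reply warns about. Ordered so the proxy's own traffic and plain TLS
    # still pass; 443 is let through rather than redirected, because DNATing
    # TLS into the proxy makes every browser raise certificate errors. Anything
    # else from the LAN (non-web mail, ssh, DNS to outside resolvers) is dropped.
    if [ "$strict" = yes ]; then
        printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$lan_if" "$proxy_ip"
        printf 'iptables -A FORWARD -i %s -p tcp --dport 443 -j ACCEPT\n' "$lan_if"
        printf 'iptables -A FORWARD -i %s -j DROP\n' "$lan_if"
    fi
}

# Usage: sh rules.sh br0 192.168.1.5 8080 [yes]
if [ $# -ge 3 ]; then build_rules "$@"; fi
```

Without the fourth argument only the redirect is printed, which is the non-strict setup the reply recommends.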


