December 14th, 2002, 02:05 AM
Blocking content with squid
TRANSPARENT PROXY AND BLOCKING SITES WITH SQUID
Ok with the thread about kids and access to porn on the net I made a comment about blocking sites with squid proxy server on my linux gateway on a simple home network. For those interested in how it is done I will explain how I went about it. I am making the assumption you are running a linux distro with a 2.4 kernel (iptables) and squid proxy server on your gateway that is all setup and running and you have root access.
I know there are specific programs like squidguard etc out there but I find this just as easy without having to install any further software.
TRANSPARENT PROXY SETUP
Firstly you need to set up the transparent proxy in Squid so open the squid.conf wherever it lives on your distro and edit the following lines. Find the following directives, uncomment them, and change them to the appropriate values:
* httpd_accel_host virtual
* httpd_accel_port 80
* httpd_accel_with_proxy on
* httpd_accel_uses_host_header on
save this configuration. Now for the netfilter (iptables), the magic words for transparent proxying:
* iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 (or whatever port your proxy is listening on)
You will want to add the above commands to your appropriate bootup script under /etc/rc.d/. so things are setup on bootup.
Restart squid and point your browser at your gateway on the port the proxy is listening to ... all going well that is done. The browser on your network machine/s have to go through the proxy now to get out onto the net.
BLOCKING SITES WITH SQUID.
I downloaded the blacklist file from squidguard.org and unzipped the file and found it contained directories like porn, warez, drugs, violence, hacking etc... I made similar directories to my /etc/squid directory (not necessary - just I like a tidy filing system) and moved the domain file under each of the blacklist directories into my corresponding directories in /etc/squid. The other files in the blacklist are not required and can be deleted.
With that done, re-open squid.conf file and add a new ACL under the ACCESS CONTROLS section, mine looks like;
acl banned url_regex "/etc/squid/warez/domains" "/etc/squid/hacking/domains" "/etc/squid/porn/domains" and so forth. Save and restart squid.
Nearly done, well really this is all that is required but for the finishing touches I edited the /usr/lib/squid/errors/English/ERR_ACCESS_DENIED file (make a backup first) and made a nice custom message. This can be as nice or sarcastic as the mood takes you , save the file and restart squid if you have edited this file.
Take a look in the various domain files and add/delete entries as you see fit, I had to remove AntiOnline from the hacking one !! apparently someone saw fit to add it , remember to restart squid if you edit any of these files.
The blacklists are updated from time to time just grab them from the squidguard site and replace the old ones if required - its not a definitive list but a fairly comprehensive one. Your list can be as restrictive or free as you choose.
As added protection on the WinXP machine I installed Security Administrator which is a small program that has a very easy to use interface that allows me to control what each user can access on the system, so once I have set up the security level on IE for example, it allows me to remove various options from the toolbar stopping the user from changing things. It can also control what programs the user can access for instance IRC and the like.
With relative peace of mind, I can go do other things while the kids access the net.
Hope I haven't forgotten anything.
December 14th, 2002, 04:57 AM
Dansguardian works great with squid too (www.dansguardian.org) and does true content filtering (meaning it blocks pages that contain certain words or combinations of words...).
Credit travels up, blame travels down -- The Boss
December 14th, 2002, 05:05 AM
Thanks ammo ..... will have to check it out, my way does need the specific domain and/or page listed in the domain files.