Content Filtering without a Proxy
Is it possible to set up a content filter on a Debian Etch server without setting up a proxy, and have the filtering based on MAC addresses?
Here's my network layout. The Debian box is doing nat/masquerading and is a DHCP server, so all content has to travel through it anyway. Internal Network--------Debian Server------Router---Internet The Debian box has 2 NICs. |
To do content filter you need a proxy server.
|
It depends on your definition of "proxy". If you mean without having to set a proxy server in the client computers config, then yes, you can do this.
It's called a transparent bridge/proxy and basically what you do is "bridge" both ethernet cards on your server together (so that any traffic recieved on one is transmitted by the other and vice versa), and then run iptables rules on that server. These iptables rules silently grab and redirect any port 80 (i.e. HTTP) or other requests you want and force them through a proxy on the same machine (usually squid). To the clients, there IS no proxy, to the server, it sees, intercepts, proxies, filters and caches anything that people try to access without them knowing. There are several transparent bridge and squid transparent HOWTO's on the net but none of them are simple to implement because it's quite a complex task to do. Using a combination of them and a lot of guesswork, I've implemented this myself in several schools for their main filtering systems (other 1000 users in one, running off a 1GHz machine with Gigabit Ethernet which filters ALL of their web requests). You can still have other iptables rules (i.e. a firewall) on the server, you can still access the server via an IP address as normal if you wish (with the right IPTables rules) but you end up being a "proxy" without anyone knowing. A lot of schools use this setup because it means you can make the proxy/filter invisible and, with the right iptables rules, practically impossible to hack because it's not ACTING on any traffic, it's just passing it along silently. The only thing that can get "hacked" is squid and you can make it so that squid's not accessible to the local network, only to "localhost", which is all it needs to filter. |
hi mike,
Quote:
iptables -t nat -I PREROUTING -i <LAN> -p udp --dport 53 -j DNAT --to <opendns_ip> so any dns request to forbidden sites will be block by opendns. the second one is trully impossible (do content filtering) since L2 or MAC doesnt know how to route nor request a session - it simply forward traffic. HTH. |
Thanks ledow and rossonieri#1. I'll look into those more carefully in the next few days.
I'm not sure that I worded my second question (about MAC address filtering) correctly. I was asking about filtering content only for certain computers on my local network. For example, computer A wouldn't be filtered, but computer B would be. Is this possible? |
Add a matching rule for each mac address to filter. Or if you have only one that isn't filtered use "!" and use the mac address that you don't want the rule for.
From the iptables manpage: Code:
|
Install and configure Squid (web proxy)
Squid will act as our proxy server which should speed up our web browsing and allow the content filter to function as it requires one. Run: pacman -S squid to install The default config file for squid is pretty much ready to go. It’s a good thing because there are an overwhelming number of configuration options. Anyway, keep the default config but add/change the following in your **/etc/squid/squid.conf **file. acl localhost src 127.0.0.1/32 http_access allow localhost http_access deny all http_port 3128 transparent dns_nameservers 208.67.222.123, 208.67.220.123 #OpenDNS FamilyShield DNS |
Content Filters are an evoking methodology used in the field of security technology. Essentially, these are set of tools that are intended to monitor all of the traffic carries out on a network and compare it to a set of rules that define any unacceptable activity. In order to monitor the rate of outbound traffic, one must choose a Content Filter accordingly to their business requirement, such that which type of traffic to be enable or disabled.
|
Guess you could run a free virtual machine program and then run any number of firewall type distro's. Something like Untangle or other may suite your needs.
I've never used it but Dansguardian has been around for a while. |
All times are GMT -5. The time now is 03:37 AM. |