LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-01-2008, 11:18 AM   #1
mikes63737
LQ Newbie
 
Registered: Nov 2005
Location: At my computer
Distribution: Debian Etch, CentOS 5.1
Posts: 19

Rep: Reputation: 0
Content Filtering without a Proxy


Is it possible to set up a content filter on a Debian Etch server without setting up a proxy, and have the filtering based on MAC addresses?

Here's my network layout. The Debian box is doing nat/masquerading and is a DHCP server, so all content has to travel through it anyway.

Internal Network--------Debian Server------Router---Internet

The Debian box has 2 NICs.

Last edited by mikes63737; 03-01-2008 at 11:29 AM.
 
Old 03-01-2008, 07:39 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
To do content filter you need a proxy server.
 
Old 03-02-2008, 10:28 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
It depends on your definition of "proxy". If you mean without having to set a proxy server in the client computers config, then yes, you can do this.

It's called a transparent bridge/proxy and basically what you do is "bridge" both ethernet cards on your server together (so that any traffic received on one is transmitted by the other and vice versa), and then run iptables rules on that server.

These iptables rules silently grab and redirect any port 80 (i.e. HTTP) or other requests you want and force them through a proxy on the same machine (usually squid). To the clients, there IS no proxy, to the server, it sees, intercepts, proxies, filters and caches anything that people try to access without them knowing.

There are several transparent bridge and squid transparent HOWTOs on the net but none of them are simple to implement because it's quite a complex task to do. Using a combination of them and a lot of guesswork, I've implemented this myself in several schools for their main filtering systems (over 1000 users in one, running off a 1GHz machine with Gigabit Ethernet which filters ALL of their web requests).

You can still have other iptables rules (i.e. a firewall) on the server, you can still access the server via an IP address as normal if you wish (with the right IPTables rules) but you end up being a "proxy" without anyone knowing.

A lot of schools use this setup because it means you can make the proxy/filter invisible and, with the right iptables rules, practically impossible to hack because it's not ACTING on any traffic, it's just passing it along silently. The only thing that can get "hacked" is squid and you can make it so that squid's not accessible to the local network, only to "localhost", which is all it needs to filter.
 
Old 03-02-2008, 10:53 AM   #4
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi mike,

Quote:
Is it possible to set up a content filter on a Debian Etch server without setting up a proxy, and have the filtering based on MAC addresses?
the first one is possible - this is my hack using opendns and iptables:

iptables -t nat -I PREROUTING -i <LAN> -p udp --dport 53 -j DNAT --to <opendns_ip>

so any dns request to forbidden sites will be blocked by opendns.

the second one is truly impossible (do content filtering) since L2 or MAC doesn't know how to route nor request a session - it simply forwards traffic.

HTH.
 
Old 03-02-2008, 08:19 PM   #5
mikes63737
LQ Newbie
 
Registered: Nov 2005
Location: At my computer
Distribution: Debian Etch, CentOS 5.1
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks ledow and rossonieri#1. I'll look into those more carefully in the next few days.

I'm not sure that I worded my second question (about MAC address filtering) correctly. I was asking about filtering content only for certain computers on my local network. For example, computer A wouldn't be filtered, but computer B would be. Is this possible?
 
Old 03-02-2008, 08:42 PM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Add a matching rule for each mac address to filter. Or if you have only one that isn't filtered use "!" and use the mac address that you don't want the rule for.

From the iptables manpage:
Code:
   mac
       --mac-source [!] address
              Match source MAC address.  It must be of the form XX:XX:XX:XX:XX:XX.   Note  that  this  only  makes
              sense  for  packets  coming  from  an  Ethernet device and entering the PREROUTING, FORWARD or INPUT
              chains.
Another thing you could do as well is to configure your DHCP server to serve the OpenDNS IP address to the restricted MAC addresses. Then you can add logging to the iptables rule, which will allow you to know if the person has changed the DNS settings on their computer.

Last edited by jschiwal; 03-02-2008 at 08:48 PM.
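The three replies add up to one ruleset, shown here as an added example that is not code from the thread or from any of its posters. It combines ledow's transparent redirect into squid (post #3), rossonieri#1's DNS DNAT to OpenDNS (post #4) and jschiwal's --mac-source match with a LOG rule (post #6), written for the original poster's routed two-NIC NAT box rather than ledow's bridge. Everything configurable is an assumption: eth0 as the LAN-facing NIC, squid in transparent mode on port 3128 on the server, 208.67.222.222 as the OpenDNS address, and the MAC addresses and kernel log lines are constructed sample values. Rules are only printed unless APPLY=1 is set, so the script can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: the routed version of the setup the
# replies describe, keyed on MAC address so that only chosen hosts are filtered.
# Interface name, squid port, the OpenDNS address and every MAC below are
# assumptions or constructed sample values.
LAN_IF="${LAN_IF:-eth0}"                     # NIC facing the internal network (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"             # local squid in transparent mode (assumed)
OPENDNS_IP="${OPENDNS_IP:-208.67.222.222}"   # OpenDNS resolver (public address)
# Constructed: these hosts ("computer B") are filtered; every other host is not.
FILTERED_MACS="${FILTERED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"

# run: print the rule so it can be reviewed; execute it only when APPLY=1.
run() {
    echo "iptables $*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# per_mac_rules: the transparent redirect and the DNS DNAT, each restricted to
# one filtered host with --mac-source. The LOG rule lives in the mangle table
# because it sees every packet and runs before nat rewrites the destination.
# "! -d" is current iptables syntax; the Etch-era binary in the quoted manpage
# wrote the "!" after the option instead.
per_mac_rules() {
    for mac in $FILTERED_MACS; do
        # HTTP from this host is silently redirected into the local squid.
        run -t nat -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" \
            -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
        # DHCP hands this host OpenDNS, so a query to any other resolver means
        # the client changed its DNS settings: log it, then rewrite it anyway.
        run -t mangle -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" \
            -p udp --dport 53 ! -d "$OPENDNS_IP" -j LOG --log-prefix "DNS-BYPASS "
        run -t nat -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" \
            -p udp --dport 53 -j DNAT --to-destination "$OPENDNS_IP"
    done
    # Only redirected connections (conntrack's virtual DNAT state) may reach
    # squid's port; a host that points its browser at the proxy directly is
    # dropped, which keeps squid effectively localhost-only as ledow describes.
    run -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -m conntrack --ctstate DNAT -j ACCEPT
    run -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
}

# exempt_all_but: jschiwal's alternative when exactly one host is unfiltered;
# the negated --mac-source redirects everyone except that MAC.
exempt_all_but() {
    run -t nat -A PREROUTING -i "$LAN_IF" -m mac ! --mac-source "$1" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Constructed sample of what the LOG rule writes to the kernel log (abridged).
# In the MAC= field the first six bytes are the destination MAC, the next six
# the source MAC, and the last two the ethertype.
SAMPLE_LOG='Mar  2 20:48:01 gw kernel: DNS-BYPASS IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40123 DPT=53
Mar  2 20:48:05 gw kernel: DNS-BYPASS IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=40124 DPT=53
Mar  2 20:49:00 gw kernel: DNS-BYPASS IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:66:08:00 SRC=192.168.1.21 DST=9.9.9.9 LEN=60 PROTO=UDP SPT=40125 DPT=53'

# dns_bypassers: read kernel log lines on stdin and print "source_mac count"
# for every filtered host that sent DNS somewhere other than OpenDNS.
dns_bypassers() {
    grep 'DNS-BYPASS' \
    | sed -n 's/.*MAC=\([0-9a-f:]*\).*/\1/p' \
    | awk -F: '{ printf "%s:%s:%s:%s:%s:%s\n", $7, $8, $9, $10, $11, $12 }' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run: print the ruleset, then summarise the constructed log sample.
per_mac_rules
exempt_all_but 00:11:22:33:44:77
echo "$SAMPLE_LOG" | dns_bypassers
```

Running the script prints the rules and, from the sample, reports that 00:11:22:33:44:55 bypassed OpenDNS twice and 00:11:22:33:44:66 once. On the live box the same summary comes from piping the real log through the function after sourcing the script, for example `grep DNS-BYPASS /var/log/kern.log | dns_bypassers`. The LOG rule is placed before the DNAT on purpose: the bypass attempt is still rewritten to OpenDNS, so the host gains nothing, but the attempt itself is recorded.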
 