Old 06-01-2001, 06:42 PM   #1
jmelgin
I have a home network with 4 Win98 clients and one Linux box that I want to set up as a gateway to the net (via a cable modem). I want to be able to restrict my children's internet access in two ways: (1) the time of day they are allowed to surf and (2) some sort of filter for adult content. Can someone point me in the right direction? FYI, my Linux box is an old AMD K6-233 with a 6.4GB drive running Suse Linux 7.1.
 
Old 06-02-2001, 12:52 AM   #2
mcleodnine
Your box sounds more-than adequate for the task, and I personally like your choice of distro.

If you're looking for a software rather than a social solution, try the following.

Install whatever Win9x client software for netfiltering.

Try a Google search for 'cbq'. You can set it up to throttle network usage (speed and access) based on combinations of port assignment, time of day and users. I wouldn't use it for content-based filtering though.

If you want to put the energy into it you can just set up Squid and keep extensive logs. Then tell your kids that you know what they are up to. I guess it depends on what your kids are like. IIRC you can limit access by site.
 
Old 06-02-2001, 09:52 AM   #3
jmelgin
I'm definitely wanting to put energy into the software side...mostly because I know it can be done! I know only a very little about Squid - are there any good resources to check out on how to set it up? Are there any other alternatives to Squid? I've heard that Squid can be a RAM hog and I've only got 64MB....will that be adequate? (on the other hand, RAM is so cheap I should probably get another stick or two).
 
Old 06-02-2001, 09:57 AM   #4
jharris
More details, but just as many issues raised!

As mcleodnine's already mentioned, Squid would be an option; the Squid guys are at http://www.squid-cache.org

I managed to get it set up here (more of an experiment than for any real use) without too much difficulty. It definitely does allow you to control site access, so you could set it up to filter out, say, any URL containing XXX etc, but you will probably find yourself editing your rules quite frequently to gain access to valid sites that contain matchable substrings (say the word Essex would be hit by a simple rule matching URLs that contain the word 'sex'). The other thing that might be useful as far as Squid is concerned is that it will cache the pages that it retrieves, so if your kids visit the same site a few times a day it won't necessarily burn your cable modem's bandwidth retrieving the page again, but will return the cached copy.

How are you currently getting out onto the WWW? IP Masquerading I assume? If this is the case then your kids will simply have the option to turn off the use of the proxy in your browser's config! You might want to stop forwarding attempts to access port 80 on any outside machines; this should effectively stop them, however they could still set their browsers to use your ISP's proxy, in which case they would no longer be going out to port 80 on a machine and would be able to look at anything... Fun eh??

The best option would be to not forward any http packets out onto the www, but I don't know how you would do it... Any one on the forum got any ideas on this one?

HTH

Jamie...
 
Old 06-02-2001, 10:00 AM   #5
jharris
Quote:
Originally posted by jmelgin
I'm definitely wanting to put energy into the software side...mostly because I know it can be done! I know only a very little about Squid - are there any good resources to check out on how to set it up? Are there any other alternatives to Squid? I've heard that Squid can be a RAM hog and I've only got 64MB....will that be adequate? (on the other hand, RAM is so cheap I should probably get another stick or two).
Squid will use a bit of RAM to say the least if you let it, but all of the RAM details you tend to read assume that you are using Squid to proxy a company or university or something that sort of size. It was running fine on my IDT WinChip-2 233 with 64MB, and that had loads of other crap running too, a lower spec than your box.

Jamie...
 
Old 06-02-2001, 07:42 PM   #6
mcleodnine
Re: More details, but just as many issues raised!

Quote:
The best option would be to not forward any http packets out onto the www, but I don't know how you would do it... Any one on the forum got any ideas on this one?

HTH

Jamie...
Just ran across this recently...
http://www.linuxdoc.org/HOWTO/Bandwi...WTO/index.html

There's a section which shows how to stop ppl surfing around your proxy.

The default SuSEfirewall setup has a 'redirect' which does the same thing if I recall correctly...

... from /etc/rc.config.d/firewall.rc.config...

#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, seperated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) original destination port and 4) local port to redirect the traffic to,
# seperated by a colon. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
#
# Redirect TCP connections
FW_REDIRECT_TCP=""
# Redirect UDP connections
FW_REDIRECT_UDP=""

Of course you would still need to set up Squid and have the port declarations match the firewall script (or vice-versa).
 
Old 06-04-2001, 05:03 PM   #7
prowzen
clarification...

I recently tried learning about IP masquerading and proxies... I believe that a proxy is something specific to applications (applications should have the logic built in to use a proxy) whereas with IP Masquerading you just configure your network clients to use the linux server as the gateway.
Will disabling 'use proxy server' in the browser disable IP Masq too? My thoughts say that it shouldn't... Anyone can clarify this please?
 
Old 06-04-2001, 07:16 PM   #8
jharris
Re: clarification...

Quote:
Originally posted by prowzen
I recently tried learning about IP masquerading and proxies... I believe that a proxy is something specific to applications (applications should have the logic built in to use a proxy) whereas with IP Masquerading you just configure your network clients to use the linux server as the gateway.
Will disabling 'use proxy server' in the browser disable IP Masq too? My thoughts say that it shouldn't... Anyone can clarify this please?
Yeah, IP Masquerading (called NAT by everyone else - Network Address Translation) is invisible to the client software. There is no way from the client to disable NAT apart from changing the default gateway. The 'use proxy server' option in your software doesn't make any difference. Hence the issue with trying to control WWW access with the proxy - it isn't much use when you can simply sidestep it by setting your software not to use it!

On the subject of default gateways, I found that Windows can give some interesting error messages when your default gateway isn't set, but they are application dependent. I changed my network and updated to 10/100 cards all round. I forgot to set my default gateway on my Win98 box. When I tried to get to an external site Opera would report "You may not access that site from this machine", and IE spent ages going around in circles trying all the different domains (.com, .net, .co.uk, etc...) before finally giving up with some cryptic error message... This threw me for a few minutes...

HTH

Jamie...
 
Old 06-04-2001, 08:20 PM   #9
jmelgin
What else might work beside Squid?

Rather than setting up a Squid proxy system, is there a way to force users off of the system at a certain time? For example, I understand in Win2k Server you can set up allowable times for users to be logged into the system. Is that possible with Linux? If so, I could force the kids off the system and therefore deny access to the net and other system services that way. Is there an easy way to do this?
 
Old 06-04-2001, 08:30 PM   #10
jharris
To use the proxy or IP-Masq/NAT you don't need to be logged in... I imagine you can set a rule for Squid to only allow access at specific times but I don't know of any existing 'nice' way to deny access to the 'gateway' (be it really a proxy, or a forwarder of some kind) based on the time.

Bound to be a way, just a case of finding the software. I don't imagine it would be that difficult to write a filter that would sit on a port and deny packets from specific IPs at specific times. There might even be such features in the 2.4 replacement for IP-chains (damned if I can remember the name!), I certainly haven't come across it in IP chains.

As for an alternative: there are lots of proxies... Squid is just about the most fully featured and caches... For a small application that doesn't require caching I'm sure there are lots out there.

Jamie...
 
Old 06-06-2001, 02:15 AM   #11
mcleodnine
Re: What else might work beside Squid?

Quote:
Originally posted by jmelgin
Rather than setting up a Squid proxy system, is there a way to force users off of the system at a certain time? For example, I understand in Win2k Server you can set up allowable times for users to be logged into the system. Is that possible with Linux? If so, I could force the kids off the system and therefore deny access to the net and other system services that way. Is there an easy way to do this?
With CBQ (more info in the readme I linked to a couple of posts up) you can limit by time of day and IP address (hosts).
 
Old 06-06-2001, 07:50 AM   #12
jharris
Just got this mail that might relate to you. Have a look at the mail archives on http://vger.kernel.org - I assume more will be there.

Jamie...

=========
Date: Wed, 06 Jun 2001 13:46:58 +0200
From: Explicit <langak@freemail.absa.co.za>
To: langak@freemail.absa.co.za
Subject: RE: Transparent proxy with squid and ipchains.

Hi Tony

Just a quick question. Those directives that you said I must add to
squid ie:
- -httpd_accel_host virtual
- -httpd_accel_with_proxy on
- -httpd_accel_uses_host_header on
- -httpd_accel_port 80

I added them and I still can't get transparent proxying working. I
told squid to deny all proxy requests so that I can get the access
denied page when I ask for any page from squid.

I have the following rule on ipchains:
ipchains -I input -p tcp -s 192.168.1.0/24 -d any/0 80 -j REDIRECT 3128 -l

When I try to access a site transparently, I get a timeout. When I
use the proxy setting on my browser, then I get the access denied page.
ie:
- ----
While trying to retrieve the URL: http://192.168.2.1/

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed
at this time. Please contact your service provider if you feel this
is incorrect.

Your cache administrator is webmaster.
- ----

As soon I remove proxy setting... no play.

Here is my ipchains log:
May 31 13:41:49 gatekeeper kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 192.168.1.13:1049 192.168.2.1:80 L=48 S=0x00 I=47366 F=0x0000 T=128 SYN (#3)
May 31 13:41:52 gatekeeper kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 192.168.1.13:1049 192.168.2.1:80 L=48 S=0x00 I=47878 F=0x0000 T=128 SYN (#3)
May 31 13:41:58 gatekeeper kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 192.168.1.13:1049 192.168.2.1:80 L=48 S=0x00 I=49926 F=0x0000 T=128 SYN (#3)
May 31 13:42:10 gatekeeper kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 192.168.1.13:1049 192.168.2.1:80 L=48 S=0x00 I=50182 F=0x0000 T=128 SYN (#3)

My squid is bound to all the interfaces. The only ipchains rule is the
redirection rule and the default policy is allow [for now].

Please help.

--ExpLiciT
'Firewalls are speed bumps not brick walls'

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
==============
 
Old 07-06-2005, 04:07 PM   #13
nickbunyan
How I solved it...

I have the same problem with two sons - and I split the problem into two parts.

I spent a few bucks (around 25 I think) on a proprietary Windoze site filter. There are several to choose from and I think even one or two freeware ones these days...

And the easy part is to use ipchains on the linux gateway to do the time-clock part.

Simply configure 2 or 3 different ipchains files with different rulesets which allow some, none or all of the machines (your choice) to access the internet via your linux gateway on the cable. Then use good old cron to switch over from one file to another at appropriate times.

E.g.

Ruleset one: Dad's machine, Mum's machine, Big Son's machine, Small Son's machine
Ruleset two: Dad's machine, Mum's machine, Big Son's machine
Ruleset three: Dad's machine, Mum's machine

At 2000 hrs when small son should be getting ready for bed, cron switches from ruleset one to ruleset two, then at 2130 when Big son should be getting ready for bed, cron runs ipchains with ruleset three and then only mum and dad can surf the net...

The main reason I went this route is that I couldn't find a freeware linux based content filter that was 'up-to-date'. Most of the paid-for Windoze ones include regular updates with the fee so the 'banned lists' keep getting updated.

Hope this helps and if you need help with the ipchains config ping me here.

nickbunyan
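As an added example (not from nickbunyan's post or from any project), here is a POSIX shell script that encodes the three rulesets and the cron switch-over described above. The LAN addresses, the 06:00 morning reset and the install path /usr/local/sbin/access-rules.sh are assumed placeholders; the ipchains commands are printed by emit_ruleset (and only piped to sh when the script is run with a ruleset name on the gateway), so the selection logic can be checked on any machine.

```shell
#!/bin/sh
# Constructed example: time-of-day access rulesets for an ipchains gateway,
# switched by cron. Addresses below are placeholders for your LAN.
DAD=192.168.1.10
MUM=192.168.1.11
BIGSON=192.168.1.12
SMALLSON=192.168.1.13

# Machines allowed out through the gateway under each ruleset.
hosts_for_ruleset() {
    case "$1" in
        one)   echo "$DAD $MUM $BIGSON $SMALLSON" ;;
        two)   echo "$DAD $MUM $BIGSON" ;;
        three) echo "$DAD $MUM" ;;
        *)     echo "unknown ruleset: $1" >&2; return 1 ;;
    esac
}

# Ruleset that should be active at a given clock time (HHMM, 24h):
# one until 20:00, two until 21:30, three afterwards.
ruleset_for_time() {
    if [ "$1" -lt 2000 ]; then echo one
    elif [ "$1" -lt 2130 ]; then echo two
    else echo three
    fi
}

# Print the ipchains commands for a ruleset. The forward chain is flushed and
# its policy set to DENY, so a machine not listed cannot reach the net at all,
# whatever its browser's proxy setting says.
emit_ruleset() {
    hosts=$(hosts_for_ruleset "$1") || return 1
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    for h in $hosts; do
        echo "ipchains -A forward -s $h -j MASQ"
    done
}

# crontab entries that switch rulesets at 20:00, 21:30 and (assumed) 06:00.
# /usr/local/sbin/access-rules.sh is the assumed install path of this script.
crontab_lines() {
    echo "0 20 * * * /usr/local/sbin/access-rules.sh two"
    echo "30 21 * * * /usr/local/sbin/access-rules.sh three"
    echo "0 6 * * * /usr/local/sbin/access-rules.sh one"
}

# When run with a ruleset name on the gateway, apply it.
if [ $# -eq 1 ]; then
    emit_ruleset "$1" | sh
fi
```

Install the output of crontab_lines with `crontab -e` on the gateway; because the forward policy is DENY, a missed cron run fails closed rather than open.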