Hi there,
Have managed to get my little home LAN set up with content filtering, using Privoxy.
Although some of the below is already above, I figured I would set it out in one piece:
----------------------------------------------------------------------------------------------------------------------------
ADSL line connects to: D-Link DSL-504 ADSL Modem/4 port router
which connects to: D-Link DFE-650TX 10/100 PCMCIA ethernet adapter, as eth1, in the -->
Linux server box, an IBM 600X laptop running Feather Linux 0.7.4, which provides NAT service to:
Surecom EP428X 10/100 PCMCIA ethernet adapter, as eth0
eth0 is connected by a crossover cable to a DWL-1000AP wireless access point.
Several PCs are then connected wirelessly to the internet via the AP.
---------------------------------------------------------------------------------------------------------------------------
The software setup is as follows:
eth1 is brought up automatically during the boot process, as it is connected to the modem/router, which provides a DHCP service.
IP addresses:
router 192.168.0.1 netmask 255.255.255.0 <-- set earlier via the router's web interface
eth1 192.168.0.2 netmask 255.255.255.0
wireless AP 192.168.1.2 <-- set earlier via the AP's setup software
eth0 is brought up via a call to 'ifconfig'
ifconfig eth0 192.168.1.1 netmask 255.255.255.0
---------------------------------------------------------------------------------------------------------------------
# the below instructions can be put in a script file and made to execute with each boot
#
# clear any existing iptables info
#
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# set up and activate the NAT service
#
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# to stop LAN clients accessing the net other than via Privoxy, 'turn off' port 80 for the internal LAN
#
iptables -I FORWARD -p TCP -i eth0 --dport 80 -j REJECT
# Turn on routing
#
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on Privoxy
#
/etc/init.d/privoxy start
#
---------------------------------------------------------------------------------------------------------------------
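The same rules, as an added example that is not Geoff's script: the interface names are the ones from the post, but the script is wrapped so it can be dry-run (commands printed) before being applied as root, and the order of the FORWARD rules can be checked. Note that only TCP port 80 is forced through the proxy; HTTPS (443) and any other port still pass straight through the NAT, unfiltered, so this is a content filter for plain HTTP, not a bypass-proof one. The DRY_RUN variable and the run/check_order helpers are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own script): NAT plus "port 80 only via Privoxy",
# with a dry-run mode so the generated iptables commands can be inspected first.
# eth1 = modem/router side, eth0 = wireless LAN side, as in the post.

WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; set to 0 to apply them as root

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# flush_rules: start from an empty ruleset so re-running the script is idempotent
flush_rules() {
    run iptables --flush
    run iptables --table nat --flush
    run iptables --delete-chain
    run iptables --table nat --delete-chain
}

# apply_rules: masquerade out of eth1, forward from eth0, but reject direct
# TCP/80 from the LAN so browsers have to go through Privoxy.
# -I puts the REJECT rule at the head of FORWARD, so it is evaluated before
# the blanket ACCEPT; with -A it would come after the ACCEPT and never fire.
# Only TCP/80 is covered: 443 and every other port still pass unfiltered.
apply_rules() {
    run iptables --table nat --append POSTROUTING --out-interface "$WAN_IF" -j MASQUERADE
    run iptables --append FORWARD --in-interface "$LAN_IF" -j ACCEPT
    run iptables -I FORWARD -p TCP -i "$LAN_IF" --dport 80 -j REJECT
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# check_order: given the dry-run output, confirm the port-80 REJECT is
# inserted (-I) rather than appended, i.e. it wins over the ACCEPT.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    printf '%s\n' "$1" | grep -q -- '-I FORWARD .*--dport 80 -j REJECT'
}

main() {
    flush_rules
    apply_rules
}

main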
In order to be able to 'track' access by clients on the LAN, I used static IPs for the client LANs, with these and their machine names listed in '/etc/hosts'.
---------------------------------------------------------------------------------------------------------------------
I found that the default Privoxy is a bit too eager. Also, using Firefox blocks most pop-ups and the router forms a hardware firewall. So, I don't use the 'default.action' action file and have turned off most of the filters.
The config file was modified so that the following action and filter files are used:
/etc/privoxy/standard.action
/etc/privoxy/user.action
/etc/privoxy/default.filter
I used the following modified 'user.action' file (further modified here by substituting the coarse words):
#####################################
# user.action file, modified for content filtering
#
#
# URL blocking
#
{+block \
}
.rude*..*
.*rude..*
.bad*..*
.*bad..*
#
# ... and lots more! Each pair blocks any "domain" (the first part of the URL) that either starts or ends with the string.
#
/.*(bad|rude|other|more|etc)
#
# The pattern above matches the test strings anywhere in the URL after the "domain" name.
# To match a string only at the start (or end) of a word, rather than as a sub-string, put a
# space before/after/both in the "edit" dialog available in the web configuration. Strangely,
# the space appears as a '+' when you re-edit the string set, but not when it is displayed by
# the web config page.
# I have also had some success using a filter to replace a set of 'bad' words in pages that
# get through the above block; the filter below was added to the 'default.filter' file.
#
FILTER: rude replace banned words
s/( bad | rude| other|more| etc)/**EXPLETIVE DELETED**/ig
# Again, the placement of spaces can (mostly) avoid acceptable words containing the banned
# strings as sub-strings being replaced.
# lastly a '-block' to allow some good sites that had banned words in their URL or in the pages, this
# will develop into a 'white list' over time.
#
{-block \
}
www.google.com
.dmoz.org
#
-------------------------------------------------------------------------------------------------------------------------
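The word-replacement filter from the FILTER block above, run outside Privoxy so the effect of the spaces in the pattern can be checked on sample text. This is an added example, not part of Geoff's post: Privoxy applies such s/// commands itself (its PCRS syntax is Perl-style), and GNU sed -E with the I flag is used here only to show what the pattern does and does not match. The sample sentences are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): apply the post's substitution with sed
# to see which words it catches. " bad " only matches the whole word, " rude"
# matches the word and anything starting with it, and "more" (no spaces)
# also hits "moreover" or "Baltimore", which is the sub-string problem the
# post mentions.

# filter_words: apply the post's s/// command (case-insensitive, global) to stdin
filter_words() {
    sed -E 's/( bad | rude| other|more| etc)/**EXPLETIVE DELETED**/Ig'
}

# demo: feed one constructed line of text through the filter and return the result
demo() {
    printf '%s\n' "$1" | filter_words
}

# Stand-alone run: "bad" and "rude" are replaced, "moreover" is mangled,
# "badly" survives because the pattern needs a space after "bad".
demo 'That was a bad idea, a rude remark, and moreover a badly chosen word.'
```

The output shows both sides of the spacing trade-off: the trailing space in " bad " keeps "badly" intact, while the unspaced "more" replaces the first four letters of "moreover".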
I hope that the above is of some use to others.
Bye for now,
Geoff.