[SOLVED] Parental control

theCapitain · 07-06-2016, 02:29 PM

I'm trying to setup a parental control on a PC running Slackware64 14.2. I've followed the Alien's wiki article but it doesn't seem to work properly: Internet becomes practically unusable. It's not dansguardian faults, the error I get from the web browser when I type, for example, www.linuxquestion.org is:

The connection to the server was reset while the page was loading.
-The site could be temporarily unavailable or too busy. Try again in a few moments.
-If you are unable to load any pages, check your computer's network connection.
-If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

I can access the website typing: https://www.linuxquestions.org.
If the site was filtered by dansguardian I would get a different screen, according to the template selected.
Stopping rc.firewall the web surfing is ok but, of course, without control.
So I suppose the problem is related to the iptables rules:

Code:

PRIVUSERS="root"
start() {
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT
  for user in $PRIVUSERS; do
    /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT
  done
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -j REDIRECT --to-ports 8080
}

I'm not able to troubleshot this. Any hints in diagnosing are appreciated.
Thanks

Emerson · 07-07-2016, 07:30 AM

Is this box for kids only? You could not do NAT for it, leaving the proxy the only way out to the internet.

theCapitain · 07-07-2016, 08:25 AM

Yes, it is for my daughter.
Thank you for your answer, but I don't really understand what you mean ... I'm not much skilled, I've just followed a tutorial. Could you explain a little bit more your suggestion?
Thanks

jefro · 07-07-2016, 02:56 PM

This is more of me thinking out loud rather than a good answer.

Kind of hard to slow down a smart kid.

How did you decide what to blame? Did you set the proxy in browser or globally?

An idea may be to use a pre-made table or get Firewall Builder to make it maybe. Consider white list and black list.

As a side note, I think I'd force only https access.

Really a shame that parents can't be offered a filtered web connection where kids can't bypass it.

jnihil · 07-07-2016, 09:00 PM

the question involves a transparent proxy, so it cannot be bypassed.

theCapitain · 07-08-2016, 02:44 AM

… and, in any case, my duty now is to protect her, if one day she will be able to bypass the filter, then she will be also ready to face the harsh reality.

theCapitain · 07-08-2016, 09:30 AM

I did a further investigation. My first diagnosis was wrong. I stopped the iptable and did a manual proxy configuration in order to make the browser to connect through local TCP port 127.0.0.1:8080 where dansguardian should be listening. I get the same result, so something is wrong somewhere.
Moreover, adding a website to the dansguardian exceptionsitelist doesn't make differences.
Here the configs (stripped of comments), just in case someone wants to take a look. Thanks

Code:

## tinyproxy.conf -- tinyproxy daemon configuration file
##
User nobody
Group nobody
Port 3128
Listen 127.0.0.1
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

Code:

# DansGuardian config file for version 2.10.1.1
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
anonymizelogs = off
filterip =127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
mailer = '/usr/sbin/sendmail -t'

mralk3 · 07-08-2016, 10:27 AM

I suggest you use a packet sniffer to see what network traffic is doing what. Tcpdump, wireshark are good options. There are tutorials on how to use both all over the internet.

If that is too hard for you then I suggest changing the firewall to use something like UFW (https://slackbuilds.org/repository/14.2/network/ufw/) to help you set the correct firewall rules.

Additionally, it would help us to help you if you included the log file output for tinyproxy and dansguardian. Otherwise you are asking for help without providing all the information.

If I had to guess what is not working... 1. One of the daemons is not running. 2. Firewall is incorrectly configured. 3. There is a typo in your configuration.

theCapitain · 07-09-2016, 04:30 PM

Thanks for your hints mralk3. Your guess number 1 was right. Tinyproxy wasn't running ... actually I didn't understand why but after turning on the logging (in order to post some more information) and starting tinyproxy with the -d option (debug) I've seen that the log directories were missing, so I created them, chown nobody and everything started to run properly.
I apologize for having posted such a trivial question, but your answers really helped me to find the path.
Thanks.