LinuxQuestions.org
Old 07-06-2016, 03:29 PM   #1
theCapitain
Member
 
Registered: Jul 2010
Location: Northern Italy
Distribution: Slackware, Slax
Posts: 59

Rep: Reputation: 2
Parental control - transparent proxying


I'm trying to set up parental control on a PC running Slackware64 14.2. I've followed Alien's wiki article but it doesn't seem to work properly: Internet becomes practically unusable. It's not dansguardian's fault; the error I get from the web browser when I type, for example, www.linuxquestion.org is:

The connection to the server was reset while the page was loading.
-The site could be temporarily unavailable or too busy. Try again in a few moments.
-If you are unable to load any pages, check your computer's network connection.
-If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

I can access the website typing: https://www.linuxquestions.org.
If the site was filtered by dansguardian I would get a different screen, according to the template selected.
Stopping rc.firewall the web surfing is ok but, of course, without control.
So I suppose the problem is related to the iptables rules:
Code:
PRIVUSERS="root"
start() {
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT
  for user in $PRIVUSERS; do
    /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT
  done
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
  /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -j REDIRECT --to-ports 8080
}
I'm not able to troubleshoot this. Any hints on diagnosing it are appreciated.
Thanks

Last edited by theCapitain; 07-09-2016 at 05:33 PM.
 
Old 07-07-2016, 08:30 AM   #2
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
Is this box for kids only? You could not do NAT for it, leaving the proxy the only way out to the internet.
 
Old 07-07-2016, 09:25 AM   #3
theCapitain
Member
 
Registered: Jul 2010
Location: Northern Italy
Distribution: Slackware, Slax
Posts: 59

Original Poster
Rep: Reputation: 2
Yes, it is for my daughter.
Thank you for your answer, but I don't really understand what you mean ... I'm not very skilled, I've just followed a tutorial. Could you explain your suggestion a little bit more?
Thanks
 
Old 07-07-2016, 03:56 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,893

Rep: Reputation: 3615
This is more of me thinking out loud rather than a good answer.

Kind of hard to slow down a smart kid.

How did you decide what to blame? Did you set the proxy in browser or globally?

An idea may be to use a pre-made table or get Firewall Builder to make it maybe. Consider white list and black list.

As a side note, I think I'd force only https access.

Really a shame that parents can't be offered a filtered web connection where kids can't bypass it.

Last edited by jefro; 07-07-2016 at 03:59 PM.
 
Old 07-07-2016, 10:00 PM   #5
jnihil
Member
 
Registered: Dec 2012
Location: inside the matrix
Distribution: Debian, Xubuntu, Gentoo, Antergos
Posts: 90

Rep: Reputation: 27
The question involves a transparent proxy, so it cannot be bypassed.
 
Old 07-08-2016, 03:44 AM   #6
theCapitain
Member
 
Registered: Jul 2010
Location: Northern Italy
Distribution: Slackware, Slax
Posts: 59

Original Poster
Rep: Reputation: 2
… and, in any case, my duty now is to protect her; if one day she is able to bypass the filter, then she will also be ready to face the harsh reality.
 
Old 07-08-2016, 10:30 AM   #7
theCapitain
Member
 
Registered: Jul 2010
Location: Northern Italy
Distribution: Slackware, Slax
Posts: 59

Original Poster
Rep: Reputation: 2
I did some further investigation. My first diagnosis was wrong. I stopped iptables and did a manual proxy configuration in order to make the browser connect through local TCP port 127.0.0.1:8080 where dansguardian should be listening. I get the same result, so something is wrong somewhere.
Moreover, adding a website to the dansguardian exceptionsitelist doesn't make a difference.
Here are the configs (stripped of comments), just in case someone wants to take a look. Thanks
Code:
## tinyproxy.conf -- tinyproxy daemon configuration file
##
User nobody
Group nobody
Port 3128
Listen 127.0.0.1
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
Code:
# DansGuardian config file for version 2.10.1.1
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
anonymizelogs = off
filterip =127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
mailer = '/usr/sbin/sendmail -t'

Last edited by theCapitain; 07-09-2016 at 05:32 PM.
 
Old 07-08-2016, 11:27 AM   #8
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,896

Rep: Reputation: 1045
I suggest you use a packet sniffer to see what network traffic is doing what. Tcpdump, wireshark are good options. There are tutorials on how to use both all over the internet.

If that is too hard for you then I suggest changing the firewall to use something like UFW (https://slackbuilds.org/repository/14.2/network/ufw/) to help you set the correct firewall rules.

Additionally, it would help us to help you if you included the log file output for tinyproxy and dansguardian. Otherwise you are asking for help without providing all the information.

If I had to guess what is not working... 1. One of the daemons is not running. 2. Firewall is incorrectly configured. 3. There is a typo in your configuration.
 
Old 07-09-2016, 05:30 PM   #9
theCapitain
Member
 
Registered: Jul 2010
Location: Northern Italy
Distribution: Slackware, Slax
Posts: 59

Original Poster
Rep: Reputation: 2
Thanks for your hints mralk3. Your guess number 1 was right. Tinyproxy wasn't running ... actually I didn't understand why but after turning on the logging (in order to post some more information) and starting tinyproxy with the -d option (debug) I've seen that the log directories were missing, so I created them, chown nobody and everything started to run properly.
I apologize for having posted such a trivial question, but your answers really helped me to find the path.
Thanks.
 
1 members found this post helpful.
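
The checks that resolved this thread, as an added shell example that is not from any poster: it tests whether dansguardian (8080) and tinyproxy (3128) are listening and whether the directories tinyproxy needs exist with the right owner. `LogFile` and `PidFile` are tinyproxy.conf directives; the paths are whatever your own config names, and the `ss -ltn` listing and temporary files below are constructed.

```shell
#!/bin/sh
# Added example: checks each hop of the browser -> dansguardian -> tinyproxy chain.
# Ports come from the configs posted in the thread (filterport 8080, Port 3128).

# Succeeds if the `ss -ltn` listing on stdin has a LISTEN socket on port $1.
is_listening() {
  awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                 END { exit !found }'
}

# Prints the directory of every LogFile/PidFile path named in tinyproxy.conf $1.
conf_dirs() {
  awk '$1 == "LogFile" || $1 == "PidFile" { gsub(/"/, "", $2); print $2 }' "$1" |
    while IFS= read -r path; do dirname "$path"; done | sort -u
}

# Succeeds if directory $1 exists and is owned by user $2.
dir_owned_by() {
  [ -d "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Prints one line per problem found; prints nothing when the chain looks healthy.
# $1 = file holding `ss -ltn` output, $2 = tinyproxy.conf, $3 = daemon user.
diagnose() {
  is_listening 8080 < "$1" || echo "dansguardian: nothing listening on 8080"
  is_listening 3128 < "$1" || echo "tinyproxy: nothing listening on 3128"
  conf_dirs "$2" | while IFS= read -r d; do
    dir_owned_by "$d" "$3" || echo "tinyproxy: $d missing or not owned by $3"
  done
}

# Constructed sample: dansguardian is up, tinyproxy is not (the state in the thread).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Demo on constructed files: reports the dead proxy and the missing log directory.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_SS" > "$tmp/ss.txt"
printf 'LogFile "%s/log/tinyproxy.log"\n' "$tmp" > "$tmp/tinyproxy.conf"
diagnose "$tmp/ss.txt" "$tmp/tinyproxy.conf" nobody
rm -rf "$tmp"
```

On a live system, save `ss -ltn` to a file and pass it with the real tinyproxy.conf path and the `User` value from that config.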
All times are GMT -5. The time now is 09:33 AM.