Trying to use a program called "SQUID" as a Website Blocker - why not working? Is it even possible?
 

Hi.

I'm curious about this. I've got a rather um, "interesting" usage case - if not for the proximate aim then for the circumstances - here regarding networking on a GNU/Linux system and network.

One of the biggest problems I've been dealing with recently, due to emotional and psych. issues, is a sort of "addiction" to certain websites that are not good for me to visit and moreover serve as time-wasters, and what I'm trying to do is to put in place safeguards so that I cannot easily visit these sites from home, at least not when I am trying to do things like schoolwork for college or other necessary tasks. The house I am living at is a family home and it has several computers in it and they all can connect to the Internet and all run various flavors of GNU/Linux (except for my own which also runs MS Windows 8 and from which I am posting this message). Currently, I am managing access to these sites through the use of a locally-enabled domain name block in /etc/hosts on my machine and have the root password set to one which a family member knows of but I do not, making it so that I cannot easily defeat it and gain access to the Internet (e.g. /etc/hosts is unmodifiable from my user account). The problem is - 1. I can go to Windows to access my kryptonite although so far the hassle of a reboot has helped to dissuade most of that activity esp. given that I have no nice programming tools on the Windows side, and 2. this setup prevents me from being able to use root access to do things like install new software and modify the system configuration - tasks I'd really like to do as I've recently been experimenting with various mods, in particular "metric clocks" (displaying time of day in kiloseconds instead of hours, minutes, and seconds) and other stuff related to measurement units - right now. But those specifics don't really matter.

Because of these two concerns, what I decided to do was something else - and that is, to institute a block on websites that is further up the network. In particular, the household network looks like a wireless (WiFi) network of all computers pooling into a central NETGEAR router which in turn connects to a cable modem by an ethernet cable plugged into its "WAN" port, i.e.

(Computers) ->WiFi-> (NETGEAR) -> (Cable Modem) -> (Internet)

Now the NETGEAR has some filtering options but they are very limited, and not good as a truly comprehensive blocking solution, and don't seem to work very well on modern social media-style websites (in particular, the sites I am looking to ban are Reddit and Quora) for some reason - and indeed, as we get into what I'm trying here, we seem to run into this problem with modern websites in general, which seems to beg the question of why these blocking features even exist if they are not useful. In particular, digging into this suggested that a professional router would be required to seriously block the sites - a very expensive proposition.

So, to remedy that problem, what I decided on instead was to sandwich a computer we had but which was not getting much use before between the NETGEAR and the Cable Modem, which I call here the "Internet Filtration Unit", or "IFU", computer. In particular, it has two Ethernet ports on its back side (well it originally had only one, but we "created" a second specifically for this purpose by buying an Ethernet-to-USB dongle which seems to work with the GNU/Linux system). One of these ports (the USB Dongle) is connected to the "WAN" port of the NETGEAR, while the other (which is the original built-in port) is connected to the Cable Modem, making the setup look like this:

(Computers) ->WiFi-> (NETGEAR) -> (IFU) -> (Cable Modem) -> (Internet)

The goal is, of course, to use this system to filter out traffic passing through it so that requests for the objectionable websites are blocked, while retaining the ability to access desirable websites, and since the blocking is not done on my own computer or on any other computer in the house that is upstream of the NETGEAR, then I can lift the ban locally so that I don't have to have my root access taken away and Windows will not be able to access the bad sites either. This system will be secured because the afoermentioned family member will be the only one with the passwords to access it, which is enough deterrent for me from messing around with it.

This IFU system runs Linux Mint 18.3 "Sylvia". Getting the connection to pass through was relatively straightforward compared to filtering and I just used the existing "NetworkManager" functionality to set up the network interfaces. In particular - the interface facing toward the NETGEAR is checked as a "Share to Other Computers" connection so that the IFU's Internet connection (from the Cable Modem) will be sent to the computers in the rest of the house. This interface is, as mentioned before, the USB Dongle, and has the name "enx0050b620eee7". It seems to be assigned by the operating system an IP Address of 10.42.0.1, and the NETGEAR picks it up and assigns itself (using DHCP, presumably broadcasted through by Mint's connection sharing facility) on the WAN port an IP of 10.42.0.108. On the other side is the built-in Ethernet which faces toward the Cable Modem, called "enp4s0". This is set to be configured automatically via DHCP explicitly. The Cable Modem assigns it a *global* IP address that is on the public Internet around 76.x.y.z (do not remember/have it here) and is presumably dynamic as well, obtained from the ISP. Thus we get the following setup, where arrows mean "connection faces", not "packet/data moves from/to":

(Computers) <--- (NETGEAR, 10.42.0.108) <--- (IFU 10.42.0.1 | IFU 76.x.y.z DYNAMIC) ---> (Cable Modem) ---> (Internet)

So far, so good. This works, rather like a charm.

But, of course, that only means we are piping Internet - we are not actually filtering content, and that's what of course we want to do. So I looked around, considered a few options, then came across this program called "SQUID", which is a "proxy server" and appears to, on the surface, do exactly what we need. However, as with many things, I can't find really good, well-written and expository documentation, and I've never used this program before at all - I just saw it and saw that some other people have tried to use it to block websites, so I figured maybe I could use it, too. Apparently there's a book on SQUID but it's expensive and I am poor and don't have a lot of money I'd want to spend on things like this, and moreover as we will see next I am not even sure if SQUID will even work, which would make it an unjustifiable risk to shell out all that money.

But I've been having a HELL of a time trying to set this up, and I want to figure out just what and how to do it, as none of the tutorials I've found seem to have a use case quite like this. Either they're doing it for some other reason than blocking websites, or they're doing it with a different network setup (esp. not interfaces configured with DHCP on the proxy machine!) and so it's difficult to figure out how to translate them over, or they're imagining the SQUID program installed as a blocker on the same machine we seek to block access from, or they are imagining using it as a configurable proxy server in the browser, or a number of other key differences - and the last two cases definitely won't work here since that's easily overridden by someone who REALLY wants their Quora "fix", and making it hard to "get a fix" is the whole point of this project!

And so we get to the problem. The SQUID system DOES seem to work - very well - when in fact it is used in exactly that manner: as a proxy server that you configure in the browser (using IP 10.42.0.1, port 3128, in the proxy settings). It blocks the bad sites and lets through everything else, nice and clean. The trouble is, of course, just what I mentioned. That's not a good solution if you're looking to try and wean yourself from the addictive sites when you can just click on "Configure..." in the browser and "turn off proxy" and then sail away on a cloud of "joy"! Or even just go to Windows! So what we need is to somehow insert it automatically, regardless of the browser settings on any machine.

And so I heard of something called making it a "transparent" server - and that's where things go bad and I have NOT been able to get it to work well. I've tried several things and they've all had various problems - e.g. either it lets everything pass, or it blocks the sites seemingly sporadically, or it even goes and causes trouble and havoc with attempts to access "OK" sites and, moreover, it's not very consistent with it.

However, here I finally have obtained, after kiloseconds of headaches (and fighting through "The Destroyer"), a configuration with consistent, but errant, behavior, and it's the one I give below - both the SQUID Configuration file, /etc/squid/squid.conf, and the firewall/router rules with IPTables on the Linux kernel side. In this case, the errant behavior is to pass all traffic, including that of the blocked sites, i.e. the block is completely ineffective. Why is this, and what is going on?

Worse yet, I read something saying that SQUID *CANNOT* filter HTTPS/SSL because of fundamental issues relating to the encrypted nature of the data being sent back and forth that is the defining feature of the protocol. Is that right? Is it actually *impossible* to use SQUID to block HTTPS websites - at least as "transparent" proxy, which is what it seems is necessary to circumvent the need to tell a browser to use it (and so defeating the whole purpose)? If so, is there some workaround that will accomplish my goal, or an alternative system that will work?

Anyway, here's the files.

/etc/squid/squid.conf:
iptables setup commands - to be issued on the command line as this system is not yet finalized:
ifconfig information:
The banned list /etc/squid/restricted-sites.squid:

Well, so you have lot of time to networkcompute and talk instead of homeworking ;-) You make me think about Philip Adams(http://osfirsttimer.wikia.com/wiki/Philip_Adams, that's not a think that will help you stopping surfing). Like him, you try technical things without understanding everything. For example a "GNU/Linux network" doesn't really mean something...

I don't know your Netgear router, but I suppose that the proposed filtering is a firewall, and it's logical that it doesn't fit your needs since a firewall works on a lower layer than Web/HTTP. Personally in the past I succeed doing what you want, even with only one network card. I wouldn't have choose Mint for such usage. I think that putting IFU between the router and the modem is useless, moreover because you configured it as a gateway... It's just wasting electricity for nothing. You could put Squid on any Linux station of the house. But I'm upset that so much energy is wasted just because you can't refrain yourself for browsing. If at least there was a need for filtering in the whole family...

hm. I could simply configure squid to block unwanted sites just by setting acl list. Did you configure your browser to use that squid proxy? But if you have such problems you may want to try pihole. Probably easier. https://pi-hole.net/