LinuxQuestions.org


maples 03-27-2014 06:32 PM

A few questions about setting up an Internet filter on Ubuntu Server 12.04.03
 
Hi,
I have been thinking about setting up a home Internet filter for a while. I thought it would be an interesting project to try, and a friend suggested that I give it a shot. (I think) I understand the basics of networking, but have several questions. As a quick disclaimer, I might not actually start setting this up until the end of the school year because of schoolwork.

For the filter, I wanted something that would be able to block access to malicious websites, and also block downloads with certain file extensions (*.exe, *.bat, etc.), to keep my little sisters from clicking on the wrong things. Something with an override password would be preferred.

My thoughts for the setup were this:

Internet connection from DSL router >> Ethernet port 1 on my server
Ethernet port 2 on my server >> an Ethernet/WiFi router
Router >> All the other computers to be connected to the filter

I currently don't have a router to use, but I have some Amazon gift cards and was looking at this one. Is it a good choice, or is there a better one I might want? (I'd prefer to stay under $20.)

I also found that I should use Squid as the content filter. I haven't done much research on that yet, but I plan on doing so sometime in the (hopefully near) future.

Thanks for sharing your time and knowledge!

Emerson 03-27-2014 07:08 PM

Quote:

Internet connection from DSL router >> Ethernet port 1 on my server
Ethernet port 2 on my server >> an Ethernet/WiFi router
Router >> All the other computers to be connected to the filter

How about this:

Internet connection from DSL modem (no router functionality, bridge mode) >> Ethernet port 1 on server
Ethernet port 2 on server (which will do routing and NAT) >> an Ethernet switch and wireless AP (no routing)

You can run a proxy in your server and turn NAT off. This way nobody can bypass your proxy. See Privoxy project.
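
An added example, not part of Emerson's post: the proxy-only gateway described above, written as a ruleset in which the server forwards nothing and accepts only proxy connections on its LAN side. The interface name, the DHCP rule and the function names are assumptions; 8118 is Privoxy's default listen port.

```shell
#!/bin/sh
# Added example: ruleset for a gateway that proxies but never routes.
# Assumptions: LAN interface and proxy port are passed as parameters,
# and the server also hands out DHCP leases on the LAN side.

# Print an iptables-restore ruleset.  usage: emit_rules LAN_IF PROXY_PORT
emit_rules() {
    lan_if=$1
    port=$2
    # Reject anything that is not a plain interface name or port number,
    # so a typo cannot produce a half-valid ruleset.
    case $lan_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $lan_if" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    cat <<EOF
*filter
# Default-deny inbound; FORWARD is dropped so nothing is routed past the proxy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport $port -j ACCEPT
-A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
COMMIT
EOF
}

# Disable kernel forwarding, then load the ruleset atomically (needs root).
# There is no SSH rule: administer from the console or add one for your admin host.
apply_rules() {
    rules=$(emit_rules "$1" "$2") || return 1
    sysctl -w net.ipv4.ip_forward=0 >/dev/null &&
    printf '%s\n' "$rules" | iptables-restore
}

# Run as: sh gateway.sh eth1 8118   (prints the ruleset for review only)
if [ "$#" -eq 2 ]; then emit_rules "$1" "$2"; fi
```

With this in place, clients reach the Internet only if their browser is configured to use the server's LAN address and the proxy port, and the proxy itself must listen on that address rather than only on 127.0.0.1.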

bcwagne 03-27-2014 07:09 PM

I've done quite a bit with building custom routers/filters. These are the solutions that worked for me:

- Squid + SquidGuard. It worked, but was sluggish.

- Squid + Dansguardian. It also worked, but was still sluggish, though somewhat quicker. Squid really was too much for what I wanted. It has a lot of cool features, but I needed something lighter.

- Tinyproxy/fireproxy/<insert small proxy here> + Dansguardian. This really was the sweet spot for me. It was quick and effective.

- IPTables/PFTables... I couldn't really get this one to work well. I didn't have time to really get to know IPTables very well.

- Some router distribution... Endian, ClearOS, pfSense, IPCop, etc. These were my favorites. They are easy to use, but not quite as much fun. If you want it to just work, I suggest one of these. Endian and ClearOS were my favorites, just for ease of use.

My topology was this: DSL router -> eth1 on custom router -> eth2 on custom router (serving IP addresses) -> switch -> user computers. They were unable to bypass it (with appropriate physical security), and no one even noticed the filtering.

My next foray will be with a second-hand Linksys I picked up for a couple of dollars, and a third-party firmware distro like DD-WRT or OpenWrt or something. If you decide to go this route, make sure whichever router you use is listed on the firmware's supported hardware list. It would be a shame to get a cool router only to have it bricked because it's unsupported.

Good luck! I'm excited for the results!


All times are GMT -5.