Wednesday, December 25, 2013

Part VI - The Ultimate Linux Home Router - SquidGuard - Internet Filtering

Introduction

It's worth warning that perfect internet filtering is impossible. It's for this reason that parents who have older children often don't bother with it since it tends to filter out benign things. That said, I have young children with tablets that Santa bought them for Christmas. I've locked the tablets down rather thoroughly on their own--prohibiting the use of the browser without a password and using a simple tool to restrict YouTube access. I know, however, that there will be times that they'll need the browser and when they do, they'll be using a browser with most controversial subjects filtered out. Don't get me wrong, I'm not interested in Nerf(tm)ing up the internet and preventing them from seeing some of the realities of life. But when they need unrestricted access, I will be there supervising directly. When I can't, most of the internet will be blocked.

Run an update

Since it's been a few days since this was posted, it's worth making sure we're running the latest versions of everything. Run the following and follow any onscreen instructions.
$ sudo zypper up

Installing SquidGuard

$ sudo zypper in squidguard

Restricting Tablets - DHCP Reserved Addresses

One option (and certainly not the most bulletproof) is to set the tablets up with static IP addresses. This is really simple to get around if your children have any basic understanding of IP networking (or know how to wield google in their favor). In a later post, I'll be adding authentication to the proxy server, but until then, I wanted to at least force DHCP to assign the same address. The settings panel on my tablets is password protected, so one of the kids changing the settings is not a huge concern of mine. In addition, assigning the IP via DHCP ensures that I won't need to make other configuration changes when the tablet moves to different networks.
Reserved addresses are assigned when the DHCP server sees a client with a specific MAC address. Since it's easier to retrieve the current IP address on my tablets, I've written down the two addresses: 192.168.0.121 and 192.168.0.127, and we'll look up the host details on the server.
The following command lists the current leases along with their MAC addresses:
$ cat /var/lib/dhcp/db/dhcpd.leases | egrep "(^lease)|(hardware)"
Find the leases that match the addresses assigned to the tablets and copy their hardware addresses.
$ sudo nano /etc/dhcpd.conf
Find the subnet that corresponds to your network. It'll look something like this:
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  default-lease-time 14400;
  max-lease-time 172800;
}
Modify it:
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  default-lease-time 14400;
  max-lease-time 172800;
  host girlstablet {
    fixed-address 192.168.0.30;
    hardware ethernet xx:xx:xx:xx:xx:xx;
  }
}
I've added a host 'girlstablet' with the MAC address "xx:xx:xx:xx:xx:xx" and assigned it the address 192.168.0.30. I'll be putting all of the restricted devices on the 192.168.0 subnet in the range 192.168.0.30-39. Do the same with any other devices, assigning each an IP address outside of the normal lease range.
Save and Exit, then run:
$ sudo rcdhcpd restart

Installing Blacklists

I'm going to use Shalla's Blacklists for this example, but there are several others available. Shalla's is for private, non-commercial use only. If you're using it for a business, consult their web site to ensure you are compliant. Create a script to download the filter list:
$ sudo nano /usr/sbin/update_squidguard_blacklist.sh
Paste in the following and Save/Exit.
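#!/bin/sh
# Refresh the squidGuard blacklist database from Shalla's list.

# Stop if the directory is missing; otherwise "rm -r *" would run
# in whatever directory the script was started from.
cd /var/lib/squidGuard/db || exit 1
rm -r *
wget 'http://www.shallalist.de/Downloads/shallalist.tar.gz'
tar -xvf shallalist.tar.gz
# The archive unpacks into BL/; move the categories up one level.
cd BL || exit 1
mv * ..
cd ..
rmdir BL
# Build the .db files, then hand ownership to the squid user.
/usr/sbin/squidGuard -C all
chown -R squid *
chown -R squid /var/log/squidGuard
rm shallalist.tar.gz
squid -k reconfigure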
Run the following:
$ sudo chmod 750 /usr/sbin/update_squidguard_blacklist.sh
$ sudo ln -s /usr/sbin/update_squidguard_blacklist.sh /etc/cron.daily/update_squidguard_blacklist.sh
$ sudo nano -w /etc/squidguard.conf
Remove all lines from the file below "logdir /var/log/squidGuard" and paste in the following:
dest adv {
     domainlist adv/domains
     urllist    adv/urls
}

dest aggressive {
        domainlist      aggressive/domains
        urllist         aggressive/urls
        log             aggressiveaccess
}

dest alcohol {
        domainlist      alcohol/domains
        urllist         alcohol/urls
        log             alcoholaccess
}

dest anonvpn {
        domainlist      anonvpn/domains
        urllist         anonvpn/urls
        log             anonvpnaccess
}

dest costtraps {
        domainlist      costtraps/domains
        urllist         costtraps/urls
        log             costtrapsaccess
}

dest dating {
        domainlist      dating/domains
        urllist         dating/urls
        log             datingaccess
}

dest drugs {
        domainlist      drugs/domains
        urllist         drugs/urls
        log             drugsaccess
}

dest gamble {
        domainlist      gamble/domains
        urllist         gamble/urls
        log             gambleaccess
}

dest hacking {
        domainlist      hacking/domains
        urllist         hacking/urls
        log             hackingaccess
}

dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        log             pornaccess
}

dest redirector {
        domainlist      redirector/domains
        urllist         redirector/urls
        log             redirectoraccess
}

dest sexeducation {
        domainlist      sex/education/domains
        urllist         sex/education/urls
        log             sexeducationaccess
}

dest sexlingerie {
        domainlist      sex/lingerie/domains
        urllist         sex/lingerie/urls
        log             sexlingerieaccess
}

dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
        log             spywareaccess
}

dest violence {
        domainlist      violence/domains
        urllist         violence/urls
        log             violenceaccess
}

dest webmail {
        domainlist      webmail/domains
        urllist         webmail/urls
        log             webmailaccess
}

dest webtv {
        domainlist      webtv/domains
        urllist         webtv/urls
        log             webtvaccess
}

dest warez {
        domainlist      warez/domains
        urllist         warez/urls
        log             warezaccess
}
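
dest weapons {
        domainlist      weapons/domains
        urllist         weapons/urls
        log             weaponsaccess
}

# Machine(s) allowed unfiltered access. 192.168.0.10 is a placeholder;
# replace it with your own address.
src admins {
        ip              192.168.0.10
}

# The reserved DHCP range set aside for restricted devices earlier.
src restricted {
        ip              192.168.0.30-192.168.0.39
}

acl {
        admins {
                pass all
        }
        restricted {
                pass !weapons !warez !webtv !webmail !sexlingerie !sexeducation !redirector !porn !hacking !violence !aggressive !alcohol !anonvpn !costtraps !dating !drugs !gamble all
        }
        default {
                pass !spyware all
        }
}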
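Every source and destination named inside the acl block needs a matching src or dest block elsewhere in the file. The check below is an added example, not part of the original post or of squidGuard; the function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report names used in the acl block of a squidguard.conf
# that have no matching "src" or "dest" definition.
check_squidguard_conf() {
    out=$(awk '
    { sub(/#.*/, "") }                           # strip comments
    $1 == "src"  && $3 == "{" { src[$2] = 1; next }
    $1 == "dest" && $3 == "{" { dest[$2] = 1; next }
    $1 == "acl"  && $2 == "{" { in_acl = 1; depth = 1; next }
    !in_acl { next }
    $1 == "}" && $NF == "{" { next }             # "} else {" keeps depth
    # "<source> [within t] {" opens a rule; "default" is built in
    $NF == "{" { depth++; if ($1 != "default") used_src[$1] = 1; next }
    $1 == "}" { if (--depth == 0) in_acl = 0; next }
    $1 == "pass" {
        for (i = 2; i <= NF; i++) {
            name = $i; sub(/^!/, "", name)
            # all, any, none and in-addr are built in, not dest blocks
            if (name !~ /^(all|any|none|in-addr)$/) used_dest[name] = 1
        }
    }
    END {
        for (n in used_src)  if (!(n in src))  print "undefined src: " n
        for (n in used_dest) if (!(n in dest)) print "undefined dest: " n
    }' "$1" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: only "porn" is defined, so three names are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dest porn {
        domainlist porn/domains
}
acl {
        admins {
                pass all
        }
        restricted {
                pass !weapons !porn all
        }
        default {
                pass !porn all
        }
}
EOF
check_squidguard_conf "$sample" || echo "define the names listed above"
rm -f "$sample"
```

Point it at /etc/squidguard.conf after editing; it prints nothing and returns 0 when every name resolves.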
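Run the following commands. The redirection has to happen as root, so the line is piped through sudo tee rather than using "sudo echo ... >>", where the append would be attempted by your own unprivileged shell:
$ echo 'redirect_program /usr/sbin/squidGuard' | sudo tee -a /etc/squid/squid.conf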
$ sudo /usr/sbin/update_squidguard_blacklist.sh
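A more defensive variant of the update script, added here as an example and not part of the original post: it checks the archive's member paths and unpacks into a staging directory before swapping it in, so a failed download or an unexpected archive leaves the existing lists in place. The function names and the --run switch are this example's own; the paths and URL are the ones used in the post.

```shell
#!/bin/sh
# Added example: stage and validate the blacklist archive before touching
# the live database. DB and URL are taken from the script in the post.
DB=/var/lib/squidGuard/db
URL='http://www.shallalist.de/Downloads/shallalist.tar.gz'

# Succeeds only if every member lives under BL/ and none contains "..".
archive_is_safe() {
    names=$(tar -tzf "$1") || return 1
    [ -n "$names" ] || return 1
    printf '%s\n' "$names" | awk '
        $0 !~ /^BL\// || $0 ~ /(^|\/)\.\.(\/|$)/ { bad = 1 }
        END { exit bad }'
}

# Unpack into a staging directory beside the live one, then swap.
# $1 = archive, $2 = live database directory.
install_blacklist() {
    archive_is_safe "$1" || { echo "rejecting $1" >&2; return 1; }
    stage=$(mktemp -d "$2.new.XXXXXX") || return 1
    tar -xzf "$1" -C "$stage" || { rm -rf "$stage"; return 1; }
    rm -rf "$2.old"
    [ ! -d "$2" ] || mv "$2" "$2.old" || return 1
    mv "$stage/BL" "$2" || { mv "$2.old" "$2"; return 1; }
    rm -rf "$stage"
}

# "--run" is this example's own switch; without it only the functions
# are defined, so the file can be sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp) || exit 1
    wget -O "$tmp" "$URL" || { rm -f "$tmp"; exit 1; }
    install_blacklist "$tmp" "$DB" || { rm -f "$tmp"; exit 1; }
    rm -f "$tmp"
    /usr/sbin/squidGuard -C all
    chown -R squid "$DB" /var/log/squidGuard
    squid -k reconfigure
fi
```

The previous lists are kept in /var/lib/squidGuard/db.old until the next successful update.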
