Part VI - The Ultimate Linux Home Router - SquidGuard - Internet Filtering

Wednesday, December 25, 2013


It's worth warning that perfect internet filtering is impossible. It's for this reason that parents who have older children often don't bother with it since it tends to filter out benign things. That said, I have young children with tablets that Santa bought them for Christmas. I've locked the tablets down rather thoroughly on their own--prohibiting the use of the browser without a password and using a simple tool to restrict YouTube access. I know, however, that there will be times that they'll need the browser and when they do, they'll be using a browser with most controversial subjects filtered out. Don't get me wrong, I'm not interested in Nerf(tm)ing up the internet and preventing them from seeing some of the realities of life. But when they need unrestricted access, I will be there supervising directly. When I can't, most of the internet will be blocked.

Run an update

Since it's been a few days since this was posted, it's worth making sure we're running the latest versions of everything. Run the following and follow any onscreen instructions.
$ sudo zypper up

Installing SquidGuad

$ sudo zypper in squidguard

Restricting Tablets - DHCP Reserved Addresses

One option (and certainly not the most bulletproof) is to set the tablets up with static IP addresses. This is really simple to get around if your children have any basic understanding of IP networking (or know how to wield google in their favor). In a later post, I'll be adding authentication to the proxy server, but until then, I wanted to at least force DHCP to assign the same address. The settings panel on my tablets is password protected, so one of the kids changing the settings is not a huge concern of mine. In addition, assigning the IP via DHCP ensures that I won't need to make other configuration changes when the tablet moves to different networks.
Reserved addresses are assigned when the DHCP server sees a client with a specific MAC address. Since it's easier to retrieve the current IP address on my tablets, I've written down the two addresses: and, and we'll look up the host details on the server.
The following command will display all of the current leases
$ cat /var/lib/dhcp/db/dhcpd.leases | egrep "(^lease)|(hardware)"
This will display all of your current leases and their MAC addresses. Find the one that matches what was assigned to the tablets and copy the hardware address.
$ sudo nano /etc/dhcpd.conf
Find the subnet that corresponds to your network. It'll look something like this:
subnet netmask {
  default-lease-time 14400;
  max-lease-time 172800;
Modify it:
subnet netmask {
  default-lease-time 14400;
  max-lease-time 172800;
  host girlstablet {
    hardware ethernet xx:xx:xx:xx:xx:xx;
I've added a host 'girlstablet', which has the MAC address "xx:xx:xx:xx:xx:xx" assigned it the address I'll be putting all of the restricted devices on the 192.168.0 subnet in the range Do the same with any other addresses, assigning them an IP address outside of the normal lease range.
Save and Exit, then run:
$ sudo rcdhcpd restart

Installing Blacklists

I'm going ot use Shalla's Blacklists for this example, but there are several others available. Shalla's is for private, non-commercial use only. If you're using it for a business, consult their web site to ensure you are compliant. Creating a script to download the filter list:
$ sudo nano /usr/sbin/update_squidguard_blacklist
Paste in the following and Save/Exit.

cd /var/lib/squidGuard/db
rm -r *
wget ''
tar -xvf shallalist.tar.gz
cd BL
mv * ..
cd ..
rmdir BL
/usr/sbin/squidGuard -C all
chown -R squid *
chown -R squid /var/log/squidGuard
rm shallalist.tar.gz
squid -k reconfigure
Run the following:
$ sudo chmod 750 /usr/sbin/
$ sudo ln -l /usr/sbin/ /etc/cron.daily/
$ sudo nano -w /etc/squidguard.conf
Remove all lines from the file below "logdir /var/log/squidGuard" and paste in the following:
dest adv {
     domainlist adv/domains
     urllist    adv/urls

dest aggressive {
        domainlist      aggressive/domains
        urllist         aggressive/urls
        log             aggressiveaccess

dest alcohol {
        domainlist      alcohol/domains
        urllist         alcohol/urls
        log             alcoholaccess

dest anonvpn {
        domainlist      anonvpn/domains
        urllist         anonvpn/urls
        log             anonvpnaccess

dest costtraps {
        domainlist      costtraps/domains
        urllist         costtraps/urls
        log             costtrapsaccess

dest dating {
        domainlist      dating/domains
        urllist         dating/urls
        log             datingaccess

dest drugs {
        domainlist      drugs/domains
        urllist         drugs/urls
        log             drugsaccess

dest gamble {
        domainlist      gamble/domains
        urllist         gamble/urls
        log             gambleaccess

dest hacking {
        domainlist      hacking/domains
        urllist         hacking/urls
        log             hackingaccess

dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        log             pornaccess

dest redirector {
        domainlist      redirector/domains
        urllist         redirector/urls
        log             redirectoraccess

dest sexeducation {
        domainlist      sex/education/domains
        urllist         sex/education/urls
        log             sexeducationaccess

dest sexlingerie {
        domainlist      sex/lingerie/domains
        urllist         sex/lingerie/urls
        log             sexlingerieaccess

dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
        log             spywareaccess

dest violence {
        domainlist      violence/domains
        urllist         violence/urls
        log             violenceaccess

dest webmail {
        domainlist      webmail/domains
        urllist         webmail/urls
        log             webmailaccess

dest webtv {
        domainlist      webtv/domains
        urllist         webtv/urls
        log             webtvaccess

dest warez {
        domainlist      warez/domains
        urllist         warez/urls
        log             warezaccess
acl {
        admins {
                pass all
        restricted {
                pass !weapons !warez !webtv !webmail !sexlingerie !sexeducation !redirector !porn !hacking !violence !aggressive !alcohol !anonvpn !costtraps !dating !drugs !gamble all
        default {
                pass !spyware all
Run the following command:
$ sudo echo 'redirect_program /usr/sbin/squidGuard' >> /etc/squid/squid.conf
$ sudo /usr/sbin/

No comments :