| Next revision | Previous revisionNext revisionBoth sides next revision |
| slackware:parentalcontrol [2006/06/16 22:46] – created. alien | slackware:parentalcontrol [2008/02/21 21:55] – Change EXEMPTUSERS to PRIVUSERS (bugfix); use gpasswd instead of usermod. alien |
|---|
| The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\ | The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\ |
| Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> | Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> |
| tar -zxvf dansguardian-2.9.7.0.tar.gz | tar -zxvf dansguardian-2.9.7.1.tar.gz |
| cd dansguardian-2.9.7.0 | cd dansguardian-2.9.7.1 |
| ./configure --prefix=/usr \ | ./configure --prefix=/usr \ |
| --localstatedir=/var \ | --localstatedir=/var \ |
| id clamav | id clamav |
| </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> | </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> |
| usermod -G $(id -Gn clamav | tr ' ' ','),nobody clamav | gpasswd -a clamav nobody |
| usermod -G $(id -Gn clamav | tr ' ' ','),nogroup clamav | gpasswd -a clamav nogroup |
| usermod -G $(id -Gn nobody | tr ' ' ','),clamav nobody | gpasswd -a nobody clamav |
| </code> Verify that this worked, by again running <code> | </code> Verify that this worked, by again running <code> |
| id nobody | id nobody |
| # Privileged user(s) will bypass the content filter: | # Privileged user(s) will bypass the content filter: |
| PRIVUSERS="root alien" | PRIVUSERS="root alien" |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
| # Also catch the sneaky bastards that try to bypass dansguardian: | # Also catch the sneaky bastards that try to bypass dansguardian: |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -j REDIRECT --to-ports 8080 | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 3128 -j REDIRECT --to-ports 8080 |
| </code> Note that these iptables rules populate the NAT table (NAT is Network Address Translation). NAT rules are what you would ordinarily think of when configuring a firewall/router which hides an internal network behind a single external network interface (the old name for NAT was masquerading although the two terms do not fully compare). In our case, the NAT rules are not used to change the source or destination IP address (masquerading), but we change the destination TCP port of the packets that match the rules (redirection). | </code> |
| | <note> |
| | Note that these iptables rules populate the NAT table (NAT is Network Address Translation). NAT rules are what you would ordinarily think of when configuring a firewall/router which hides an internal network behind a single external network interface (the old name for NAT was masquerading although the two terms do not fully compare). These rules would be added to the **PREROUTING** chain. \\ In our case of catching the local traffic, the NAT rules are not used to change the source or destination IP address (masquerading), but we change the destination TCP port of the packets that match the rules (redirection). The iptables rules in this case are instead being added to the **OUTPUT** chain. |
| | </note> |
| |
| A nice script that implements these rules, and which accepts a start and a stop parameter, is listed in the [[#example_configuration_files|last section]]. You can save it as the file ''/etc/rc.d/rc.firewall'' and make it executable: <code> | A nice script that implements these rules, and which accepts a start and a stop parameter, is listed in the [[#example_configuration_files|last section]]. You can save it as the file ''/etc/rc.d/rc.firewall'' and make it executable: <code> |
| The message was hidden in the section on iptables, but I will repeat it in it's own section: | The message was hidden in the section on iptables, but I will repeat it in it's own section: |
| |
| This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: | This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: <code> |
| | PRIVUSERS="root alien" |
| PRIVUSERS="root alien" | </code> |
| |
| ===== Starting the programs ===== | ===== Starting the programs ===== |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
