| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| slackware:parentalcontrol [2006/09/30 10:55] – Emphasize difference between PREROUTING and OUTPUT chains. alien | slackware:parentalcontrol [2008/02/21 21:55] – Change EXEMPTUSERS to PRIVUSERS (bugfix); use gpasswd instead of usermod. alien |
|---|
| The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\ | The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\ |
| Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> | Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> |
| tar -zxvf dansguardian-2.9.7.0.tar.gz | tar -zxvf dansguardian-2.9.7.1.tar.gz |
| cd dansguardian-2.9.7.0 | cd dansguardian-2.9.7.1 |
| ./configure --prefix=/usr \ | ./configure --prefix=/usr \ |
| --localstatedir=/var \ | --localstatedir=/var \ |
| id clamav | id clamav |
| </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> | </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> |
| usermod -G $(id -Gn clamav | tr ' ' ','),nobody clamav | gpasswd -a clamav nobody |
| usermod -G $(id -Gn clamav | tr ' ' ','),nogroup clamav | gpasswd -a clamav nogroup |
| usermod -G $(id -Gn nobody | tr ' ' ','),clamav nobody | gpasswd -a nobody clamav |
| </code> Verify that this worked, by again running <code> | </code> Verify that this worked, by again running <code> |
| id nobody | id nobody |
| # Privileged user(s) will bypass the content filter: | # Privileged user(s) will bypass the content filter: |
| PRIVUSERS="root alien" | PRIVUSERS="root alien" |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
| The message was hidden in the section on iptables, but I will repeat it in it's own section: | The message was hidden in the section on iptables, but I will repeat it in it's own section: |
| |
| This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: | This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: <code> |
| | PRIVUSERS="root alien" |
| PRIVUSERS="root alien" | </code> |
| |
| ===== Starting the programs ===== | ===== Starting the programs ===== |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
| for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
| /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
| done | done |
