Revision of slackware:parentalcontrol, 2006/09/30 10:55, by alien: Emphasize difference between PREROUTING and OUTPUT chains.
====== Parental control on the Linux desktop ======
===== Introduction =====

It is fascinating to observe how children take things for granted where their parents need many years to get used to them ... take computers and the Internet for instance. Kids are so much more //savvy// with the computer that it becomes increasingly difficult for parents to understand and value their kids' activities on the Internet. The results are not always that positive - children should be protected from some of the darker sides of the Internet. It already helps if parents sit and watch by the side of their kids from time to time, to see what they are up to, to talk about what they encounter and to give friendly advice.

Then again, it is impossible to monitor your children'
One way of achieving this is by installing a content filter. The content filter is a program that checks URLs and disallows access in case the URL is blacklisted,
This filtering should be automatic - in the sense of executing beyond the children'

In [[:
This article however will concentrate on controlling the Internet access on a solitary PC, like the family PC you might have in your living room. It //should// run Linux of course :-) and preferably Slackware. What I will show you is this:
  * Install and configure a content filter - [[http://
  * Install and configure a proxy - [[http://
  * [//
  * Set up iptables firewall rules that relay all web browser traffic through the content filter
  * Yet allow unlimited Internet access for the parents'
The sections on compiling and installing tinyproxy and dansguardian are taken from that other article, to make //this// article self-contained. I still encourage you to read the [[:


===== Proxy installation =====

The [[http://
Tinyproxy must explicitly be built with transparent proxy support. If you want to compile and install the software manually, this is what you would do: <code>
tar -zxvf tinyproxy-1.7.0.tar.gz
cd tinyproxy-1.7.0
./configure --prefix=/
  --localstatedir=/
  --sysconfdir=/
  --enable-xtinyproxy \
  --enable-filter \
  --enable-upstream \
  --enable-reverse \
  --enable-transparent-proxy \
  --program-prefix="" \
  --program-suffix=""
make
make install
</code>

===== Contentfilter installation =====

The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://
Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code>
tar -zxvf dansguardian-2.9.7.0.tar.gz
cd dansguardian-2.9.7.0
./configure --prefix=/
  --localstatedir=/
  --sysconfdir=/
  --enable-pcre \
  --enable-clamd \
  --enable-email \
  --with-proxyuser=nobody \
  --with-proxygroup=nobody
make
make install
</code>
I configured dansguardian to run as user //nobody// - because that is an existing account without privileges, and Apache uses it too. Bear in mind, though, that the firewall rules further down give the //nobody// account unfiltered Internet access so that dansguardian and tinyproxy can do their work, and that exemption applies to //every// process running as //nobody//, Apache included. A dedicated account for the filter keeps that hole as small as possible. If you want dansguardian to run using another account, you will have to do so in the //
<code>
groupadd parental
useradd -g parental -s /bin/false filter
</code>

//NOTE:// We will configure tinyproxy to run as user //nobody// as well, but in tinyproxy'


===== Virusscanner installation =====

ClamAV is an Open Source virus scanner with a decent catch rate and a good virus pattern update policy. It is able to catch viruses in downloaded files as well as malicious HTML code (phishing and pharming for instance). Dansguardian supports clamav as a plugin contentscanner,
<code>
groupadd clamav
useradd -g clamav -s /bin/false clamav
./configure --prefix=/
  --localstatedir=/
  --sysconfdir=/
  --with-user=clamav --with-group=clamav \
  --with-dbdir=/
  --with-libcurl \
  --with-tcpwrappers \
  --enable-milter \
  --enable-id-check
make
make install
</code>

You'll have noticed that the above ''
To make dansguardian talk to the clamav program, their respective user accounts will need to have "


===== Configuration =====

Next step is to configure our contentfilter.

==== Proxy ====

The content of the tinyproxy configuration file ''/
I entered the domain name for my internal lan //my.net// in this configuration file. If yours is different, please change accordingly.\\ To show you where this differs from the tinyproxy defaults, here is a diff from the original file: <code diff>
diff /
20c20
< Port 8888
---
> Port 3128
27c27
< #Listen 192.168.0.1
---
> Listen 127.0.0.1
112c112
< #XTinyproxy mydomain.com
---
> XTinyproxy my.net
192c192
< Allow 192.168.1.0/
---
> #Allow 192.168.2.0/
</code>
<code>
Port 3128
Listen 127.0.0.1
Allow 127.0.0.1
</code>
These achieve the following:
  * make tinyproxy listen on ''
  * allow the localhost (IP address 127.0.0.1, for dansguardian) access - implicitly denying access attempts from any other IP address but 127.0.0.1.

==== Contentfilter ====

You will find the content of the dansguardian configuration file ''/
<code diff>
diff /
48a49
> anonymizelogs = off
74c75
< filterip =
---
> filterip = 127.0.0.1
97c98
< accessdeniedaddress = '
---
> accessdeniedaddress = '
399c400
< #
---
> contentscanner = '/
</code>
<code>
filterip = 127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
</code>
They show that dansguardian
  * will listen at the //
  * will look for a compatible proxy at IP address:

The line
  accessdeniedaddress = '
does not really matter, because in dansguardian'

The line
  contentscanner = '/
should only be enabled when you install the optional [[http://
<code>
#
</code>
<code>
clamdudsfile = '/
</code>
<code>
LocalSocket /
</code>

Of course, there are a lot of fine-tuning possibilities in this configuration file, as well as in the many others in the ''/

==== Virusscanner ====

The ClamAV virusscanner consists of several components. The //clamd// program which does all the scanning and the //

  * **/
<code diff>
diff /
8c8
< Example
---
> #Example
43c43
< #LogSyslog
---
> LogSyslog
48c48
< #
---
> LogFacility LOG_MAIL
</code>
<code>
LocalSocket /
User clamav
AllowSupplementaryGroups
</code>
  * The //
  * The //User// keyword shows as which user the scanning daemon is running.\\
  * The //

  * **/
<code diff>
diff /
9c9
< Example
---
> #Example
26c26
< #LogSyslog
---
> LogSyslog
31c31
< #
---
> LogFacility LOG_MAIL
55c55
< #
---
> DatabaseMirror db.nl.clamav.net
</code>

  * Finally, that common group I previously mentioned, to which both the user IDs //clamav// and //nobody// belong, is what is left to configure. To see what groups a user ID belongs to, you use the ''
<code>
id nobody
id clamav
</code>
<code>
usermod -G $(id -Gn clamav | tr ' ' ','
usermod -G $(id -Gn clamav | tr ' ' ','
usermod -G $(id -Gn nobody | tr ' ' ','
</code>
Note that ''usermod -G'' //replaces// the complete list of supplementary groups of an account; that is why the existing groups are read back with ''id -Gn'' and passed along, so that no membership gets lost.
<code>
id nobody
id clamav
</code>

==== The iptables rules ====

Now that we have set up the content filter for the inspection of requested URLs and the retrieved web content, and the proxy to take care of the retrieval process, we still need to tell our computer that the outgoing web traffic should silently (transparently) be re-routed through this filter. This is where the Linux netfilter - aka the iptables firewall - comes into play.\\
What our iptables rules need to do is:
  * intercept the web traffic (requests destined at Internet web servers, targeted at their http port which is port 80) just before it exits the computer, and instead redirect this traffic to our dansguardian filter which is listening at a local TCP port (127.0.0.1:
  * but only do this interception for users that we want to have restricted access. We define these as all local accounts except for root and any other privileged account you can think of (like, your own login account).
The interception has to happen in the //OUTPUT// chain of the //nat// table. That chain sees the packets generated by processes on this very computer, so netfilter still knows which user owns the sending socket and the ''owner'' match can decide per user ID. The //PREROUTING// chain (the chain you would use on a gateway to redirect the traffic of other machines in your LAN) only sees packets arriving from the network, and for those there is no local owner to match on. Also note that only connections to port 80 are redirected: https (port 443) and web servers on non-standard ports are not passed through the filter by these rules.
The basic NAT firewall rules that accomplish this are like this: <code>
# Full access to the userid of the dansguardian and tinyproxy (==nobody), and of freshclam (==clamav):
# Note that dansguardian needs to connect to tinyproxy at port 3128,
# tinyproxy needs to be able to connect to external servers at port 80 on behalf of the web browsers,
# and freshclam needs to be able to fetch virus definition updates.
/
/
/
# Privileged user(s) will bypass the content filter:
PRIVUSERS="
for user in $PRIVUSERS; do
  /
done
# What comes next is the catch-all. Any user account not listed above
# (nobody, clamav and $PRIVUSERS) is forced through the content filter.
# Redirect requests for web pages (http traffic) to the dansguardian listen port:
/
# Also catch the sneaky bastards that try to bypass dansguardian:
/
</code>
Note that these iptables rules populate the NAT table (NAT is Network Address Translation). NAT rules are what you would ordinarily think of when configuring a firewall/

A nice script that implements these rules, and which accepts a start and a stop parameter, is listed in the [[#
<code>
chmod +x /
</code>
<code>
/
</code>

===== No limits for admins and parents =====

The message was hidden in the section on iptables, but I will repeat it in its own section:

This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//

PRIVUSERS="


===== Starting the programs =====

We have assembled a series of scripts and programs that we should start somehow, so that they will provide the parental control we were setting up. They should be started when the computer boots, so that the protection is already active by the time our first computer user logs in.\\
This is done by adding these commands and scripts to the file ''/

If you (built and) installed my Slackware package for dansguardian,
<code>
chmod +x /
</code>

If you optionally (built and) installed my Slackware package for clamav, its rc script is installed non-executable by default. In order to run clamav on boot (as shown below) you will have to make the script executable by running <code>
chmod +x /
</code>

If you configured your firewall rules in the file ''/
<code>
if [ -x /
  /
fi
</code>

To sum it all up, __we add these lines to the file ''/
<code>
# Start clamav
if [ -x /
  /
fi

# Start tinyproxy
if [ -x /
  /
fi

# Start dansguardian
if [ -x /
  /
fi
</code>
Whatever the exact start order, the failure mode is the safe one: while the redirect rule is loaded but dansguardian is not (yet) listening on port 8080, a filtered user gets a //connection refused// instead of unfiltered access.

We're done!\\ Test your setup by alternately logging on as yourself and under one of the kids' accounts. Open a browser and try to access some pages you suspect might trigger a block or //access denied// from the content filter. If you plugged in ClamAV as virusscanner,


===== Example configuration files =====

''/
<code>
#!/bin/sh
#
# Startup script for dansguardian
#
# processname:
# pidfile: /
# config: /

# File includes changes by Thomas Jarosch
wait_for_pid()
{
    local PID=$1
    local RET=0

    if [ "$PID" -eq 0 ] ; then
        return $RET
    fi

    # give 60 secs then KILL
    local COUNTDOWN=60

    while [ -d /
        sleep 1
        COUNTDOWN=$((COUNTDOWN-1))
    done

    if [ -d /
        COMMAND=`ps h -o command ${PID}`
        logger "
        kill -KILL $PID >/
        RET=1
    fi

    return $RET
}

# See how we were called.

case "
  start)
    if [ -f /
      [ -f /
      echo -n "
      if /
        echo " OK"
      else
        echo " FAILED"
      fi
    fi
    ;;
  stop)
    echo -n "
    WAITPID=0
    if [ -f /
      WAITPID=`cat /
    fi
    if /
      if wait_for_pid $WAITPID ; then
        echo " OK"
      else
        echo " FAILED"
      fi
      /bin/rm -f /
      /bin/rm -f /
    else
      echo " FAILED"
    fi
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    if [ -x /
      /
    else
      echo "
    fi
    ;;
  *)
    echo "
    ;;
esac

exit 0
</code>

''/
<code>
/
    rotate 4
    weekly
    sharedscripts
    prerotate
        /
        sleep 5
    endscript

    postrotate
        /
    endscript
}
</code>

''/
<code>
#!/bin/sh
# Start/

# Set to '
MILTER=0

# Start clamav:
clamav_start() {
  if [ -x /
    echo -n "
    /
    echo "
    # Give clamd a chance to create the socket
    sleep 1
    echo -n "
    /
    echo "
    if [ "
      echo -n "
      /
      echo "
    fi
  fi
}

# Stop clamav:
clamav_stop() {
  kill `cat /
  #killall freshclam
  kill `cat /
  [ "
}

# Restart clamav:
clamav_restart() {
  clamav_stop
  sleep 1
  clamav_start
}

case "
  '
    clamav_start
    ;;
  '
    clamav_stop
    ;;
  '
    clamav_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
esac
</code>


''/
<code>
#!/bin/sh
# Start/

# Privileged user(s) will be able to bypass the content filter:
PRIVUSERS="

# Start firewall:
start() {
  echo -n "
  # Full access to the userid of the dansguardian and tinyproxy (==nobody), and of freshclam (==clamav):
  # Note that dansguardian needs to connect to tinyproxy at port 3128,
  # tinyproxy needs to be able to connect to external servers at port 80 on behalf of the web browsers,
  # and freshclam needs to be able to fetch virus definition updates.
  /
  /
  /
  # The loop must read the very variable that was set above (PRIVUSERS);
  # looping over an unset variable would exempt nobody at all.
  for user in $PRIVUSERS; do
    /
  done
  # What comes next is the catch-all. Any user account not listed above
  # (nobody, clamav and $PRIVUSERS) is forced through the content filter.
  # Redirect requests for web pages (http traffic) to the dansguardian listen port:
  /
  # Also catch the sneaky bastards that try to bypass dansguardian:
  /
  echo "
}

# Stop firewall:
stop() {
  echo -n "
  # Basically, a "
  /
  /
  /
  for user in $PRIVUSERS; do
    /
  done
  /
  /
  echo "
}

# Restart firewall:
restart() {
  stop
  start
}

case "
  '
    start
    ;;
  '
    stop
    ;;
  '
    restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
esac
</code>