Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.

Differences

This shows you the differences between two versions of the page.

slackware:parentalcontrol [2006/09/30 10:55]
alien Emphasize difference between PREROUTING and OUTPUT chains.
slackware:parentalcontrol [2008/05/18 13:27] (current)
alien Newer dansguardian version number.
Line 17: Line 17:
   * Yet allow unlimited Internet access for the parents' login account, and for //root//.   * Yet allow unlimited Internet access for the parents' login account, and for //root//.
 The sections on compiling and installing tinyproxy and dansguardian are taken from that other article, to make //this// article self-contained. I still encourage you to read the [[:slackware:proxy|transparent proxy]] article if you want to know a little more on the background of (transparent) proxying and content filtering. The sections on compiling and installing tinyproxy and dansguardian are taken from that other article, to make //this// article self-contained. I still encourage you to read the [[:slackware:proxy|transparent proxy]] article if you want to know a little more on the background of (transparent) proxying and content filtering.
 +
  
  
 ===== Proxy installation ===== ===== Proxy installation =====
  
-The [[http://tinyproxy.sf.net/|homepage for tinyproxy]] has download links for "stable" and "devel" versions. I decided to just use the "devel" release since it looks like the current maintainer is looking for someone to take over the project and the software has not had an update for a long time. The "devel" program however is actually quite stable. \\ +The [[http://tinyproxy.sf.net/|homepage for tinyproxy]] has download links for "stable" and "devel" versions. I have used the "devel" version in the past, but I decided to switch to the "stable" release since that was actually released many months after the latest development release. Although this software has not had an update for a long time, the tinyproxy web site shows new activities, so I expect new releases to appear anytime soon. The "devel" program however is actually quite stable. \\ 
 Tinyproxy must explicitly be build for transparent proxy support. If you want to compile and install the software manually, this is what you would do: <code> Tinyproxy must explicitly be build for transparent proxy support. If you want to compile and install the software manually, this is what you would do: <code>
-tar -zxvf tinyproxy-1.7.0.tar.gz +tar -zxvf tinyproxy-1.6.3.tar.gz 
-cd tinyproxy-1.7.0+cd tinyproxy-1.6.3
 ./configure --prefix=/usr \ ./configure --prefix=/usr \
             --localstatedir=/var \             --localstatedir=/var \
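Review bot: the new text ties the choice of tinyproxy 1.6.3 to release dates and admits the software "has not had an update for a long time", but nothing in the hunk says how the tarball was verified before building; since this proxy sits in the path of every user's web traffic, the page should state where the tarball comes from and suggest checking its published checksum or signature before running ./configure. Minor wording in the unchanged context: "must explicitly be build for transparent proxy support" should read "must explicitly be built".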
Line 38: Line 39:
 make install make install
 </code> If you rather install a Slackware package or want to use a SlackBuild script to create a Slackware package, you'll find all you need in [[http://www.slackware.com/~alien/slackbuilds/tinyproxy/|my repository]] </code> If you rather install a Slackware package or want to use a SlackBuild script to create a Slackware package, you'll find all you need in [[http://www.slackware.com/~alien/slackbuilds/tinyproxy/|my repository]]
 +
  
 ===== Contentfilter installation ===== ===== Contentfilter installation =====
  
 The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\  The dansguardian software is actively maintained. You will need the basic software package you can download from the [[http://dansguardian.org/|dansguardian homepage]]. It's default configuration will already be sufficient for a lot of people. If you want more extensive URL blacklists or badword lists you can look at the website. Some extensions you'll find have to be paid for however.\\ 
-Although the most current release is in the //ALPHA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> +Although the most current release is in the //BETA// download section, it's actually quite stable. I used that for my install. For the manually compiling people: <code> 
-tar -zxvf dansguardian-2.9.7.0.tar.gz +tar -zxvf dansguardian-2.9.9.4.tar.gz 
-cd dansguardian-2.9.7.0+cd dansguardian-2.9.9.4
 ./configure --prefix=/usr \ ./configure --prefix=/usr \
             --localstatedir=/var \             --localstatedir=/var \
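Review bot: the dansguardian version bump (2.9.7.0 to 2.9.9.4, now from the BETA rather than ALPHA section) changes only the tar and cd lines; if the same version string appears elsewhere on the page (SlackBuild links, package names) those occurrences need the same update, otherwise the instructions disagree with themselves. Two small fixes to the unchanged context: "It's default configuration" should be "Its default configuration", and "For the manually compiling people" reads more naturally as "If you compile manually".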
Line 51: Line 53:
             --enable-clamd \             --enable-clamd \
             --enable-email \             --enable-email \
 +            --enable-commandline \
             --with-proxyuser=nobody \             --with-proxyuser=nobody \
             --with-proxygroup=nobody             --with-proxygroup=nobody
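Review bot: the added `--enable-commandline` configure option is not mentioned in the edit summary ("Newer dansguardian version number") nor explained in the visible text, so a reader cannot tell whether it is required by 2.9.9.4 or an unrelated preference; add one sentence saying what it enables and why it is wanted here. Also worth a remark in the text: `--with-proxyuser=nobody` runs the filter as the shared `nobody` account, and a later hunk has to cross-enrol `nobody` and `clamav` in each other's groups to make scanning work; a dedicated user for dansguardian would keep those privileges narrower.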
Line 212: Line 215:
 id clamav id clamav
 </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code>
-usermod -G $(id -Gn clamav | tr ' ' ','),nobody clamav +gpasswd -clamav nobody 
-usermod -G $(id -Gn clamav | tr ' ' ','),nogroup clamav +gpasswd -clamav nogroup 
-usermod -G $(id -Gn nobody | tr ' ' ','),clamav nobody+gpasswd -nobody clamav
 </code> Verify that this worked, by again running <code> </code> Verify that this worked, by again running <code>
 id nobody id nobody
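Review bot: the three new gpasswd lines are missing the `-a` option and a space: gpasswd's add form is `gpasswd -a user group`, so `gpasswd -clamav nobody` is parsed as options `-c -l -a ...` and fails with an invalid-option error instead of adding the user. They should read `gpasswd -a clamav nobody`, `gpasswd -a clamav nogroup` and `gpasswd -a nobody clamav`; the `id nobody` check that follows would have caught this. The sentence "Perhaps it is possible to leave out one of these additions" should either name which one or be dropped, since each group added widens what the two daemons can read.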
Line 236: Line 239:
 # Privileged user(s) will bypass the content filter: # Privileged user(s) will bypass the content filter:
 PRIVUSERS="root alien" PRIVUSERS="root alien"
-for user in $EXEMPTUSERS; do+for user in $PRIVUSERS; do
   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT
 done done
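Review bot: the rename to `$PRIVUSERS` is the right fix (the loop previously iterated over an undefined `$EXEMPTUSERS`, so no privileged user was ever exempted), but two caveats belong next to it: every name in PRIVUSERS must exist as an account when the firewall script runs, or iptables rejects that `--uid-owner` rule and the script continues with a partial rule set; and the exemption only covers `--dport 80`, so the text should state plainly whether HTTPS traffic is redirected at all, because if it is not, port 443 bypasses the content filter for every user, privileged or not.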
Line 260: Line 263:
 The message was hidden in the section on iptables, but I will repeat it in it's own section: The message was hidden in the section on iptables, but I will repeat it in it's own section:
  
-This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: +This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: <code> 
- +PRIVUSERS="root alien" 
-  PRIVUSERS="root alien" +</code>
  
 ===== Starting the programs ===== ===== Starting the programs =====
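Review bot: putting the PRIVUSERS definition in a <code> block is an improvement, but the surrounding prose carries two typos that persist in both versions: "in it's own section" and "for it's listing" should both be "its".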
Line 486: Line 488:
   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT
   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT   /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT
-  for user in $EXEMPTUSERS; do+  for user in $PRIVUSERS; do
     /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT     /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT
   done   done
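Review bot: the two ACCEPT rules for `nobody` and `clamav` carry no comment, while the PRIVUSERS loop right below them does; add one line explaining that these exempt the proxy's and scanner's own outbound port-80 connections so they are not redirected back into the proxy. It is also worth spelling out here why the `owner` match lives in the nat OUTPUT chain rather than PREROUTING (the 2006 edit summary says this distinction was emphasised): the match needs a local socket, so it only applies to traffic generated on this host.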
Line 505: Line 507:
   /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT   /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner nobody -j ACCEPT
   /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT   /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80   -m owner --uid-owner clamav -j ACCEPT
-  for user in $EXEMPTUSERS; do+  for user in $PRIVUSERS; do
     /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT     /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT
   done   done
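Review bot: the stop block mirrors start with `-D`, which removes exactly one matching rule per call; if the start block ran twice, or PRIVUSERS changed between start and stop, stale ACCEPT rules remain in nat/OUTPUT and users keep their exemption after the "stop". Either flush the chain (`iptables -t nat -F OUTPUT`) if nothing else uses it, or put these rules in a dedicated user chain that stop can flush and delete wholesale.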