2012-04-18, 12:36 PM
I've been wanting to filter my own network traffic by running it through a proxy. So I did some research on how to
set it up and configure it. My first plan was to use squid and dansguardian, but I found an easier way to do it.
Here's how I did it for those who come across this post.
I used squid and openDNS:
1. Install Squid: yum install squid
2. Configure Squid: add hostname, user/group, port, and DNS option
*Edit the configuration file with your favorite editor: vi /etc/squid/squid.conf
a. Add: visible_hostname Proxy-name
b. Add: cache_effective_user squid
c. Add: cache_effective_group squid
d. Add: shutdown_lifetime 20 seconds
e. Add: port 3128 to: http_port 3128
f. Add DNS option: dns_nameservers 208.67.222.123 208.67.220.123 #OpenDNS Nameservers
g. Uncomment: cache_dir ufs /var/spool/squid 100 16 256
h. Save your file: :wq
3. Restart Squid: service squid restart
4. Edit your firewall: I used system-config-firewall-tui
a. Add tcp port 3128 and run through the options; no others are needed, and when done iptables will be restarted.
5. For the client side you need to set up the proxy for firefox or whatever browser you want. I use firefox.
a. Extra-->Options-->Advanced-->Network-->Settings: manual proxy configuration: set your ip/port: 192.168.1.100:3128
b. Click OK and try browsing (test).
c. Done.
In my home situation I don't need to lock out the clients from being able to edit the browser options. But you can change
the rights if you need it for your situation:
Ubuntu:
1. chown root /usr/bin/gnome-network-properties
2. chmod ug-x /usr/bin/gnome-network-properties
Windows: You probably only need to let your users log in with normal user accounts.
You can also force all the PCs on your network to go through your proxy via iptables, but I didn't find it
necessary. Another way of filtering your web content is by using dansguardian, but I find this way just as effective
and easier to set up. With Dansguardian you can add your own blacklists/whitelists of sites. The only disadvantage I found
is that you have a lot of configuring to do, because when you set it up and add a blacklist, you have to whitelist everything that's
blacklisted in your blacklist folder. For example, I wasn't able to access a topic on this forum because I had the word porn in the topic.
I'm real happy with OpenDNS, and when you get redirected from a blocked porn site you can also click on send messages to
system administrator using your OpenDNS account email address, which you can set in the OpenDNS panel, and the most important
thing is that it's free.
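
One way to confirm, after steps 2 and 3, that /etc/squid/squid.conf really contains the settings listed above. This is an added example, not part of the original post, and the function names are hypothetical helpers rather than anything shipped with Squid. It reports a cache_dir line that is still commented out (step 2g) and ignores the trailing comment on the dns_nameservers line.

```shell
#!/bin/sh
# Added example: audit squid.conf against the settings from steps 2a-2g.
# Function names are hypothetical helpers, not part of Squid.

# Print the arguments of the first active occurrence of directive $2 in file $1.
# Commented-out lines are skipped and a trailing "# comment" is dropped.
directive_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key {
            sub(/[ \t]*#.*$/, "")
            $1 = ""; sub(/^[ \t]+/, "")
            print; exit
        }' "$1"
}

# Compare one directive with the value the post uses.
expect_value() {
    got=$(directive_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 $got"
    else
        echo "FAIL  $2: want '$3', found '${got:-<not set>}'"
        return 1
    fi
}

check_squid_conf() {
    conf=$1; rc=0
    expect_value "$conf" cache_effective_user  squid || rc=1
    expect_value "$conf" cache_effective_group squid || rc=1
    expect_value "$conf" shutdown_lifetime "20 seconds" || rc=1
    expect_value "$conf" http_port 3128 || rc=1
    expect_value "$conf" dns_nameservers "208.67.222.123 208.67.220.123" || rc=1
    expect_value "$conf" cache_dir "ufs /var/spool/squid 100 16 256" || rc=1
    # visible_hostname is site-specific, so only require that it is set.
    if [ -z "$(directive_value "$conf" visible_hostname)" ]; then
        echo "FAIL  visible_hostname is not set"; rc=1
    fi
    return $rc
}

# Run against the file given on the command line, if any.
if [ -n "${1:-}" ]; then check_squid_conf "$1"; fi
```

Save it as a script and pass the path to the configuration file as the first argument; a non-zero exit status means at least one setting differs from the list in step 2.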