IpTables Gurus out there?
Jun. 7th, 2006 10:47 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
elfsI have a rather ordinary set-up at home: A mini-tower box running Linux acts as my firewall, using NAT to assist everyone inside the house from getting out but preventing anyone from getting in. It's not perfect, but it's your standard solid setup. I haven't had any problem with it and I keep it updated.
I would like to run Dan's Guardian on the NAT box, but I would like only some of the machines in the house to be routed through it, namely, the kids'. Dan's Guardian is basically a proxy that uses a cache (Squid, in this case) to retrieve content from the web, and then analyzes both the addresses and the content for things you might not want.
Can anybody tell me what the iptables magic is for directing traffic from a specific host on a specific subnet to the proxy engine? The idea here is to prevent anything that tries to "route around" the proxy (like, the kids figure out how to turn "use proxy" off on their browsers) from being able to go anywhere without going through it.
I would like to run Dan's Guardian on the NAT box, but I would like only some of the machines in the house to be routed through it, namely, the kids'. Dan's Guardian is basically a proxy that uses a cache (Squid, in this case) to retrieve content from the web, and then analyzes both the addresses and the content for things you might not want.
Can anybody tell me what the iptables magic is for directing traffic from a specific host on a specific subnet to the proxy engine? The idea here is to prevent anything that tries to "route around" the proxy (like, the kids figure out how to turn "use proxy" off on their browsers) from being able to go anywhere without going through it.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2006-06-07 06:28 pm (UTC)no subject
Date: 2006-06-07 06:30 pm (UTC)My internal network is on eth0, my upstream peer is eth1. Here's how I redirect all outbound traffic on 80/tcp (HTTP) to my Squid caching proxy on 3128/tcp:
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
If I wanted to restrict it to a particular host, I'd add "-S a.b.c.d/32" for the host's IP.
no subject
Date: 2006-06-07 06:42 pm (UTC)no subject
Date: 2006-06-07 09:30 pm (UTC)no subject
Date: 2006-06-07 06:36 pm (UTC)Personally I have migrated to using OpenBSD w/ PF. (Much easier to write rulesets and supports ALTQ so if you get someone running a fileshare they don't eat all of your bandwidth.)
no subject
Date: 2006-06-07 06:50 pm (UTC)If you enable the filtering on a per-IP basis, then the kids figuring out how to change their IP seems only a few steps more compilcated than figuring out how to turn off 'use proxy'.
You might get more security by forcing everyone to go through the proxy with authentication required. Block out-bound port 80/443/8000/8080/etc. from all but the firewall, then (en|dis)able filtering on a per-account basis. I've no idea if Dan's can accomplish such a thing nor if you or your kids would deal well with login prompts for browsing.
Another possible approach might be to route ALL hosts except the 'adult' machines through the proxy instead of specifically routing only the kids' machines. If the adult machines are always turned on & connected, then that should effectively prevent anyone from stealing their unfiltered IP's.
Good luck in any case! I'm not yet at the point that I need to worry about my son's browsing habits (he's six), but I'm not much looking forward to the impending battle.
no subject
Date: 2006-06-07 06:58 pm (UTC)Configure ALL traffic outbound on 80/tcp and friends to go through the sanitizing proxy. Then, set up a pass-through proxy on some arbitrary port. Configure the *adult* machines to "use proxy" but use the pass-through proxy.
So, to circumvent the sanitizing proxy, your kids would have to figure out how to configure their browsers to explicitly use your pass-through proxy.
no subject
Date: 2006-06-07 07:25 pm (UTC)The only fix for that would be to open up the box and stick in a rogue ethernet card. I'm not sure a nine-year-old is quite there yet.
I am sure that someday one of them will figure out how to get past all of the barriers-- xscreensaver-lock, whatever Omaha has on her MAC, and so forth. The rule there is much the same as why we keep all the adult books on the top shelf: when they're tall enough, and interested enough, to start taking those down, it's seriously time to start talking to them about what happens next.
Measures of maturity
Date: 2006-06-07 10:20 pm (UTC)I looked at the setup, figured out how to bypass the proxy server, and told 'em it was easy and as soon as they figured it out themselves I'd run interference with their mom on letting 'em have free access to the net.
So I think of it as a maturity test and incentive: When they can figure out how to bypass the system there's nothin' I can really do anyway, so I may as well make it a learning experience.
I'm actually not sure if they ever did bypass it, shortly thereafter cablemodem came to the valley and dial-ups through the school system fell by the wayside, but I do know now, years later, that their LAN parties went to gigabit ethernet not because of latency in gaming, but because copying terabytes of hentai around on 100baseT just wasn't working...
no subject
Date: 2006-06-08 07:27 am (UTC)no subject
Date: 2006-06-07 07:07 pm (UTC)iptables -A FORWARD --src <kids' machine> -m tcp --dport 80 -j REJECT