Skip to main content

DansGuardian Setup with DD-WRT Forwarding


Recently my PacketProtector UTM died, and because the PacketProtector site has gone down, I started looking for another solution to protect the kids.  Here were my requirements:
1) it had to be a network solution, external to the kids boxes, so they couldn't get around it
2) it had to be a router solution, as I didn't want to put a box on my network consuming power and making noise

Smoothwall is a great solution, if only it were in a router.  I really wanted a router solution like I had with PacketProtector, but upon searching, nobody seems to have gotten Smoothwall or Dansguardian working as an embedded solution on a router.  I was amazed that nobody has gotten Dansguardian integrated into dd-wrt!  

So here is my solution:  Since the kids are on their own network, which I want protected, I set up a DansGuardian proxy box as a VM on the existing network outside of their network, and forwarded all packets from their network through this proxy. 

DansGuardian Set Up

So, I installed DansGuardian as a VM on the outside network, using Fedora 14 as the host, according to the instructions at www.liberiangeek.net/2010/04/how-to-install-dansguardian-web-content-filter-in-fedora/

Basically, this install went like this:
1) install Fedora 14 and patch it
2) System->Admin->Add/Remove Software->Add Squid
3) System->Admin->Add/Remove Software->Add Dansguardian
4) vi /etc/squid/squid.conf to change line 3128 from
      "http port 3128" 
      to
      "http port 3128 transparent"
5) automatically start DansGuardian by typing 'su -c chkconfig dansguardian on'
6) automatically start Squid by typing 'su -c chkconfig squid on'
7) check that Dansguardian is working:
    System->Preferences->Network Proxy
    Check 'Manual Proxy Config"
    Check 'Use the same proxy for all protocols'
    make the http proxy 127.0.0.1 on port 8080 
    Bring up a browser and go to some porn site... it should be blocked from the Fedora Box. 
8) make 8080 reachable from outside the box:
    System->Admin->Firewall->Other Ports, Add 8080 as TCP 

Now that DansGuardian is listening on port 8080, and forwarding to Squid on 3128, the proxy is set up.  Next is to put an IPTables Rule in the kids router to forward all web traffic to this Fedora Box on port 8080.  

DD-WRT Setup:

This site gives info on how to put in a rule on a DD-WRT router:  http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy

Basically, copy this script to your dd-wrt router under Admin-Commands:

#!/bin/sh
PROXY_IP=192.168.1.10
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

Then press the "Save Firewall" button, and reboot.  

Now the kids web traffic is being routed from the dd-wrt router, to DansGuardian to Squid, to the website, and back to Squid for proxying, through DansGuadian for filtering, and back to their PC.  

DansGuardian Tweaking:

Since I have a young child, I wanted to lock down DansGuardian a bit more than the default, which seemed to be "young adult"

I changed weightedphrasemode from 2 to 1 in /etc/dansguardian/dansguardian.conf.   
I also commented out .cab as an extension in the /etc/dansguardian/lists/bannedextenstionlist because I wanted Windows to be able to do an update.

That was it!   Now when the kids try to go to inappropriate sites, they'll get blocked like this:


Comments

  1. Great article! Only one problem, Free Blacklists Suck!


    We specialize in serving intelligent network administrators high quality blacklists for effective, targeted inline web filtering.
    There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.

    It would be our pleasure to serve you,

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

    ReplyDelete

Post a Comment

Popular posts from this blog

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from: http://www.amazon.com/gp/product/B00C37AZXK/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

Beaglebone Black as a Wireless Intrusion Detection System (WIDS)

Recently I have been wanting a wireless IDS (WIDS) to detect nefarious wifi activity.  I also had a Beaglebone Black hanging around that I wanted to put to good use.   This seemed like a perfect match, and indeed it seems to be so!

I did some research on WIDSs, and although there is SUPPOSED to be several out there, nearly all that I seemed to find was commercial and Windows-based products, not something I could use myself.   
About the only exception to that rule was Kismet, so I decided to give that a try.  Kismet is supposed to work as a WIDS, and per its documentation should catch the following attacks:
Kismet supports the following alerts, where applicable the WVE (Wireless Vulnerability and Exploits, www.wve.org) ID is included: AIRJACKSSID Fingerprint Deprecated The original 802.11 hacking tools, Airjack, set the initial SSID to 'airjack' when starting up. This alert is no longer relevant as the Airjac…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:
https://www.linuxquestions.org/questions/linux-newbie-8/inte…