Skip to main content

DansGuardian Setup with DD-WRT Forwarding


Recently my PacketProtector UTM died, and because the PacketProtector site has gone down, I started looking for another solution to protect the kids.  Here were my requirements:
1) it had to be a network solution, external to the kids boxes, so they couldn't get around it
2) it had to be a router solution, as I didn't want to put a box on my network consuming power and making noise

Smoothwall is a great solution, if only it were in a router.  I really wanted a router solution like I had with PacketProtector, but upon searching, nobody seems to have gotten Smoothwall or Dansguardian working as an embedded solution on a router.  I was amazed that nobody has gotten Dansguardian integrated into dd-wrt!  

So here is my solution:  Since the kids are on their own network, which I want protected, I set up a DansGuardian proxy box as a VM on the existing network outside of their network, and forwarded all packets from their network through this proxy. 

DansGuardian Set Up

So, I installed DansGuardian as a VM on the outside network, using Fedora 14 as the host, according to the instructions at www.liberiangeek.net/2010/04/how-to-install-dansguardian-web-content-filter-in-fedora/

Basically, this install went like this:
1) install Fedora 14 and patch it
2) System->Admin->Add/Remove Software->Add Squid
3) System->Admin->Add/Remove Software->Add Dansguardian
4) vi /etc/squid/squid.conf to change line 3128 from
      "http port 3128" 
      to
      "http port 3128 transparent"
5) automatically start DansGuardian by typing 'su -c chkconfig dansguardian on'
6) automatically start Squid by typing 'su -c chkconfig squid on'
7) check that Dansguardian is working:
    System->Preferences->Network Proxy
    Check 'Manual Proxy Config"
    Check 'Use the same proxy for all protocols'
    make the http proxy 127.0.0.1 on port 8080 
    Bring up a browser and go to some porn site... it should be blocked from the Fedora Box. 
8) make 8080 reachable from outside the box:
    System->Admin->Firewall->Other Ports, Add 8080 as TCP 

Now that DansGuardian is listening on port 8080, and forwarding to Squid on 3128, the proxy is set up.  Next is to put an IPTables Rule in the kids router to forward all web traffic to this Fedora Box on port 8080.  

DD-WRT Setup:

This site gives info on how to put in a rule on a DD-WRT router:  http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy

Basically, copy this script to your dd-wrt router under Admin-Commands:

#!/bin/sh
PROXY_IP=192.168.1.10
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

Then press the "Save Firewall" button, and reboot.  

Now the kids web traffic is being routed from the dd-wrt router, to DansGuardian to Squid, to the website, and back to Squid for proxying, through DansGuadian for filtering, and back to their PC.  

DansGuardian Tweaking:

Since I have a young child, I wanted to lock down DansGuardian a bit more than the default, which seemed to be "young adult"

I changed weightedphrasemode from 2 to 1 in /etc/dansguardian/dansguardian.conf.   
I also commented out .cab as an extension in the /etc/dansguardian/lists/bannedextenstionlist because I wanted Windows to be able to do an update.

That was it!   Now when the kids try to go to inappropriate sites, they'll get blocked like this:


Comments

Popular posts from this blog

HP c6180 Printer and Vista

Hp c6180 driver issues with Vista Home Premium My wife has a Vista Home Premium laptop, and the HP C6180 Photosmart printer keeps disappearing from her available printers.  The only way I've found to fix the problem is to reinstall all the HP software. When I do this, I have to download the (large..507M software from HP, or reinstall the printer (ONLY the printer, not the scanner) with the installation disk, as the drivers are not discovered with a "Windows Update" setting.  My guess is that is because HP doesn't like people to install only the printer driver, which would be easy, but they want folks to install all their crapware as well, so they are withholding the drivers from the on-line Microsoft printer database.  So keep your installation CD!  I've also found that unless I install everything on the CD or in the Full Version download (HP Customer Participation Program, HP Imaging Device functions, HP OCR SW, HP All-In-one SW, HP Photosmart Essential, HP

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms: I could tftp a file from-to any Kali box from-to another Kali box I could NOT tftp files to a specific Windows 7 box from any Kali box I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable. Thus, I switched to tftpd-hpa.   To install: apt-get install tftpd-hpa files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to: chroot -R /srv/tftp Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa: change "TFTP_OPTIONS="--secure"  to "TFTP_OPTIONS="--secure --create" I al

Security Onion on the Antsle

My Setup of Security Onion on the Antsle: Recently my IDS box, an Intel Atom D2500 Fanless Mini-ITX PC, D2500CCE, died.  Truth be told, I think it came from the factory in a bad state, as I originally thought I had a bad graphics driver, but I then noticed that, after much troubleshooting, it wasn't a driver issue at all.  The box just sometimes wouldn't boot up correctly with video.  It seems heat related, something like not enough thermal paste on the CPU, as after it is powered off for a while it is more likely to boot than when it is warm.  Along with that issue, this box maxed out at 4GB of RAM (only has 2 memory slots, each of which will only take a 2GB card max) and had a single processor, so it was under powered for Security Onion. So, I decided to quit limping along on P.O.S. boxes, and buy a little more heavyweight box for my networked IDS.   Security Onion requires a minimum of 8GB of RAM, and 4 cores per their specs page https://github.com/secur