I have been reading around this board for a while and I hope that I can get a little help, or rather I hope that I can manage to explain my situation.

Here we go:

I have set up a little network system for a charity. I have a server box running squid/dansguardian as a virtual machine. Dansguardian is a content filtering solution that works well with the existing class of 9 computers. The proxy is fixed at 192.168.0.123. The computers range from 192.168.0.101 to 109.

The gateway for the class computers is the router 192.168.0.4.

The gateway for the proxy is also 192.168.0.4.

The browsers in all class computers are set to go through the proxy at 192.168.0.123

Everything works...BUT they wanted to set up access restrictions for the class computers (e.g. students can use the internet only from 2 pm to 4 pm every day but bla bla bla)

I just got the Linksys WRT GL (linux version) and loaded the tomato firmware on it (great access restriction). I call it 192.168.0.5

How do I wire everything up to have both the content filtering and the access restrictions of the new box implemented all together?

I tried leaving 192.168.0.4 as is (gateway configuration) and setting up the new 192.168.0.5 as a router (not gateway).

<class computers>---<switch>---<router 192.168.0.5>---<gateway 192.168.0.4>

Here I connected the two routers in such a way that the WAN of 192.168.0.5 is connected to the LAN1 of 192.168.0.4 and the WAN of 192.168.0.4 is connected to the modem. Something hangs up!!! What should I do???

Well for starters why would you have added another router??? There is no point to it, and 2nd that type of setup is a double NAT.. again why??

Squid is more than capable of access control -- why would you have not looked into that vs getting another router??

http://www.linuxhomenetworking.com/wiki/in...s_Control_Lists

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; they are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

http://wiki.squid-cache.org/SquidFaq/Squid...bb69030e0b7c906

How can I allow some clients to use the cache at specific times?

Let's say you have two workstations that should only be allowed access to the Internet during working hours (8:30 - 17:30). You can use something like this:

acl FOO src 10.1.2.3 10.1.2.4
acl WORKING time MTWHF 08:30-17:30
http_access allow FOO WORKING
http_access deny FOO

How can I allow some users to use the cache at specific times?

acl USER1 proxy_auth Dick
acl USER2 proxy_auth Jane
acl DAY time 06:00-18:00
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2

etc.. etc.. etc... RTFM of the software you're already using before spending money on something else ;)

Thank you BudMan - I am fiddling with this right now. Hopefully I will get it to work!

One thing with the router option was that the GUI is extremely user friendly compared to the above. That is in case the local user admin wanted to change the restrictions without my involvement.

I am getting this to work now based on your recommendation...will report back!

I fail to understand the logic to how just because there is a gui, it makes something easier??

A simple straight forward line that states Allow or Deny seems pretty Freaking easy to me ;)

Look at it like this -- your text editor is your "GUI" to your config file -- so see a GUI can be used to edit your config ;)

my network is 192.168.0.1-192.168.0.255

localhost is 127.0.0.1

I have everything set up in squid.conf as per instructions...filter works... dansguardian works except that the server cannot deny certain ip numbers e.g. 192.168.0.110!!!

It is as though it is treating everyone as being on 127.0.0.1!!! The logs are good though. They tell me 192.168.0.110 did what and when.

Is there a problem in my routing? (Squid is 127.0.0.1 of course and locally it is 192.168.0.123) How do I fix this so it sees IP numbers? (I am currently also using webmin but have ultimately gone into manual text editing.)

Here is my other squid.conf:

http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
acl our_networks src 192.168.0.1-192.168.0.255
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl purge method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
http_access allow manager localhost
#
# follow_x_forwarded_for allow our_networks
#
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl Bad src 192.168.0.110
# acl WORKING time M T W H F 13:00-14:00
http_access deny Bad
http_access allow localhost
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache

Well how exactly are your users hitting squid? Since you have it only listening on 127.0.0.1

http_port 127.0.0.1:3128

Just set that to the port only, and it will listen on all IPs

BTW you have the acl for WORKING remarked out

"# acl WORKING time M T W H F 13:00-14:00"
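The top-to-bottom, first-match http_access evaluation quoted earlier in the thread, and the "everyone looks like 127.0.0.1" symptom from the last posts, modelled in Python as an added example (this is not code from the thread, from Squid, or from DansGuardian). It parses the src and time ACL types and http_access lines from a constructed squid.conf fragment built out of the thread's own rules; the fragment, parse_config, acl_matches, http_access and decide are all constructed for this example.

```python
import ipaddress, datetime
def parse_config(text):
    acls, rules = {}, []
    for parts in (line.split("#", 1)[0].split() for line in text.splitlines()):
        if parts[:1] == ["acl"]:  # acl NAME TYPE arg...; repeated names accumulate args
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:  # http_access allow|deny NAME [NAME...]
            rules.append((parts[1], parts[2:]))
    return acls, rules

def src_matches(ip, arg):  # 'a.b.c.d', 'a.b.c.d/mask' or 'addr1-addr2', as Squid's src acl takes
    if "-" in arg:
        lo, hi = map(ipaddress.ip_address, arg.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(arg, strict=False)

def acl_matches(acl, req):
    kind, args = acl
    if kind == "src":
        return any(src_matches(ipaddress.ip_address(req["src"]), a) for a in args)
    if kind == "time":  # optional day letters (spaced or run together), then h1:m1-h2:m2
        when, days = req["when"], "".join(a for a in args if ":" not in a)
        if days and when.weekday() not in {"MTWHFAS".index(d) for d in days}:  # Mon=0..Sun=6
            return False
        lo, hi = (tuple(map(int, t.split(":"))) for t in args[-1].split("-"))
        return lo <= (when.hour, when.minute) < hi
    raise ValueError(f"acl type {kind!r} not modelled here")

def http_access(acls, rules, req):
    """First matching line wins; a line matches only if every ACL on it matches ('!' negates one).
    If no line matches, Squid applies the opposite of the last line's verdict."""
    for verdict, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return verdict
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed squid.conf fragment combining the thread's rules (not the poster's real file).
CONF = """
acl our_networks src 192.168.0.1-192.168.0.255
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl Bad src 192.168.0.110
acl WORKING time M T W H F 13:00-14:00
http_access deny Bad
http_access allow localhost
http_access allow our_networks WORKING
http_access deny all"""
def decide(src, when):  # when is 'YYYY-MM-DD HH:MM', the moment Squid sees the request
    req = {"src": src, "when": datetime.datetime.fromisoformat(when)}
    return http_access(*parse_config(CONF), req)
```

Squid's src ACLs test the address of the TCP connection it accepts, so a client that reaches Squid through another local process shows up as 127.0.0.1 and is allowed by the localhost line no matter what "deny Bad" says. With the time ACL defined and used, the working-hours restriction from the thread applies only to clients Squid actually sees by their own address.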
