I have been reading around this board for a while and I hope that I can get a little help, or rather I hope that I can manage to explain my situation.

Here we go:

I have set up a little network system for a charity. I have a server box running squid/dansguardian as a virtual machine. Dansguardian is a content filtering solution that works well with the existing class of 9 computers. The proxy is fixed at 192.168.0.123. The computers range from 192.168.0.101 to 109.

The gateway for the class computers is the router 192.168.0.4.

The gateway for the proxy is also 192.168.0.4.

The browsers in all class computers are set to go through the proxy at 192.168.0.123

Everything works...BUT they wanted to set up access restriction for the class computers (e.g. students can use the internet only from 2 pm to 4 pm every day but bla bla bla)

I just got the Linksys WRT GL (linux version) and loaded the tomato firmware on it (great access restriction). I call it 192.168.0.5

How do I wire everything up to have both the content filtering and the access restrictions of the new box implemented all together?

I tried leaving 192.168.0.4 as is (gateway configuration) and setting up the new 192.168.0.5 as a router (not gateway).

<class computers>---<switch>---<router 192.168.0.5>---<gateway 192.168.0.4>

Here I connected the two routers in such a way that the WAN of 192.168.0.5 is connected to the LAN1 of 192.168.0.4 and the WAN of 192.168.0.4 is connected to the modem. Something hangs up!!! What should I do???

Well for starters why would you have added another router??? There is no point to it, and 2nd that type of setup is a double nat.. again why??

Squid is more than capable of access control -- why would you have not looked into that vs getting another router??

http://www.linuxhomenetworking.com/wiki/in...s_Control_Lists

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; they are then linked to an http_access statement that tells Squid whether or not to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

http://wiki.squid-cache.org/SquidFaq/Squid...bb69030e0b7c906

How can I allow some clients to use the cache at specific times?

Let's say you have two workstations that should only be allowed access to the Internet during working hours (8:30 - 17:30). You can use something like this:

acl FOO src 10.1.2.3 10.1.2.4
acl WORKING time MTWHF 08:30-17:30
http_access allow FOO WORKING
http_access deny FOO

How can I allow some users to use the cache at specific times?

acl USER1 proxy_auth Dick
acl USER2 proxy_auth Jane
acl DAY time 06:00-18:00
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2

etc.. etc.. etc... RTFM of the software you're already using before spending money on something else ;)

Thank you BudMan - I am fiddling with this right now. Hopefully I will get it to work!

One thing with the router option was that the GUI is extremely user friendly compared to the above. That is in case the local user admin wanted to change the restrictions without my involvement.

I am getting this to work now based on your recommendation...will report back!

I fail to understand the logic to how just because there is a gui, it makes something easier??

A simple straightforward line that states Allow or Deny seems pretty Freaking easy to me ;)

Look at it like this -- your text editor is your "GUI" to your config file -- so see a GUI can be used to edit your config ;)

my network is 192.168.0.1-192.168.0.255

localhost is 127.0.0.1

I have everything set up in squid.conf as per instructions...filter works... dansguardian works except that the server cannot deny certain ip numbers e.g. 192.168.0.110!!!

It is as though it is treating everyone being on 127.0.0.1!!! The logs are good though. They tell me 192.168.0.110 did what and when.

Is there a problem in my routing? (Squid is 127.0.0.1 of course and locally it is 192.168.0.123) How do I fix this so it sees ip numbers (I am currently also using webmin but have ultimately gone into manual text editing)

Here is my other squid.conf:

http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
acl our_networks src 192.168.0.1-192.168.0.255
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl purge method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
http_access allow manager localhost
#
# follow_x_forwarded_for allow our_networks
#
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl Bad src 192.168.0.110
# acl WORKING time M T W H F 13:00-14:00
http_access deny Bad
http_access allow localhost
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache

Well how exactly are your users hitting squid? Since you have it only listening on 127.0.0.1

http_port 127.0.0.1:3128

Just set that to the port only, and it will listen on all IPs

BTW you have the acl for WORKING remarked out

"# acl WORKING time M T W H F 13:00-14:00"

This topic is now closed to further replies.
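
Added example (not from any poster in the thread, and not Squid's own code): a minimal Python model of the top-to-bottom, first-match http_access evaluation described in the quoted documentation, run over a trimmed copy of the rules posted above. CLASS and LESSON are hypothetical ACL names for the 2 pm to 4 pm class restriction, and the 127.0.0.1 case assumes the request reaches Squid from a filter on the same host, which is the only way in while http_port is bound to 127.0.0.1.

```python
import ipaddress
from datetime import datetime

# Constructed sample, trimmed from the squid.conf in the thread; CLASS and
# LESSON are hypothetical ACLs for "class PCs only from 2 pm to 4 pm".
CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl Bad src 192.168.0.110
acl CLASS src 192.168.0.101-192.168.0.109
acl LESSON time 14:00-16:00
http_access deny Bad
http_access allow CLASS LESSON
http_access deny CLASS
http_access allow localhost
http_access deny all
"""
DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (A=Sat, S=Sun)

def src_match(values, ip):
    ip = ipaddress.ip_address(ip)
    for v in values:
        if "-" in v:  # addr1-addr2 range
            lo, hi = map(ipaddress.ip_address, v.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(v, strict=False):
            return True
    return False

def time_match(values, now):
    days = "".join(v for v in values if v[0].isalpha()) or DAYS
    spans = [v.split("-") for v in values if v[0].isdigit()]
    hm = now.strftime("%H:%M")
    return DAYS[now.weekday()] in days and (
        not spans or any(a.zfill(5) <= hm <= b.zfill(5) for a, b in spans))

def decide(src, now, conf=CONF):  # first matching http_access line wins
    lines = [l.split("#")[0].split() for l in conf.splitlines()]
    acls = {t[1]: (t[2], t[3:]) for t in lines if t[:1] == ["acl"]}
    for t in (t for t in lines if t[:1] == ["http_access"]):
        def hit(name):
            kind, vals = acls[name.lstrip("!")]
            m = src_match(vals, src) if kind == "src" else time_match(vals, now)
            return m != name.startswith("!")
        if all(hit(n) for n in t[2:]):  # ACLs on one line are ANDed
            return t[1], " ".join(t[2:])
    return "deny", "(no match)"  # not reached here: the list ends in "deny all"
AT_3PM, AT_5PM = datetime(2024, 1, 10, 15, 0), datetime(2024, 1, 10, 17, 0)
```

Calling `decide("192.168.0.110", AT_3PM)` hits `deny Bad`, while the same request seen with source 127.0.0.1 falls through to `allow localhost`, so a src-based deny only works if Squid sees the real client address.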