I have been reading around this board for a while and I hope that I can get a little help, or rather I hope that I can manage to explain my situation.

Here we go:

I have set up a little network system for a charity. I have a server box running squid/dansguardian as a virtual machine. Dansguardian is a content filtering solution that works well with the existing class of 9 computers. The proxy is fixed at 192.168.0.123. The computers range from 192.168.0.101 to 109.

The gateway for the class computers is the router 192.168.0.4.

The gateway for the proxy is also 192.168.0.4.

The browsers in all class computers are set to go through the proxy at 192.168.0.123

Everything works...BUT they wanted to set up access restriction for the class computers (e.g. students can use the internet only from 2 pm to 4 pm every day but bla bla bla)

I just got the Linksys WRT GL (linux version) and loaded the tomato firmware on it (great access restriction). I call it 192.168.0.5

How do I wire everything up to have both the content filtering and the access restrictions of the new box implemented all together?

I tried leaving 192.168.0.4 as is (gateway configuration) and setting up the new 192.168.0.5 as a router (not gateway).

<class computers>---<switch>---<router 192.168.0.5>---<gateway 192.168.0.4>

Here I connected the two routers in such a way that the WAN of 192.168.0.5 is connected to the LAN1 of 192.168.0.4 and the WAN of 192.168.0.4 is connected to the modem. Something hangs up!!! What should I do???

Well for starters why would you have added another router??? There is no point to it, and 2nd that type of setup is a double nat.. again why??

Squid is more than capable of access control -- why would you have not looked into that vs getting another router??

http://www.linuxhomenetworking.com/wiki/in...s_Control_Lists

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; these are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

http://wiki.squid-cache.org/SquidFaq/Squid...bb69030e0b7c906

How can I allow some clients to use the cache at specific times?

Let's say you have two workstations that should only be allowed access to the Internet during working hours (8:30 - 17:30). You can use something like this:

acl FOO src 10.1.2.3 10.1.2.4
acl WORKING time MTWHF 08:30-17:30
http_access allow FOO WORKING
http_access deny FOO

How can I allow some users to use the cache at specific times?

acl USER1 proxy_auth Dick
acl USER2 proxy_auth Jane
acl DAY time 06:00-18:00
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2

etc.. etc.. etc... RTFM of the software you're already using before spending money on something else ;)

Thank you BudMan - I am fiddling with this right now. Hopefully I will get it to work!

One thing with the router option was that the GUI is extremely user friendly compared to the above. That is in case the local user admin wanted to change the restrictions without my involvement.

I am getting this to work now based on your recommendation...will report back!

I fail to understand the logic to how just because there is a gui, it makes something easier??

A simple straight forward line that states Allow or Deny seems pretty Freaking easy to me ;)

Look at it like this -- your text editor is your "GUI" to your config file -- so see a GUI can be used to edit your config ;)

my network is 192.168.0.1-192.168.0.255

localhost is 127.0.0.1

I have everything set up in squid.conf as per instructions...filter works... dansguardian works except that the server cannot deny certain ip numbers e.g. 192.168.0.110!!!

It is as though it is treating everyone being on 127.0.0.1!!! The logs are good though. They tell me 192.168.0.110 did what and when.

Is there a problem in my routing? (Squid is 127.0.0.1 of course and locally it is 192.168.0.123) How do I fix this so it sees ip numbers (I am currently also using webmin but have ultimately gone into manual text editing)

Here is my other squid.conf:

http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
acl our_networks src 192.168.0.1-192.168.0.255
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl purge method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
http_access allow manager localhost
#
# follow_x_forwarded_for allow our_networks
#
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl Bad src 192.168.0.110
# acl WORKING time M T W H F 13:00-14:00
http_access deny Bad
http_access allow localhost
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache

Well how exactly are your users hitting squid? Since you have it only listening on 127.0.0.1

http_port 127.0.0.1:3128

Just set that to the port only, and it will listen on all IPs

BTW you have the acl for WORKING remarked out

"# acl WORKING time M T W H F 13:00-14:00"
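
The top-to-bottom, first-match http_access rule quoted earlier in this thread, as an added example (not code from any poster or from the Squid project): a small Python evaluator for src and time ACLs, run over a constructed config modelled on the thread's addresses. It assumes, as the original poster suspects, that a request relayed by a filter on the same host reaches Squid with source 127.0.0.1; the ACL names class and CLASSTIME are hypothetical.

```python
import ipaddress
from datetime import datetime

DAYS = "MTWHFAS"  # Squid day letters, ordered like datetime.weekday() (Mon..Sun)
# Constructed config modelled on the thread's network; not the poster's file.
CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl Bad src 192.168.0.110
acl class src 192.168.0.0/24
acl CLASSTIME time 14:00-16:00
http_access deny Bad
http_access allow localhost
http_access allow class CLASSTIME
http_access deny all
"""

def parse(conf):
    """Collect 'acl' lines of type src/time and the ordered 'http_access' lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ("src", "time"):
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(kind, values, src, when):
    if kind == "src":  # true if the client is in any listed address or CIDR block
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    days = "".join(v for v in values if v.isalpha()) or DAYS  # no letters = every day
    spans = [v.split("-") for v in values if "-" in v]
    now = when.strftime("%H:%M")
    in_span = not spans or spans[0][0].zfill(5) <= now <= spans[0][1].zfill(5)
    return DAYS[when.weekday()] in days and in_span

def decide(conf, src, when):
    """First line whose ACLs all match (AND) wins; else opposite of the last line."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], src, when) != n.startswith("!")
               for n in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for src in ("192.168.0.101", "192.168.0.110", "127.0.0.1"):
        print(src, [decide(CONF, src, datetime(2024, 1, 10, h)) for h in (15, 17)])
```

With a loopback source the request is allowed by the localhost line at any hour, so neither the per-host deny nor the time window is ever evaluated. Moving the deny for Bad below the allow for the class network has the same effect for that host inside the time window.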
