I have been reading around this board for a while and I hope that I can get a little help, or rather I hope that I can manage to explain my situation.

Here we go:

I have set up a little network system for a charity. I have a server box running squid/dansguardian as a virtual machine. Dansguardian is a content filtering solution that works well with the existing class of 9 computers. The proxy is fixed at 192.168.0.123. The computers range from 192.168.0.101 to 109.

The gateway for the class computers is the router 192.168.0.4.

The gateway for the proxy is also 192.168.0.4.

The browsers in all class computers are set to go through the proxy at 192.168.0.123

Everything works...BUT they wanted to set up access restrictions for the class computers (e.g. students can use the internet only from 2 pm to 4 pm every day but bla bla bla)

I just got the Linksys WRT GL (linux version) and loaded the tomato firmware on it (great access restriction). I call it 192.168.0.5

How do I wire everything up to have both the content filtering and the access restrictions of the new box implemented all together?

I tried leaving 192.168.0.4 as is (gateway configuration) and setting up the new 192.168.0.5 as a router (not gateway).

<class computers>---<switch>---<router 192.168.0.5>---<gateway 192.168.0.4>

Here I connected the two routers in such a way that the WAN of 192.168.0.5 is connected to the LAN1 of 192.168.0.4 and the WAN of 192.168.0.4 is connected to the modem. Something hangs up!!! What should I do???

Well for starters why would you have added another router??? There is no point to it, and 2nd that type of setup is a double nat.. again why??

Squid is more than capable of access control -- why would you have not looked into that vs getting another router??

http://www.linuxhomenetworking.com/wiki/in...s_Control_Lists

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; the ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl home_network src 192.168.1.0/24
    acl business_hours time M T W H F 9:00-17:00
    acl RestrictedHost src 192.168.1.23

    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access deny RestrictedHost
    http_access allow home_network business_hours

Or, you can allow morning access only:

    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl mornings time 08:00-12:00

    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access allow mornings

http://wiki.squid-cache.org/SquidFaq/Squid...bb69030e0b7c906

How can I allow some clients to use the cache at specific times?

Let's say you have two workstations that should only be allowed access to the Internet during working hours (8:30 - 17:30). You can use something like this:

    acl FOO src 10.1.2.3 10.1.2.4
    acl WORKING time MTWHF 08:30-17:30
    http_access allow FOO WORKING
    http_access deny FOO

How can I allow some users to use the cache at specific times?

    acl USER1 proxy_auth Dick
    acl USER2 proxy_auth Jane
    acl DAY time 06:00-18:00
    http_access allow USER1 DAY
    http_access deny USER1
    http_access allow USER2 !DAY
    http_access deny USER2

etc.. etc.. etc... RTFM of the software you're already using before spending money on something else ;)
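The top-to-bottom, first-match evaluation described in the ACL documentation quoted above, as an added example (not code from any poster in this thread or from the Squid project). It models only `src` and `time` ACLs; the names `class`, `class_hours`, `GOOD` and `BAD` are hypothetical, and the sample rules are constructed from the class-PC addresses and the 2 pm to 4 pm window mentioned in the first post.

```python
from datetime import datetime  # callers pass datetime objects as `now`
from ipaddress import ip_address, ip_network

DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Monday=0 ... Sunday=6)

def in_src(ip, spec):  # spec: a host, a CIDR/netmask network, or a lo-hi range
    if "-" in spec:
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return lo <= ip_address(ip) <= hi
    return ip_address(ip) in ip_network(spec, strict=False)

def parse_acl(kind, args):
    """Build a predicate(ip, now) for one 'acl NAME src|time ...' line."""
    if kind == "src":
        return lambda ip, now: any(in_src(ip, a) for a in args)
    if kind == "time":
        days = "".join(a for a in args if a[0].isalpha()) or DAYS
        span = next((a for a in args if a[0].isdigit()), "00:00-24:00")
        start, stop = (int(h) * 60 + int(m) for h, m in (p.split(":") for p in span.split("-")))
        return lambda ip, now: (DAYS[now.weekday()] in days
                                and start <= now.hour * 60 + now.minute <= stop)
    raise ValueError(f"ACL type not modelled: {kind}")

def evaluate(config, ip, now):
    """Return 'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    acls, last = {}, "allow"
    for raw in config.splitlines():
        words = raw.split("#")[0].split()
        if words[:1] == ["acl"]:
            acls[words[1]] = parse_acl(words[2], words[3:])
        elif words[:1] == ["http_access"]:
            last = words[1]
            # ACLs on one line are ANDed; a leading '!' negates that ACL
            if all(acls[n.lstrip("!")](ip, now) != n.startswith("!") for n in words[2:]):
                return last
    return "deny" if last == "allow" else "allow"  # no match: opposite of the last line

# Constructed sample for this thread's class PCs; the ACL names are hypothetical.
ACLS = """acl all src 0.0.0.0/0
acl our_networks src 192.168.0.0/24
acl class src 192.168.0.101-192.168.0.109
acl class_hours time 14:00-16:00
"""
GOOD = ACLS + """http_access allow class class_hours
http_access deny class
http_access allow our_networks
http_access deny all
"""
# Broad allow first: first match wins, so the class lines below it are never reached.
BAD = ACLS + "http_access allow our_networks\n" + GOOD[len(ACLS):]
```

Calling `evaluate(GOOD, "192.168.0.105", datetime(2024, 1, 10, 17, 0))` returns `deny`, while the same request against `BAD` returns `allow` because the broad `our_networks` line matches first.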

Thank you BudMan - I am fiddling with this right now. Hopefully I will get it to work!

One thing with the router option was that the GUI is extremely user friendly compared to the above. That is in case the local user admin wanted to change the restrictions without my involvement.

I am getting this to work now based on your recommendation...will report back!

I fail to understand the logic to how just because there is a gui, it makes something easier??

A simple straight forward line that states Allow or Deny seems pretty Freaking easy to me ;)

Look at it like this -- your text editor is your "GUI" to your config file -- so see a GUI can be used to edit your config ;)

my network is 192.168.0.1-192.168.0.255

localhost is 127.0.0.1

I have everything set up in squid.conf as per instructions...filter works... dansguardian works except that the server cannot deny certain ip numbers e.g. 192.168.0.110!!!

It is as though it is treating everyone being on 127.0.0.1!!! The logs are good though. They tell me 192.168.0.110 did what and when.

Is there a problem in my routing? (Squid is 127.0.0.1 of course and locally it is 192.168.0.123) How do I fix this so it sees ip numbers (I am currently also using webmin but have ultimately gone into manual text editing)

Here is my other squid.conf:

    http_port 127.0.0.1:3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    cache_dir ufs /usr/local/squid/var/cache 100 16 256
    access_log /usr/local/squid/var/logs/access.log squid
    cache_log /usr/local/squid/var/logs/cache.log
    auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    #
    acl our_networks src 192.168.0.1-192.168.0.255
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl purge method PURGE
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.1/255.255.255.255
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    #
    http_access allow manager localhost
    #
    # follow_x_forwarded_for allow our_networks
    #
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl Bad src 192.168.0.110
    # acl WORKING time M T W H F 13:00-14:00
    http_access deny Bad
    http_access allow localhost
    http_access allow our_networks
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    cache_effective_user squid
    cache_effective_group squid
    coredump_dir /usr/local/squid/var/cache

Well how exactly are your users hitting squid? Since you have it only listening on 127.0.0.1

http_port 127.0.0.1:3128

Just set that to the port only, and it will listen on all IPs

BTW you have the acl for WORKING remarked out

"# acl WORKING time M T W H F 13:00-14:00"
