Yay, finally write again…This blog should be updated one post each month but i ruined it, hahaha….Well, about a couple weeks ago i just finished my silly mocky filter. The filter is squid 3.1.10 installed on slackware laptop using slackbuild script. Yes i run squid on my laptop. So, it’s like some kinda “proxy on a single PC” or “localhost proxy”. That’s why i choose call it filter instead proxy
The first step is by use Nawala Nusantara as a dns_nameservers. Nawala is a free service that can be used by internet users who need a filter against negative sites. It’s like OpenDNS with Indonesian taste. You can go to Nawala here. Oh just for your info, Indonesia Goverment has ordered all Internet Service Provider to block porn sites since the 2nd week of August 2010. Most of ISPs use proxy for their home based product, so by default porn sites has been blocked by my ISP. But dns filter is not too effective since they just block sites on their blacklist. There are thousands porn sites out there and they become more every day. Then the rest you can still look for by simply googling . By specify dns_nameservers, the nameserver that you define in resolv.conf will be useless.
dns_nameservers 22.214.171.124 126.96.36.199
The next is by use access list. This is the strong point of squid i think . The weakness of dns filter can be handled well by url_regex. It’s so easy to setup squid as a filter (but of course it’s always depend on what you want to filter). For me, i just wanna block some adult things words. So i made two files “blok.txt” for words would be blocked and “boleh.txt” for allow netral words that may contain match words that you have define before on “blok.txt”, eg: password or classic instead ass and document instead cum. Now you cannot googling for ass or cum anymore but still for password, classic, and document. Remember that you have to put http_access allow first then http_access deny.
acl boleh url_regex -i "/etc/squid/boleh.txt" acl blok url_regex -i "/etc/squid/blok.txt" http_access allow boleh http_access deny blok
And the last is by limit the use of internet by time. This is a part of access list too. This is prevents me to sleep late . I made internet cannot be accessed over 11.00 pm and can be accessed again at 05.00 am.
acl waktuefektif time SMTWHFA 05:00-23:00 http_access allow manager localhost waktuefektif http_access allow localnet waktuefektif http_access allow localhost waktuefektif
Transparent or Intercept?
The filter is ready by now. It’s only need a little configuration on browser to manually connect to the squid. But come on…Where is the filter if you can change your browser’s settings easily?Just make your squid as a transparent proxy as other people do . So, here’s how i made my squid transparent.
http_port 127.0.0.1:3128 transparent
Since 3rd version there are no transparent option anymore in “squid.conf”, it replaces by intercept. But transparent look still works
#chmod +x /etc/rc.d/rc.ip_forward
Make sure linux can forward any packet of ipv4 (It’s impossible if yours never acts as router before ). Make “/etc/rc.d/rc.ip_forward” executable to activate IP packet forwarding at boot time.
#chmod +x /etc/rc.d/rc.ip_firewall
Next redirect all http port destination to squid port. Lets the iptables take their jobs. For this, you need to make your own “/etc/rc.d/rc.firewall”. This file will be contain iptables rules. Make it executable to run iptables every boot time.
#!/bin/sh # this is /etc/rc.d/rc.firewall # which iptables IPT="/usr/sbin/iptables" # Internet Interface INET_IFACE="ppp0" $IPT -t nat -F $IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT $IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j REDIRECT --to 3128 $IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 3128 -j REDIRECT --to 3128 $IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 8080 -j REDIRECT --to 3128 echo "Flush iptables then set rules for transparent proxy ... Done."
In the 8th line , i have to tell iptables to accept all http destination coming from nobody (since slackbuild script for default user and group is nobody). You won’t miss this rule because you will cannot connect internet at all. You will find loopback error issue in your “cache.log”. Credits for Google Guy and Squid Guy “Henrik Nordstrom” here. And in the next line, yes it should be OUTPUT not PREROUTING since i will redirect packet from localhost not client(s). I also redirect the ports that are usually used for open proxy
#chmod +x /etc/rc.d/rc.squid #chmod +x /etc/rc.d/rc.local
And the last make “/etc/rc.d/rc.squid”, “/etc/rc.d/rc.local” and “/etc/rc.d/rc.local_shutdown” executable to make squid start and stop automatically. You can simply copy ”/etc/rc.d/rc.local” to ”/etc/rc.d/rc.local_shutdown”
#!/bin/sh # # /etc/rc.d/rc.local: Local system initialization script # # Put any local startup commands in here. Also, if you have # anything that needs to be run at shutdown time you can # make an /etc/rc.d/rc.local_shutdown script and put those # commands in there. # Starting SQUID if [ -x /etc/rc.d/rc.squid ]; then /etc/rc.d/rc.squid start fi
This post start getting too much But this is only the best i can try to make my internet health. But, how about SEO (Search Engine Optimization) or AGC (Auto Generate Content) or things like that?