suketi's blog

The best filter is coming from your heart

Yay, finally writing again… This blog was supposed to get one post each month but I ruined it, hahaha… Well, about a couple of weeks ago I finished my silly mocky filter. The filter is squid 3.1.10 installed on my Slackware laptop using a SlackBuild script. Yes, I run squid on my laptop. So it's some kind of "proxy on a single PC" or "localhost proxy". That's why I chose to call it a filter instead of a proxy :D

Filter

The first step is using Nawala Nusantara as dns_nameservers. Nawala is a free service for internet users who need a filter against negative sites. It's like OpenDNS with an Indonesian taste. You can go to Nawala here. Just for your info, the Indonesian government has ordered all Internet Service Providers to block porn sites since the 2nd week of August 2010. Most ISPs use a proxy for their home products, so by default porn sites have already been blocked by my ISP. But a DNS filter is not very effective, since it only blocks sites that are on its blacklist. There are thousands of porn sites out there, with more every day, and the rest you can still find by simply googling :P. Once you specify dns_nameservers, squid ignores the nameservers defined in resolv.conf and uses only the ones listed in squid.conf.

dns_nameservers 180.131.144.144 180.131.145.145

The next step is access lists. This is the strong point of squid, I think :). The weakness of the DNS filter can be handled well by url_regex. It's easy to set up squid as a filter (though of course it always depends on what you want to filter). For me, I just wanted to block some adult words. So I made two files: "blok.txt" for words that will be blocked, and "boleh.txt" to allow neutral words that happen to contain a match for words you defined in "blok.txt", e.g. password or classic instead of ass, and document instead of cum. Now you cannot google for ass or cum anymore :P, but you still can for password, classic and document. Remember that you have to put http_access allow first and then http_access deny, because squid stops at the first http_access line whose ACLs match.

acl boleh url_regex -i "/etc/squid/boleh.txt"
acl blok url_regex -i "/etc/squid/blok.txt"
http_access allow boleh
http_access deny blok

And the last step is limiting internet use by time. This is part of the access lists too. It prevents me from sleeping late :D. I made the internet inaccessible after 11.00 pm and accessible again at 05.00 am.

acl waktuefektif time SMTWHFA 05:00-23:00
http_access allow manager localhost waktuefektif
http_access allow localnet waktuefektif
http_access allow localhost waktuefektif
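To see how squid walks these http_access lines, here is an added Python simulation (my example, not code from the post or from squid) of first-match evaluation over the url_regex and time ACLs above. The contents of boleh.txt and blok.txt are constructed from the few words the post mentions; the manager and localnet lines are left out; treating the boundary minutes of the time range as inclusive is an assumption of this model.

```python
import re
from datetime import datetime

# Constructed stand-ins for the contents of /etc/squid/boleh.txt and
# /etc/squid/blok.txt (the post only names the files and a few words).
BOLEH_WORDS = ["password", "classic", "document"]   # neutral words to allow
BLOK_WORDS = ["ass", "cum"]                          # words to block

SQUID_DAYS = "SMTWHFA"   # squid day codes: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat


def url_regex(words):
    """Matcher for 'acl NAME url_regex -i FILE': case-insensitive search anywhere in the URL."""
    patterns = [re.compile(w, re.IGNORECASE) for w in words]
    return lambda req: any(p.search(req["url"]) for p in patterns)


def time_acl(spec):
    """Matcher for 'acl NAME time DAYS hh:mm-hh:mm' (boundary minutes inclusive; an assumption)."""
    days, span = spec.split()
    start, end = (tuple(int(x) for x in t.split(":")) for t in span.split("-"))

    def match(req):
        when = req["time"]
        day_code = SQUID_DAYS[(when.weekday() + 1) % 7]   # Python Monday=0 -> squid index 1 ('M')
        return day_code in days and start <= (when.hour, when.minute) <= end

    return match


def src_acl(address):
    """Matcher for 'acl NAME src ADDRESS' (single address only)."""
    return lambda req: req["src"] == address


ACLS = {
    "boleh": url_regex(BOLEH_WORDS),
    "blok": url_regex(BLOK_WORDS),
    "waktuefektif": time_acl("SMTWHFA 05:00-23:00"),
    "localhost": src_acl("127.0.0.1"),
}

# http_access lines in the order the post lists them (manager/localnet lines omitted).
HTTP_ACCESS = [
    ("allow", ["boleh"]),
    ("deny", ["blok"]),
    ("allow", ["localhost", "waktuefektif"]),
]


def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """First http_access line whose ACLs all match decides. If no line matches,
    squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acls[name](req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(url, hour, minute=0, src="127.0.0.1"):
    """Evaluate one request on a constructed Wednesday (2010-09-01) at the given time."""
    return http_access({"src": src, "url": url, "time": datetime(2010, 9, 1, hour, minute)})


if __name__ == "__main__":
    for url, hour in [
        ("http://www.google.com/search?q=classic+cars", 12),  # 'classic' contains 'ass', but boleh wins
        ("http://www.google.com/search?q=cum", 12),           # blocked word, no boleh match
        ("http://example.org/", 2),                           # clean URL but outside 05:00-23:00
        ("http://example.org/reset-password", 2),             # allow boleh comes before the time rule
    ]:
        print(f"{hour:02d}:00 {url:48} -> {decide(url, hour)}")
```

The last case is the one worth noticing: because `http_access allow boleh` is evaluated before the time rule, any URL containing a boleh word is allowed even at 2 am. If the curfew should win, the time-based lines have to come before the word lists (for example a `deny !waktuefektif` first).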

Transparent or Intercept?

The filter is ready by now. It only needs a little configuration in the browser to connect to squid manually. But come on… where is the filter if you can change your browser's settings so easily? Just make squid a transparent proxy, as other people do :). So, here's how I made my squid transparent.

http_port 127.0.0.1:3128 transparent

Since version 3 there is no transparent option in "squid.conf" anymore; it has been replaced by intercept. But transparent still seems to work :D

#chmod +x /etc/rc.d/rc.ip_forward

Make sure Linux can forward IPv4 packets (it is probably not enabled yet if your machine has never acted as a router before :D). Make "/etc/rc.d/rc.ip_forward" executable to activate IP packet forwarding at boot time.

#chmod +x /etc/rc.d/rc.firewall

Next, redirect all traffic destined for the HTTP port to the squid port. Let iptables do its job. For this, you need to make your own "/etc/rc.d/rc.firewall" containing the iptables rules. Make it executable so it runs at every boot.

#!/bin/sh
# this is /etc/rc.d/rc.firewall
# which iptables
IPT="/usr/sbin/iptables"
# Internet Interface
INET_IFACE="ppp0"
$IPT -t nat -F   # flush the nat table first, so re-running the script does not duplicate rules
$IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT   # squid's own upstream requests (user nobody) leave untouched
$IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j REDIRECT --to 3128   # every other local HTTP connection goes to squid
$IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 3128 -j REDIRECT --to 3128   # common open-proxy ports are sent to squid as well
$IPT -t nat -A OUTPUT -o $INET_IFACE -p tcp --dport 8080 -j REDIRECT --to 3128
echo "Flush iptables then set rules for transparent proxy ... Done."

In the 8th line (the rule with --uid-owner nobody), I have to tell iptables to accept all HTTP traffic coming from the user nobody, since the SlackBuild script runs squid as user and group nobody. Don't skip this rule, or you won't be able to connect to the internet at all: squid's own outgoing requests would be redirected back into squid, and you will find loop errors in your "cache.log". Credits to Google Guy and Squid Guy "Henrik Nordstrom" :mrgreen: here. And in the next line, yes, it should be OUTPUT, not PREROUTING, since I am redirecting packets from localhost, not from client(s). I also redirect the ports that are usually used by open proxies.
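The loop described above, as an added Python simulation (my example, not the post's script): it models the nat OUTPUT chain with first-match semantics and follows a browser connection through squid, which re-enters the same chain when it fetches from the origin as user nobody. The user name "suketi" for the browser, the default ACCEPT policy of the chain, and the way squid reconnects to the original destination port are assumptions of this model.

```python
# Model of the iptables nat OUTPUT chain from rc.firewall (added simulation, not
# the post's own script). A packet is the uid of the sending process, the
# destination port and the outgoing interface; rules match on port and optional owner.

INET_IFACE = "ppp0"
SQUID_UID = "nobody"      # the user the SlackBuild runs squid as


def rule(dport, target, uid=None):
    return {"dport": dport, "uid": uid, "target": target}


# Rules in the order rc.firewall appends them
RC_FIREWALL_OUTPUT = [
    rule(80, "ACCEPT", uid=SQUID_UID),   # -m owner --uid-owner nobody -j ACCEPT
    rule(80, "REDIRECT"),                # -j REDIRECT --to 3128
    rule(3128, "REDIRECT"),
    rule(8080, "REDIRECT"),
]


def nat_output(chain, pkt):
    """First matching rule decides; the nat OUTPUT policy is ACCEPT (assumed, the default)."""
    if pkt["out"] != INET_IFACE:
        return "ACCEPT"
    for r in chain:
        if r["dport"] == pkt["dport"] and r["uid"] in (None, pkt["uid"]):
            return r["target"]
    return "ACCEPT"


def trace(chain, uid="suketi", dport=80, max_hops=4):
    """Follow a browser connection. Every REDIRECT hands it to squid, which then
    opens its own connection to the original destination port as SQUID_UID and
    passes through the same chain again. Returns (hops, 'origin' | 'loop')."""
    hops = []
    pkt = {"uid": uid, "dport": dport, "out": INET_IFACE}
    for _ in range(max_hops):
        target = nat_output(chain, pkt)
        hops.append((pkt["uid"], pkt["dport"], target))
        if target != "REDIRECT":
            return hops, "origin"
        pkt = {"uid": SQUID_UID, "dport": dport, "out": INET_IFACE}
    return hops, "loop"


def without_owner_rule(chain):
    """The chain with the --uid-owner ACCEPT line left out (the mistake the post warns about)."""
    return [r for r in chain if r["uid"] is None]


def add_owner_exceptions(chain):
    """Fix: give every redirected port the same --uid-owner ACCEPT that port 80 has."""
    redirected = sorted({r["dport"] for r in chain if r["target"] == "REDIRECT"})
    accepts = [rule(p, "ACCEPT", uid=SQUID_UID) for p in redirected]
    return accepts + [r for r in chain if r["uid"] is None]


if __name__ == "__main__":
    print("port 80, as in rc.firewall   :", trace(RC_FIREWALL_OUTPUT))
    print("port 80, owner rule missing  :", trace(without_owner_rule(RC_FIREWALL_OUTPUT)))
    print("port 8080, as in rc.firewall :", trace(RC_FIREWALL_OUTPUT, dport=8080))
    print("port 8080, with exceptions   :", trace(add_owner_exceptions(RC_FIREWALL_OUTPUT), dport=8080))
    print("port 443 (not redirected)    :", trace(RC_FIREWALL_OUTPUT, dport=443))
```

Two things the model makes visible: the owner exception only covers --dport 80, so in this model a request to an origin on port 8080 or 3128 is redirected to squid, and squid's own connection to that port is redirected again; the same --uid-owner ACCEPT is needed for each redirected port. And port 443 is never redirected, so HTTPS traffic passes the word filter and the curfew untouched.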

#chmod +x /etc/rc.d/rc.squid
#chmod +x /etc/rc.d/rc.local

And finally, make "/etc/rc.d/rc.squid", "/etc/rc.d/rc.local" and "/etc/rc.d/rc.local_shutdown" executable so squid starts and stops automatically. You can simply copy "/etc/rc.d/rc.local" to "/etc/rc.d/rc.local_shutdown" (and change start to stop in the copy).

#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
# Starting SQUID
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi

Healthy Internet

This post is getting too long :) But this is the best I can do to keep my internet healthy. But how about SEO (Search Engine Optimization) or AGC (Auto Generated Content) or things like that? 8-)
