Protect your network – Tutorial
Build a gateway server that can intelligently filter content and block access to certain websites from certain PCs
This is a project to create a gateway PC that allows you to filter internet traffic. We’re going to use CentOS as the base of our system and the web filter DansGuardian will carry out the filtering for us.
Filtering the internet has never been more topical, and running DansGuardian puts that power into the hands of the administrator. Basic filtering software blocks individual pages, but DansGuardian is adaptive and analyses the content of pages on the fly. Even better, DansGuardian carries out a sophisticated analysis of the content that uses weighted trigger phrases. This means that a single instance of a banned word might not block the page that the user is attempting to access.
The gateway PC sits between your broadband internet connection and the rest of your network and is capable of assigning connection details to client PCs using DHCP. These computers will lack a direct connection to the internet until you configure them to use our proxy setup.
Two Ethernet adaptors
Firefox web browser
Step by step
Step 01 Set up server
Our example network layout revolves around a single server PC with two network adaptors – one connects to the internet (via router or modem) and the other to the rest of the network (via switch or hub). A Wi-Fi connection for the outgoing link is acceptable if it will meet the bandwidth requirements of your network.
Step 02 Install CentOS
Download the latest CentOS DVD image from www.centos.org. This installation is fairly standard until you get to the networking page. Give the computer a meaningful hostname, such as guardian, and then click on Configure Network.
Step 03 Set up the adaptors
Click on a network adaptor, then on Edit… to edit the settings for each one in turn. Select the first adaptor and check ‘Connect automatically’. Now select Method: Manual in the IPv4 tab. Give the first adaptor an address of 10.0.2.100, a netmask of 255.255.255.0 and a gateway corresponding to the IP address of your router. Give the second adaptor an IP address of 10.0.3.100. Accept the changes, then select Desktop installation profile and wait for the installation to complete. Upon reboot, create a basic user when prompted and then login.
Step 04 Become root
For most of this tutorial, you will need to run as root. In CentOS, you can become root by typing su and then inputting the root password. For the bits that don’t need root access, consider hitting Ctrl+T in the terminal window to create a tab with normal user access.
Step 05 Install the repository
Visit the CentOS RPMForge page and follow the instructions there to download the rpmforge-release package. Install DAG’s GPG key as instructed. Now install the package with rpm -i [name of package].rpm. Carry out a yum update to update the system.
Step 06 Install DansGuardian and Squid
DansGuardian and web cache Squid work in tandem with each other. Install them both by issuing the command yum install dansguardian squid.
Step 07 Start DansGuardian and Squid
Throughout this tutorial, we’re going to use the service command to control all services. Start DansGuardian with service dansguardian start and then start Squid with service squid start. Check the output of both commands for errors.
Step 08 Test the proxy
Odds are, Squid and DansGuardian are probably working acceptably well with the default settings. To test this, we’re going to select DansGuardian as the default proxy. Launch Firefox and go to Edit>Preferences>Advanced>Network. Now select the Settings… button. In the Connection Settings dialog, select ‘Manual proxy configuration’. In the HTTP Proxy box, insert 127.0.0.1 with a port of 8080.
Step 09 Test the proxy
Accept the changes you have just made and type wikipedia.com into the URL bar. If everything’s working, the page should display as normal. If you’re in a public place, choose a fairly tame site that should be blocked, such as playboy.com, for testing. You should now see DansGuardian’s default block page.
Step 10 Configure Squid
Type sudo gedit /etc/squid/squid.conf & to open the Squid configuration. Add the lines acl internal_network src 10.0.0.0/8 and http_access allow internal_network. In other words, process requests from machines with IP addresses that begin 10.x.x.x, which is our LAN. Add the line visible_hostname guardian. Type service squid restart to restart Squid.
Step 11 Add DHCPD
Type yum install dnsmasq. Machines connected to the eth1 subnet need to be assigned an IP address. Edit /etc/dnsmasq.conf and add the following lines (the text after # is explanatory – don’t type it):
interface=eth1 # Only activate on the LAN
dhcp-option=eth1,3,10.0.3.100 # Specify the gateway handed to clients: the server’s own LAN address, which must lie on the clients’ subnet
dhcp-range=eth1,10.0.3.10,10.0.3.200,255.255.255.0,24h # Assign IP addresses 10.0.3.10 - 10.0.3.200 with a 24-hour lease
Step 12 Configure services and restart
Type chkconfig --add [name of service] followed by chkconfig [name of service] on, so that the service is managed by init and starts at boot.
Do this for each of the following services: dnsmasq, dansguardian, squid. Now restart the machine.
Step 13 Configure the clients
Connect a machine to your LAN and make sure DHCP is selected on the client. If working, the machines on the LAN should be assigned an IP address on startup – confirm by typing ifconfig into a terminal. In Firefox, set up the proxy as before, but add 10.0.3.100 as the IP address and check ‘Use this proxy server for all protocols’.
Step 14 Configure DansGuardian behaviour
Most of the files that control the filtering behaviour of DansGuardian reside within /etc/dansguardian/lists/ and you can guess many of their functions from their names. When you make a change to these files, restart DansGuardian with service dansguardian restart.
Step 15 Add IP exceptions
/etc/dansguardian/lists/exceptioniplist contains a list of client machines that will not be subjected to any content filtering. Keep this list a secret and assign a static IP to machines that require unfiltered access, so that the exception cannot be picked up by a DHCP client that happens to receive the same address.
Step 16 Add to banned phrases
For ease of management, bannedphraselist includes lists from within the /phraselist subdirectory. However, you can add phrases in this top-level configuration file, and the format is explained in the file itself. Usefully, it’s easy to specify combinations of words that trigger the blocker.
Step 17 URL blacklists
Sites such as urlblacklist.com contain ready-made and frequently updated blacklists. The great thing about these lists is that they are categorised. Some scenarios might require a greater sensitivity towards violent material or pornography or pirated software, for example.
Step 18 Exception phrase lists
Exception phrase lists are a quick way to unblock types of material that you do want to give access to. For example, the sites can be unblocked if they include phrases such as ‘sexual health’. See the file itself for the format, and carry out some tests using Google to see what works.
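To make the weighting described in Steps 16 and 18 concrete, here is a small added example (not DansGuardian’s own code) that models the list syntax and the scoring: a weighted phrase `<phrase><weight>`, a combination `<a>,<b><weight>` that only scores when every part is present, negative weights for “good” phrases, and an exception phrase that exempts the whole page. The lists and pages are constructed, matching is simplified to case-insensitive substring matching, and the limit of 50 is an assumed value standing in for naughtynesslimit in dansguardianf1.conf.

```python
import re

# Constructed lists in the DansGuardian list syntax (not files from the page).
# A bare <phrase> in the exception list exempts the whole page.
SAMPLE_WEIGHTED = """# constructed weightedphraselist
<breast><30>
<nude><40>
<naked>,<pictures><80>
<medical><-40>
"""
SAMPLE_EXCEPTIONS = """# constructed exceptionphraselist
<sexual health>
<breast cancer screening>
"""

def parse_list(text):
    """Return [(phrases, weight)]; weight is None when the entry has none."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(".Include"):
            continue                      # skip comments and .Include<file> lines
        tokens = re.findall(r"<([^<>]+)>", line)
        weight = None
        if len(tokens) > 1 and re.fullmatch(r"-?\d+", tokens[-1]):
            weight = int(tokens.pop())    # a trailing <N> is the weight
        entries.append((tuple(t.lower() for t in tokens), weight))
    return entries

def score_page(html, weighted, exceptions, limit=50):
    """Simplified model of the weighted phrase check (assumption, not DansGuardian's code).

    Case-insensitive substring matching on the tag-stripped page; each entry
    counts once per page; any exception phrase hit exempts the page.
    Returns (blocked, score, hits)."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    for phrases, _ in exceptions:
        if all(p in text for p in phrases):
            return False, 0, ["exception:" + ",".join(phrases)]
    score, hits = 0, []
    for phrases, weight in weighted:
        if all(p in text for p in phrases):          # combinations need every part
            score += limit if weight is None else weight   # bare phrase blocks outright
            hits.append(",".join(phrases))
    return score >= limit, score, hits

def check(html, limit=50):
    """Score a page against the constructed lists above."""
    return score_page(html, parse_list(SAMPLE_WEIGHTED),
                      parse_list(SAMPLE_EXCEPTIONS), limit)
```

Running check() on a page that mentions “breast” once scores 30 and passes, while a page containing both “naked” and “pictures” plus “nude” scores 120 and is blocked, which is the behaviour the introduction describes.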
Step 19 Add virus checker
If the clients on your network use Windows, it may be a good idea to add virus checking of downloaded files. Type yum install clamd. Now open /etc/dansguardian/dansguardian.conf in an editor, search for the line that begins with ‘contentscanner’ and refers to ClamAV, and uncomment it. Start the ClamAV daemon with service clamd start and then restart DansGuardian with service dansguardian restart.
Step 20 Add DNS caching
If you are processing requests from a lot of machines, try adding DNS caching to improve performance. You already have a working DNS cache: Dnsmasq, which we installed to provide DHCP. To activate it, edit /etc/resolv.conf and make sure that ‘nameserver 127.0.0.1’ is the first line and that the other nameserver lines refer to a working DNS server. Reboot the machine. Type dig google.com @localhost to test that local DNS caching is working.