Kimball Larsen wrote:
> Howdy smart people!
>
> I've got a new Ubuntu Jaunty box (named "Silver") with 2 nics - 192.168.0.4 and 192.168.0.5. My home gateway is 192.168.0.1.
>
> I'd like to set up the jaunty box to be the new gateway for all my in-house traffic, such that all clients would connect like this:
>
> Client -> 192.168.0.5 -> Firewall/Content Filter -> 192.168.0.4 -> 192.168.0.1 -> DSL Modem -> Internets.
>
> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put together myself. (dangerous, in my experience).
>
> Here is what I need some help with:
>
> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all ports from 192.168.0.4. Refuse to even accept connections from the lan side from anything else.
>
> b) Set up silver to act as a router for the rest of the network, so that all the clients use 0.5 as their gateway, and silver internally routes everything from 0.5 to 0.4, which in turn uses 0.1 as its gateway.
>
> c) Set up DansGuardian or somesuch in conjunction with squid or whatever is the best for DG to allow for content filtering of all web and IM traffic.
>
> I've got a house full of kids that are getting old enough that the sesame street and PBS sites are not keeping up with them anymore, but I don't want to have to make huge whitelists of sites they can visit on every computer in the house. I'd rather centralize the whole affair as above, but I've never done the whole DansGuardian thing before. Tips? Pointers? Someone want to do this for me?
Hrm. This seems a little complex to me. Doing what is basically a double NAT is probably overkill for this. You can probably do what you are wanting with about 2 iptables rules and no additional nic in 'Silver.'

Basically, all you need to do is add a rule to your OpenWRT box so that anything coming in on the LAN interface, and not from 'Silver', gets redirected to 'Silver' on whatever port you have the proxy running on. Doing this is actually not too far off from how the infamous 'Upside-Down-Ternet' works. [1] (it was fun to do this to roommates for April Fools' Day). You basically would need the second iptables command listed but with the change of the -s to be something like '-s ! 192.168.0.4' and then the --to-destination to be 192.168.0.4. You might want to add a '-i br0' (or whatever your LAN interface is) to the rule so that it only matches traffic coming from the internal LAN side of the router.

The second rule would be something that drops all traffic from source addresses that aren't 192.168.0.4. IIRC, OpenWRT does some funky layouts with its table layout for iptables. So you might have to do some hunting of where this will need to go.

I would recommend against doing a default deny on outgoing traffic. But I still believe that not everything should have to go through a web page. Doing the deny will block lots of things that might be perfectly fine, such as non-web based email. And if you are behind this and want to do something like ssh to a server off your network, you will have to add rules allowing it. Things just get to be a pain.

Also, doing this deny with only the one redirect from above, you will also lock out https access to web sites. You can do a similar rule for https that you do for http. But, redirecting https through your proxy using this method will be a little painful. You should get a lot of certificate errors cause you are basically doing a man in the middle on the SSL connections.

Hopefully that gives you some helpful info.
mike

[1] http://www.ex-parrot.com/pete/upside-down-ternet.html

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
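The two-rule approach mike describes, written out as an added example that is not part of the original thread: a small script that generates the OpenWRT iptables rules, plus the extra accept and masquerade rules a same-subnet redirect needs in practice. It assumes the LAN bridge is br0, Silver is 192.168.0.4 and its proxy listens on 8080 (the port is a placeholder); IPT defaults to "echo iptables", so the script only prints the commands until IPT=iptables is set on the router.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: LAN bridge br0,
# Silver at 192.168.0.4, proxy port 8080 (placeholder). IPT="echo iptables"
# prints the rules; run with IPT=iptables on the router to apply them.
LAN_IF="${LAN_IF:-br0}"
SILVER="${SILVER:-192.168.0.4}"
PROXY_PORT="${PROXY_PORT:-8080}"
IPT="${IPT:-echo iptables}"

# Rule 1: transparent redirect. A TCP/80 connection from any LAN host
# other than Silver is rewritten to go to Silver's proxy port (the
# upside-down-ternet rule with -s negated and Silver as the target).
redirect_rule() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SILVER" -p tcp --dport 80 \
        -j DNAT --to-destination "$SILVER:$PROXY_PORT"
}

# Silver is on the same subnet as the clients. Without this, the proxy
# would answer the client directly from its own address, the client would
# see a reply from the wrong host and reset the connection. Masquerading
# the redirected flow makes Silver reply to the router, which then undoes
# both translations before the packet reaches the client.
masquerade_rule() {
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -d "$SILVER" -p tcp \
        --dport "$PROXY_PORT" -j MASQUERADE
}

# Rule 2: only Silver may forward through the router; everything else
# from the LAN is dropped. The redirected flow still carries the client's
# source address in FORWARD, so it must be accepted before the drop.
# This is the default-deny the post warns about: it also cuts off HTTPS,
# mail and ssh from clients unless they get their own rules.
forward_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SILVER" -p tcp \
        --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$SILVER" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
}

# Emit the rules in order: nat redirect, nat masquerade, then the filter rules.
all_rules() {
    redirect_rule
    masquerade_rule
    forward_rules
}

all_rules
```

The OpenWRT firewall script keeps its own chains, so on a real router these lines belong in its custom-rules hook rather than being appended blindly to PREROUTING and FORWARD.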
