Hi,

I am using a wrt54g v2.2 router with openwrt experimental installed on it.  Everything is working fine.

I am using it in a public location where there children around and therefore would like to restrict access to safe websites only.   Is there any way to do this?

I know that Net Nanny, Cyber Sitter, etc, offer services for this, but I think that all of those require you to download their software.  That is not gonna work with a wireless environment as the user can choose to simply not download.  I need a way to restrict access either on the router, itself or on another computer off-location.   

Is here any parental control software, or gateway software for linux that would run on the wrt54g? Is there a way to use the RADIUS server to control this?

Anyone have any ideas?

Much appreciated!

What about setting up a proxy (like sqid), and then deny access to certain sites?

I believe that a proxy can even block certain words, like "F***, S**" and so on...

an internet proxy?

But wouldn't that require the user to enter the proxy information into the web browser?
Couldn't the user just choose not to enter that information, and browse whatever sites he chooses?

Then disable NAT and allow internet access via the proxy only.

ok..

this is starting to make sense now.  OK I'm going to need a bit more help on setting this up.

So I have my openwrt box right now.. I would need a computer sitting between this and the internet connection to act as the proxy right?

How do I setup the wireless router to go through the proxy?
What proxy should I use on the computer? macsat you mentioned squid.. squid allows transparent proxying right?
And then I should use something like squidguard (http://www.squidguard.org/) which would take care of the content filtering.

Ok now I need help on getting the wireless router to go through the proxy.. The proxy needs to be totally transparent (no client-side configuration needed).

Any ideas on how to do this?

Thanks a lot macsat and grimson!

you can run squid on the openwrt, and use iptables to do transparent proxy
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4

Ok.. but I need to blacklist those porn/bomb making sites too..

I have a blacklist and it's over 10mb, no way it's gonna fit on the openwrt
So I need to put squid and the blacklist on a seperate computer..

How do I setup openwrt to go through that computer?

Thanks

http://en.tldp.org/HOWTO/TransparentProxy-6.html

Yeah I think i'll do it that way..

Question is, since my blacklist is on a seperate computer, do I need to install squid on both the openwrt AND the other computer as well? (E.g squid on openwrt is set to redirect all proxy requests to the other box)

Or can I just use iptables on the openwrt to redirect all requests directly to the other box WITHOUT having to install squid?

I don't really understand iptables that well, so I'm sorry if this is a noobish question.

I appreciate all your help so far guys.. Thanks!

I tried it out on my net which looks like this:

192.168.1.0 -> wrt54gs(lan=192.168.1.1/wan=192.168.9.98) -> squid/centos4.1(lan=192.168.9.10/wan=192.168.0.10) -> firewall/router(lan=192.168.0.2/wan=dhcp) -> adsl/router -> internet

The wrt54gs is doing iptable redirection to the squid box running on the centos4.1 box (www.centos.org) with minor config changes.

Edited file://192.168.9.10/etc/squid/squid.conf

root@squid# diff /etc/squid/squid.conf /etc/squid/squid.conf.default
1860,1861c1860
< acl our_networks src 192.168.9.0/24
< http_access allow our_networks
---
> #http_access allow our_networks
2092d2090
< visible_hostname squid.dyndns.org
2180,2181c2178
< httpd_accel_host virtual
< httpd_accel_port 80
---
> # httpd_accel_port 80
2210c2207
< httpd_accel_with_proxy on
---
> # httpd_accel_with_proxy off
2230c2227
< httpd_accel_uses_host_header on
---
> # httpd_accel_uses_host_header off

Started up squid:

root@squid# service squid start
init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

Then did this to the wrt54gs box:

root@goose:/# iptables -t nat -A PREROUTING -i br0 -s ! 192.168.9.10 -p tcp --dport 80 -j DNAT --to 192.168.9.10:3128
root@goose:/# iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.1.0 -d 192.168.9.10 -j SNAT --to 192.168.1.1
root@goose:/# iptables -A FORWARD -s 192.168.1.0 -d 192.168.9.10 -i br0 -o vlan1 -p tcp --dport 3128 -j ACCEPT

Finally, did some browsing on the 192.168.1.10 to test.  I didn't try to add a wireless network into the mix, just the lan.

I've been trying to set up a transparent proxy as well, and I have the proxy server set up, but can't seem to get routing working properly.

I have everything behind the router (the proxy, and the computers I want proxied).

My network is like this:

(local lan)<--(192.168.11.0)-->[router (lan=192.168.11.1,wan=DHCP from ISP)]<--->{INTARWEB}

The proxy server is a computer in the local lan with an ip address of 192.168.11.40.

The other computers in the lan should be sent to the proxy server to get out over port 80.

From reading the site linked and the previous example, these were the iptables rules I came up with:

iptables -t nat -A PREROUTING -i br0 -s ! 192.168.11.40 -p tcp --dport 80 -j DNAT --to 192.168.11.40:8888
iptables -t nat -A POSTROUTING -o br0 -s 192.168.11.0 -d 192.168.11.40 -j SNAT --to 192.168.11.1
iptables -A FORWARD -s 192.168.11.0 -d 192.168.11.40 -i br0 -o br0 -p tcp --dport 8888 -j ACCEPT

I would imagine the chain of events should be
- Make a request from 192.168.11.2 on port 80
- Request gets to the 192.168.11.1, which sends the request to 192.168.11.40:8888
- 192.168.11.40 takes the request, does its proxy thing, and then sends a request to 192.168.11.1 on port 80
- 192.168.11.1 lets the request through and returns the data to 192.168.11.40
- 192.168.11.40 returns the data to 192.168.11.2

Does that sound about right? what are my iptables rules missing?

I recommend you set up a seperate vlan and ip range for the proxy box.. it will make the routing and nat a lot cleaner and easier