OpenWrt Forum Archive

Topic: [Howto] OpenWrt with transparent, content-filtering proxy

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
ahz2
3 Dec 2006, 18:26

Here's my notes on setting up a Linksys WRT54GS version 1 with OpenWRT White Russian RC6 for our church's cafe.  The main features are (a) transparent web content filtering and (b) firewall to prevent access to local network.  (The Linksys WAN plugged into the local network.)  I've only been trying it out one day. 

# Flash firmware with new image http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin

telnet 192.168.2.1

passwd
# setting password disables telnet and enables ssh

# simple proxy (required by dansguardian)
ipkg install http://openwrt.alphacore.net/tinyproxy_1.6.3_mipsel.ipk
tinyproxy -h # verify transparent support is compiled in
vim /etc/tinyproxy/tinyproxy.conf
#uncomment “Allow 192.168.1.0/25”
“LogLevel Warning”
“User root
Group root”
"StartServers 5"
/etc/init.d/S51tinyproxy start

#setup Dansguardian content filtering
ipkg install zlib libgcc # for dansguardian
ipkg install http://openwrt.alphacore.net/experimental/libstdc++_6.0.3-2_mipsel.ipk # for dansguardian
ipkg install http://openwrt.alphacore.net/experimental/dansguardian_2.8.0.4-4_mipsel.ipk
# Dansguardian eats about 55% of the memory (RSS=16M)
vim /etc/dansguardian/dansguardian.conf
"proxyport = 8888
loglevel = 0
loglocation = '/var/log/dansguardian/access.log'
usernameidmethodproxyauth = off
maxchildren=50
minchildren=4
minsparechildren = 2
preforkchildren = 3"
vim /etc/dansguardian/dansguardianf1.conf
"naughtynesslimit = 220"

vim /etc/dansguardian/languages/ukenglish/template.html
#remove some dansguardian weighted lists
cp /etc/init.d/tinyproxy /etc/init.d/S52dansguardian
vim /etc/init.d/S52dansguardian
"mkdir /var/log/dansguardian
chown nobody /var/log/dansguardian/
mkdir /tmp/dansguardian
chown nobody /tmp/dansguardian/"
/etc/init.d/S52dansguardian start

# setup non-volatile ram
nvram set wl0_ssid=its_up_to_you
nvram set wl0_wep=disabled
nvram set wl0_akm=open
nvram commit

# sync time
ipkg install ntpclient
# follow wiki instructions on ntpclient

# setup time zone
echo "MST7MDT" > /etc/TZ

# test Internet access without proxy
# test Internet access using non-transparent proxy
# test that proxies come up after rebooting

# setup firewall
ipkg install iptables-extra
vim /etc/firewall.user
insmod ipt_REDIRECT
# transparently route traffic through content-filtering web proxy
iptables -t nat -A prerouting_rule -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080 
#accept a limited rate of e-mail: 2 connections per minute (untested!)
iptables -A forwarding_rule -p tcp --dport 25 --syn -m limit --limit 2/min -j ACCEPT
# reject sending e-mail because of spam zombies
#iptables -A forwarding_rule -i br0 -p tcp --dport 25 -j REJECT 
# (local network access)
iptables -A forwarding_rule -i br0 -d 192.168.1.0/24 -j REJECT 
iptables -A forwarding_rule -i br0 -d 192.168.0.0/24 -j REJECT 
# Windows file sharing across a public network?  Bad idea.
iptables -A forwarding_rule -i br0 -p tcp --dport  137 -j REJECT 
iptables -A forwarding_rule -i br0 -p tcp --dport  138 -j REJECT 
iptables -A forwarding_rule -i br0 -p tcp --dport  139 -j REJECT 
iptables -A forwarding_rule -i br0 -p udp --dport  137 -j REJECT 
iptables -A forwarding_rule -i br0 -p udp --dport  138 -j REJECT 
iptables -A forwarding_rule -i br0 -p udp --dport  139 -j REJECT
Post #2
nwcon
5 Dec 2006, 02:04

This is good.  I've just started working on building a dansguardian package using the OpenWRT SDK.

Would you mind sharing your notes on the build process?  I'm most interested in the Makefile you used to build dansguardian under the OpenWRT SDK.

Thanks.

Post #3
ahz2
5 Dec 2006, 05:21

nwcon,

Cross compiling is a pain, so I used Florian's package from the address above.   He is a member of this forum, so maybe he will chime in.

His generally package works nicely.  However, it would be nice to at least include the /etc/init.d/ startup script.  Also, if I were compiling it, I would think about hacking out unnecessary parts of the code to reduce DG's big memory usage.


Andrew

Post #4
nwcon
5 Dec 2006, 16:34

Actually the cross compile went surprisingly easy...if done manually.  I'm just having some minor issues with the Makefile and where things are being put in the build directory.  If I run the configure and make processes by hand using all the necessary flags for cross compiling, it works 'out of the box'.  I'm using dg 2.8.0.6, and I started with the example Makefile (in the SDK Howto) for a program with only a configure script.

I agree, there is a lot of extra baggage to be removed from dg for this environment.

Anyway, once I have the process down, I'll be glad to post my notes.

Post #5
fbcitdept
16 Jan 2007, 05:37

Hi nwcon,
  How did your port of DG go? We are running 2.9.x in a production environment with excellent results. I would like to run it on a linksys with openwrt.

Thanks,
Chris

Post #6
nwcon
16 Jan 2007, 15:21

So far, I've been able to build dansguardian, but I haven't yet had a chance to test it.

Using the OpenWRT SDK, you can build it for testing.  Following the SDK howto, here are my files for dansguardian

Config.in
-------------

config BR2_PACKAGE_DANSGUARDIAN
        prompt "Dansguarian true web content filter"
        tristate
        default m if CONFIG_DEVEL
        help
                Dansguardian web content filter.  You'll need squid or similar web proxy server
                http://www.dansguardian.org


dansguardian.control file for ipkg
-------------------------------

Package: dansguardian
Priority: optional
Section: misc
Description: Danguardian true web content filter



Makefile
-------------

include $(TOPDIR)/rules.mk
MAKE=/usr/bin/make
TAR_OPTIONS=-xf
PKG_NAME:=dansguardian
PKG_VERSION:=2.8.0.6
PKG_RELEASE:=1
PKG_MD5SUM:=aa619607198f37a528dbb65e4a503beb
PKG_SOURCE_URL:=http://usmirror.dansguardian.org/downloads/2/Stable
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).source.tar.gz
PKG_CAT:=zcat
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
include $(TOPDIR)/package/rules.mk
$(eval $(call PKG_template,DANSGUARDIAN,$(PKG_NAME),$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(PKG_BUILD_DIR)/.configured: $(PKG_BUILD_DIR)/.prepared
        (cd $(PKG_BUILD_DIR); \
                $(TARGET_CONFIGURE_OPTS) \
                CFLAGS="$(TARGET_CFLAGS)" \
                CPPFLAGS="-I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include" \
                LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib" \
                ./configure \
                        --installprefix=$(PKG_INSTALL_DIR) \
                        --sysvdir=/etc/init.d/ \
                        --cgidir=/www/cgi-bin/ \
                        --runas_usr=$(id -u) \
                        --runas_grp=$(id -g) \
        );
        ## Add software specific configurable options above
        ## See : ./configure --help
        touch $@
$(PKG_BUILD_DIR)/.built:
        rm -rf $(PKG_INSTALL_DIR)
        mkdir -p $(PKG_INSTALL_DIR)
        $(MAKE) -C $(PKG_BUILD_DIR) \
        $(TARGET_CONFIGURE_OPTS) \
        prefix="$(PKG_INSTALL_DIR)"
        make -C $(PKG_BUILD_DIR) install
        touch $@
$(IPKG_DANSGUARDIAN):
        install -d -m0755 $(IDIR_DANSGUARDIAN)
        $(CP) $(PKG_INSTALL_DIR) $(IDIR_DANSGUARDIAN)
        $(RSTRIP) $(IDIR_DANSGUARDIAN)
        $(IPKG_BUILD) $(IDIR_DANSGUARDIAN) $(PACKAGE_DIR)
mostlyclean:
        make -C $(PKG_BUILD_DIR) clean
        rm $(PKG_BUILD_DIR)/.built

Post #7
Aperion
24 Jan 2007, 07:57

I just wanted to pop my head in and say that this is something I'm interested in as well. In fact this is the entire reason why I got a linksys WRT54GL, and looked into openWRT. Glad to know there are others out there that are looking into the same issue, hopefully I'll be able to contribute in the future. Anyways, just a heads up for now that someone else is interested in dansguardian+openwrt

Post #8
m4rc0
24 Jan 2007, 09:27

Yes I'm also interested. Is it possible the package gets posted somewhere?

THANKS

nwcon wrote:

This is good.  I've just started working on building a dansguardian package using the OpenWRT SDK.

Would you mind sharing your notes on the build process?  I'm most interested in the Makefile you used to build dansguardian under the OpenWRT SDK.

Thanks.

Post #10
m4rc0
24 Jan 2007, 21:16
lschweiss wrote:
m4rc0 wrote:

Yes I'm also interested. Is it possible the package gets posted somewhere?

I posted links to them on another thread:

http://forum.openwrt.org/viewtopic.php?id=9092

Great !! Thanks

Post #11
nwcon
25 Jan 2007, 02:47

I have a package as well, but you can easily build it yourself.  Following the HowTo for the OpenWRT SDK (http://wiki.openwrt.org/BuildingPackagesHowTo), just use my previously posted Makefile and build your own.  Specifically, do the following:

1. Download the latest SDK http://downloads.openwrt.org/whiterussi … -1.tar.bz2  (Obviously, I'm on an i686 platform, so download the appropriate SDK for yours).
2. Unpack which creates the directory OpenWrt-SDK-Linux-i686-1.  cd to this directory.
3. Create the required directories and files:
   ./package/dansguardian/ipkg/
   ./package/dansguardian/patches/
   ./package/dansguardian/Config.in
   ./package/dansguardian/Makefile
   ./package/dansguardian/ipkg/dansguardian.control

4. My ./package/dansguardian/Config.in contains:

    config BR2_PACKAGE_DANSGUARDIAN
    prompt "Dansguarian true web content filter"
    tristate
    default m if CONFIG_DEVEL
    help
            Dansguardian web content filter.  You'll need squid or similar web proxy server
            http://www.dansguardian.org

5. My ./packages/dansguardian/Makefiles was posted previously

6. My ./packages/dansguardian/ipkg/dansguardian.control consists of:

    Package: dansguardian
    Priority: optional
    Section: misc
    Description: Danguardian true web content filter

7. Build dansguardian pkg with 'make all'


After build is complete, you _should_ end up with the dansguardian package in ./bin/packages/

Again, I haven't tested dansguardian at all yet with this build procedure, so it may not work.  So far, all I know is the package builds successfully.

Hope this helps.

Post #12
Aperion
11 Mar 2007, 08:39

Hey I've followed this howto (int he first post) as best I can, but I get the following error when I try to start dansguardian:

Error opening filter list:/etc/dansguardian/dansguardianf1.conf
Error reading filter group conf file(s).
Error parsing the dansguardian.conf file or other DansGuardian configuration files

Any suggestions? Also, I could use a little bit of clariffication on how I'm supposed to modify the /etc/init.d/S52dansguardian file other than changing $NAME value.

Thanks.

Post #13
nwcon
18 May 2007, 14:59

I've been asked a couple of times how I got dansguardian running.  The short answer...I haven't.

I've been able to successfully build dansguardian using the OpenWRT SDK, but recent attempts to install and run it failed miserably.

First, on a fresh openwrt install, my package  uses /ipkg-install as root  i.e. all dansguardian is installed to /ipkg-install.  However, this should be a simple fix in the Makefile.

Second, when trying to run the dansguardian binary, /usr/sbin/dansguardian, I get the following errors:

./dansguardian: ./dansguardian: 1: ?ELF??44: not found
./dansguardian: ./dansguardian: 2: ?: not found
./dansguardian: ./dansguardian: 3: Syntax error: word unexpected (expecting ")")


Appears maybe three issues here, but I'm totally guessing right now.  Possibley 1). a locale issue 2). a elf issue and 3). a busybox shell compatibility issue.

I don't have a lot of time to spend on this right now, so if anyone has any ideas to get me back on track, I'd really appreciate it.

The discussion might have continued from here.