* iptables mangling rule
From: David Eduardo Gomez Noguera @ 2003-05-31 21:53 UTC
To: linux-admin

Hello.
In a school, they want to set up a firewall that should filter pornsites and the like.
Anyone can give me a hand there?

The solution I thought about was setting up a proxy, and using the proxy to filter some sites.
However, I couldn't think how to use iptables to force every connection with destination port 80 to go to the proxy.

What rule could do the trick? I think it has to do with changing some headers so that the proxy gets it.

Or is there a better solution to filtering sites?

Thank you
* Re: iptables mangling rule
From: Joakim Ryden @ 2003-05-31 22:11 UTC
To: davidgn; +Cc: linux-admin

Use Squid with the transparent proxy feature and then something like Bannerfilter (http://www.phroggy.com/bannerfilter/) to do the filtering. The Squid transparent proxy (using iptables, ipchains or whatever your system supports) is documented in the Squid documentation.

I run this configuration myself so let me know if you need any specific help setting it up.

--Jo

On Saturday 31 May 2003 14:53, David Eduardo Gomez Noguera wrote:
> Hello.
> In a school, they want to set up a firewall that should filter pornsites
> and the like.
> Anyone can give me a hand there?
>
> The solution I thought about was setting up a proxy, and using the proxy
> to filter some sites.
> However, I couldn't think how to use iptables to force every connection
> with destination port 80 to go to the proxy.
>
> What rule could do the trick? I think it has to do with changing some
> headers so that the proxy gets it.
>
> Or is there a better solution to filtering sites?
>
> Thank you
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: iptables mangling rule
From: Glynn Clements @ 2003-06-01 4:05 UTC
To: davidgn; +Cc: linux-admin

David Eduardo Gomez Noguera wrote:

> In a school, they want to set up a firewall that should filter pornsites
> and the like.
> Anyone can give me a hand there?
>
> The solution I thought about was setting up a proxy, and using the proxy
> to filter some sites.
> However, I couldn't think how to use iptables to force every connection
> with destination port 80 to go to the proxy.

You can run an HTTP server on any port, not just port 80. Servers whose content is particularly likely to be blocked often run on ports other than 80.

If you want filtering to be effective, you have to block all direct connections, so that everything has to go through an application-layer proxy.

Even then, content-based filtering is notoriously unreliable. Not only will a substantial proportion of "undesirable" sites still be accessible, you will also end up blocking a significant number of legitimate sites.

--
Glynn Clements <glynn.clements@virgin.net>
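A ruleset that does what Joakim and Glynn describe, added here as an example and not code from either of them or from the Squid project: it redirects LAN port-80 connections into Squid's transparent port (the NAT-table "mangling" the original question asks about) and then rejects all other direct outbound TCP from the LAN, so a web server listening on a non-80 port cannot bypass the proxy. The interface names, the port 3128, the firewall being the host that runs Squid, and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, constructed for this
# example: the firewall box itself runs Squid with its transparent/intercept
# port on 3128, the LAN is on eth1, the Internet on eth0, and IP forwarding
# is already enabled (echo 1 > /proc/sys/net/ipv4/ip_forward).
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
# DRY_RUN=1 (the default) prints the rules instead of loading them, so the
# script can be reviewed on a box without root or netfilter. Run with
# DRY_RUN=0 as root to actually apply them.
DRY_RUN="${DRY_RUN:-1}"

# Run one iptables command, or echo it when dry-running.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # 1. Every TCP connection from the LAN to port 80 is redirected to the
    #    local Squid port. REDIRECT rewrites the destination to the firewall's
    #    own address, so the proxy receives the connection, not the remote site.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # 2. Replies to connections the LAN already opened may be forwarded.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Glynn's point: an HTTP server on 8080 (or any other port) would never
    #    hit rule 1, so refuse every other direct TCP connection from the LAN
    #    to the outside. Squid's own outbound traffic originates on this host
    #    and goes through OUTPUT, not FORWARD, so it is unaffected.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -j REJECT --reject-with tcp-reset
}

apply_rules
```

Squid still has to be told to accept intercepted connections on that port (the option name depends on the Squid version; see its documentation, as Joakim says), and non-TCP traffic such as DNS is left alone by these rules.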
* Re: iptables mangling rule
From: Michael French @ 2003-06-01 10:03 UTC
To: linux-admin

Glynn's right, it's almost impossible to filter out all of the "undesirable" content. Another issue to consider is the legal issue. By attempting to filter content, the school is accepting the responsibility of censoring and in doing so, can be held liable for what content does get through. Also, organizations such as the ACLU have fought several of these cases in court against libraries for doing the same thing, stating that the libraries are going against the first amendment with such censorship. You might be setting up the school for legal action from the other side too.

The best thing for a school to do is to have a strict usage policy that is clearly posted and to have the computers in a publicly viewable location.

I am not a lawyer, but just wanted to insert my $0.02. Googling the subject might help, here is one link:
http://lrs.ed.uiuc.edu/wp/censorship/filtering/individual.htm

Michael French

----- Original Message -----
From: "Glynn Clements" <glynn.clements@virgin.net>
To: <davidgn@servidor.unam.mx>
Cc: <linux-admin@vger.kernel.org>
Sent: Saturday, May 31, 2003 9:05 PM
Subject: Re: iptables mangling rule

>
> David Eduardo Gomez Noguera wrote:
>
> > In a school, they want to set up a firewall that should filter pornsites
> > and the like.
> > Anyone can give me a hand there?
> >
> > The solution I thought about was setting up a proxy, and using the proxy
> > to filter some sites.
> > However, I couldn't think how to use iptables to force every connection
> > with destination port 80 to go to the proxy.
>
> You can run an HTTP server on any port, not just port 80. Servers
> whose content is particularly likely to be blocked often run on ports
> other than 80.
>
> If you want filtering to be effective, you have to block all direct
> connections, so that everything has to go through an application-layer
> proxy.
>
> Even then, content-based filtering is notoriously unreliable. Not only
> will a substantial proportion of "undesirable" sites still be
> accessible, you will also end up blocking a significant number of
> legitimate sites.
>
> --
> Glynn Clements <glynn.clements@virgin.net>