Filtering home Internet access with Squid

Client Maintenance

The next step is to modify the ACL (Access Control List) settings in squid.conf. To assign different filter rules to different users – for example, stricter rules for children – you first need to tell Squid what criteria to apply to incoming requests.

Listing 2 adds client IP addresses for Mom (Marion), Dad (Archie), a son (Simon), and a daughter (Tanja). At the same time, the listing tells Squid to accept requests from the local network.

Listing 2

ACL Settings

# Individual client definitions
acl marion src 192.168.1.1/32
acl archie src 192.168.1.2/32
acl simon src 192.168.1.3/32
acl tanja src 192.168.1.4/32
# Allow Squid to accept requests from the local network
acl localhost src 192.168.1.0/24
acl to_localhost dst 192.168.1.0/24

Time-Based and Manual Blocks

In my experience, it is often hard to keep the kids off the computer, especially if they have Internet access. Squid lets you block online access at certain times of the day. Listing 3 gives an example that defines a time slot for older kids between 1:00pm and 9:00pm Monday through Friday, while restricting access for the younger kids to between 1:00pm and 7:00pm.

Listing 3

Time Slots

acl big_kids time MTWHF 13:00-21:00
acl small_kids time MTWHF 13:00-19:00
# "!" negates the ACL name and must be attached to it without a space
http_access deny simon !big_kids
http_access deny tanja !small_kids

Because Simon is older, he is allowed to surf later than his little sister, Tanja; this is set in the http_access lines, which are read as follows: "The client called Simon is not allowed to surf the Internet, except at the times defined in the ACL big_kids." Both kids are allowed unrestricted Internet access on weekends, and no restrictions apply to the parents.
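A Squid time ACL matches only on the days it lists, so on Saturday and Sunday big_kids does not match and !big_kids does. The following added example (not from the original article) models Squid's first-match http_access evaluation in Python to check Listing 3 against a variant that leaves weekends open; the weekdays ACL, the trailing catch-all allow rule, and the sample dates are assumptions.

```python
from datetime import datetime

DAY_CODES = "MTWHFAS"  # Squid day letters, indexed by datetime.weekday() (Mon=0)

def time_acl(days, span="00:00-23:59"):
    """Model of 'acl NAME time DAYS h1:m1-h2:m2': listed day AND inside the span."""
    start, stop = (int(p[:2]) * 60 + int(p[3:]) for p in span.split("-"))
    def match(client, when):
        minute = when.hour * 60 + when.minute
        return DAY_CODES[when.weekday()] in days and start <= minute <= stop
    return match

def src_acl(ip):
    """Model of 'acl NAME src ip/32'."""
    return lambda client, when: client == ip

ACLS = {
    "simon": src_acl("192.168.1.3"),
    "tanja": src_acl("192.168.1.4"),
    "big_kids": time_acl("MTWHF", "13:00-21:00"),
    "small_kids": time_acl("MTWHF", "13:00-19:00"),
    # Assumption, not in Listing 3: acl weekdays time MTWHF 00:00-23:59
    "weekdays": time_acl("MTWHF"),
    "all": lambda client, when: True,
}

# Listing 3 as printed, followed by an assumed catch-all 'http_access allow all'.
LISTING_3 = [("deny", "simon", "!big_kids"),
             ("deny", "tanja", "!small_kids"),
             ("allow", "all")]

# Variant: the deny only applies on weekdays, so weekends stay open.
WEEKENDS_OPEN = [("deny", "simon", "weekdays", "!big_kids"),
                 ("deny", "tanja", "weekdays", "!small_kids"),
                 ("allow", "all")]

def decide(rules, client, when):
    """First http_access line whose ACLs all match wins; '!' negates an ACL."""
    when = datetime.fromisoformat(when)
    for action, *names in rules:
        if all(ACLS[n.lstrip("!")](client, when) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both rule sets end with a catch-all

if __name__ == "__main__":
    for label, when in [("Wed 20:00", "2024-01-03 20:00"), ("Sat 15:00", "2024-01-06 15:00")]:
        for name, rules in [("Listing 3", LISTING_3), ("weekends open", WEEKENDS_OPEN)]:
            print(label, name, "simon ->", decide(rules, "192.168.1.3", when))
```

In squid.conf the variant corresponds to adding the weekdays ACL and writing `http_access deny simon weekdays !big_kids` (and the same for tanja).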

Sometimes it makes sense to completely block Internet access for a client. Just add the contents of Listing 4 to the configuration file. The /usr/share/squid/blocked_clients file itself only contains the IP addresses and netmasks of the clients you want to block (Listing 5).

Listing 4

Blocking Access

acl blocked_clients src "/usr/share/squid/blocked_clients"
http_access deny blocked_clients

Listing 5

blocked_clients

192.168.1.3/32
192.168.1.4/32

A simple shell command is all it takes to add clients to the list. The command

echo 192.168.1.3/32 >> /usr/share/squid/blocked_clients && /etc/init.d/squid reload

puts Simon on the block list. Typing

sed -i '/^192\.168\.1\.3\/32$/d' /usr/share/squid/blocked_clients && /etc/init.d/squid reload

removes the entry.

Ads and Cookies

In addition to simple website blocking, Squid offers more advanced features: In combination with the free Privoxy [3] tool, it will filter banners and similar elements while you surf the web. To enable Privoxy, just add the lines from Listing 6.

Listing 6

Enable Privoxy

# Add Privoxy as a filter
cache_peer 127.0.0.1 parent 8118 7 no-query
never_direct allow all

# Do not route FTP requests via Privoxy
acl ftp proto FTP
always_direct allow ftp
