Internet Filtering for our church

I need help getting an internet filtering machine built for my church

Here is what their current setup is like:

They have 5 machines running Windows XP Pro
Small local area workgroup network
High Speed Wireless internet

Linksys Wireless access point
This unit gives out IP addresses etc. and acts as a firewall
Currently the Linksys box hands out IP addresses and everything works fine

I would like to use Ubuntu on an older Compaq machine that they have already
I want to use Dan’s Guardian as well

Will I have to point all the Windows boxes to the Ubuntu box to do the filtering, or how will that work?

Thanks for your help
Please feel free to contact me at: linux@piperfamily.org
Thank you in advance for any help!

Comments

Re: Internet Filtering for our church

iptables is a firewall, you could just use iptables to block all incoming traffic not initiated from within your LAN. Simple iptables script follows:

#!/bin/bash
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
# Targets are iptables ones (DROP); iptables has no ipchains-style deny/DENY.

# USER CONFIGURABLE SECTION

# Our internal network address space and its supporting network device
OURNET="192.168.0.0/24"
OURBCAST="192.168.0.255"
OURDEV="eth1"

# The outside address and the network device that supports it
ANYADDR="0/0"
ANYDEV="eth0"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall
# LOGGING=1

# END USER CONFIGURABLE SECTION

# Flush the FORWARD chain rules
/sbin/iptables -F FORWARD

# We want to deny forwarded traffic by default
/sbin/iptables -P FORWARD DROP

# Drop all datagrams destined for this host received from outside
/sbin/iptables -A INPUT -i $ANYDEV -j DROP

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we drop them
/sbin/iptables -A FORWARD -s $OURNET -i $ANYDEV -j DROP

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attacks
/sbin/iptables -A FORWARD -p icmp -i $ANYDEV -d $OURBCAST -j DROP

# We should accept fragments, in iptables we must do this explicitly.
/sbin/iptables -A FORWARD -f -j ACCEPT

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
# Log barred TCP
/sbin/iptables -A FORWARD -p tcp -j LOG
# Log barred UDP
/sbin/iptables -A FORWARD -p udp -j LOG
# Log barred ICMP
/sbin/iptables -A FORWARD -p icmp -j LOG
fi

# END

Re: Internet Filtering for our church

Curious:
Can you just run a firewall and not mess with iptables etc.?

Re: Internet Filtering for our church

Packages for Dan's Guardian are also available in the Ubuntu Universe.

Re: Internet Filtering for our church

The Ubuntu box will have to have 2 network cards, set up like this...

Connect uplink to Internet -----> eth0 (1st ubuntu network card)
(eth0 should use DHCP to get a real IP address from your DSL or cable.)
Connect Linksys wireless router -----> eth1 (2nd ubuntu network card)
(eth1 will be static 192.168.0.1 and run dhcpd to give out a single address to the Linksys router which could be 192.168.0.2)
Set up the Linksys to be 192.168.1.1 on the subnet side, so it will serve DHCP addresses to the 192.168.1.xxx network.

All the Windows XP boxes will get 192.168.1.xxx addresses from the Linksys router.

Then squid and dan's guardian can be set up to be a filter between the internet and eth0 on the Ubuntu box. You'll probably have to configure a firewall on Ubuntu as well, now that it sits as your first line of defense against the internet. The Linksys firewall is useless at this point. iptables is how to do this, and iptables may have to have some configuration to pass "allowed" traffic from eth0 to eth1 and vice versa.

P.S. You don't need SuSE per se...you can download the source code and build on any Linux platform, but they do have RPMs for all the RedHat and Fedora platforms as well.
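Putting the two-card layout in the reply above together with the iptables script posted earlier in the thread, here is an added example (not posted by anyone in this thread) of the rules the Ubuntu box would need to route between eth0 and eth1 and send the Windows machines' web traffic through the filter. It assumes eth0 faces the Internet, eth1 is 192.168.0.1 facing the Linksys, DansGuardian listens on its default filterport 8080 and hands requests to squid on 3128, and squid is configured as a transparent (intercepting) proxy so the redirected connections are accepted. Only plain HTTP on port 80 is filtered this way; everything else from the LAN is NATed out unfiltered, which is the normal limitation of a transparent DansGuardian setup.

```shell
#!/bin/sh
# Added example, not from this thread: firewall/NAT rules for the two-NIC
# Ubuntu filter box.  Assumptions: eth0 faces the Internet, eth1 is
# 192.168.0.1 facing the Linksys, DansGuardian listens on its default
# filterport 8080 and talks to squid on 3128 (squid set up as a
# transparent proxy).  Usage as root:        sh filter-fw.sh apply
# Review without root or iptables:           DRY_RUN=1 sh filter-fw.sh apply
WAN=eth0
LAN=eth1
LANNET=192.168.0.0/24
FILTERPORT=8080

# run: execute a command, or just print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

apply_rules() {
    # The box now routes between the two cards, so forwarding must be on
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    # Default deny for traffic to the box and through the box
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The Linksys gets its lease from dhcpd on eth1 (DHCP discover has a
    # 0.0.0.0 source, so no -s match here); redirected HTTP arrives on the
    # filter port; allow ping from the LAN for troubleshooting
    run iptables -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LANNET" -p tcp --dport "$FILTERPORT" -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LANNET" -p icmp --icmp-type echo-request -j ACCEPT

    # Anti-spoofing: nothing from the Internet may claim a LAN source address
    run iptables -A FORWARD -i "$WAN" -s "$LANNET" -j DROP

    # Transparent filtering: LAN web traffic on port 80 is redirected to
    # DansGuardian on this box instead of being routed straight out
    run iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$FILTERPORT"
    # Anything on port 80 that somehow bypassed the redirect is refused
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 80 -j REJECT

    # Remaining LAN traffic (HTTPS, mail, DNS, ...) goes out unfiltered;
    # only replies to it are allowed back in
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind the address eth0 got from the ISP
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Running it with DRY_RUN=1 first lets you read the exact iptables commands before they touch the box; the rules are not saved across reboots, so once they work, hook the script into the boot sequence or save them with iptables-save.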