Is it possible to enforce google safesearch with this firmware?
It can be done with squid by rewriting google urls, but is it possible on the router without needing a separate machine?
Could a rule or something be set up so that only google requests were sent via the proxy?
Also I think I read somewhere that the router can be programmed to wake up a web server on receipt of traffic, could this be used/adapted internally to wake the proxy server on receipt of traffic?
I thought I would post to say I have finally managed to get something working. I had been using pfsense on a separate machine but it seems overkill for my small network and now I can switch it off.
I installed entware as per the wiki and then installed packages privoxy and dansguardian. The configs I have cut down to the bare minimum as all I want these packages to do is filter searches for now. So I have enabled the safesearch regex in the urlregexplist in dansguardian and commented out much of the other settings so as general performance is not affected.
In order to be able to filter google searches you need to force nossl search which I have done as below using dnsmasq:
admin@RT-N66U:/jffs/configs# nano dnsmasq.conf.add
I have done this and added content:
address=/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20
address =/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20
etc
Now to only send search traffic through the proxy/filter again for performance reasons I set up the below iptables script, I am also forcing bing safesearch through the filter. This script also forces the use of dyndns internet guide dns servers which I use for general webpage filtering and can be used to block other search engines. I prefer it to opendns as I do not like the opendns block page at all. The dns bit I got from the wiki, thanks.
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 216.239.32.20 --dport 80 -j DNAT --to 192.168.0.1:8080
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 204.79.197.200 --dport 80 -j DNAT --to 192.168.0.1:8080
iptables -t nat -I POSTROUTING -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br0 -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp --dport 8080 -j ACCEPT
This seems to be working well for now, I’ll probably play around with it a bit more, possibly get dansguardian to do some more filtering on the kids devices.
Okay!
What I am doing here with google safesearch is supplemental to the filtering with opendns which I also use. Dns filtering is all well and good but can it filter google searches and images? Guess what, no it cannot. What effect do you think opendns has when your 8 year old kid searches for "nacid wuman" using google on their ipad, android, laptop. It's not pleasant.
So I am using opendns to block general images searches for all other search engines except google as this does not work for google, take a look at the opendns message boards, but forcing use of google safesearch allows me to filter them.
The main problem with filtering google searches is that they are all ssl encrypted so no proxy can filter them without MITM attack which is overkill for 8 and 9 year olds. To get around this I use Google's no ssl ip and force this using dnsmasq and by forcing clients to use the router for their dns.
The relevant entries from my /jffs/configs/dnsmasq.conf.add:
http://pastebin.com/quzDnk2y
Google searches are now not encrypted, well except for a select one or two domains I left out of dnsmasq config.
I stopped using dansguardian as it would gradually crash the router so now I only use privoxy installed on the router as this can also do the url modification without any performance hit that I can notice. I just used the default config files with some extra lines in "default.action" in the end.
Code:
{+redirect{s@$@&safe=strict@}}
# Redirected URL = http://www.google.com/bla&q=fasel
# Redirect Destination = http://www.google.com/bla&q=fasel&safe=strict
# Redirected URL = http://www.google.com/bla?q=fasel
# Redirect Destination = http://www.google.com/bla?q=fasel&safe=strict
.google./.*[&?]q=
{-redirect}
# Sticky Actions = -redirect
# URL = http://www.google.com/bla&q=fasel&safe=strict
# URL = http://www.google.com/bla?q=fasel&safe=strict
.google./.*&safe=strict
Privoxy "config" file:
Code:
confdir /opt/etc/privoxy
logdir /opt/var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
#actionsfile user.action # User customizations
listen-address 192.168.0.1:8118
toggle 1
enable-remote-toggle 1
enable-remote-http-toggle 0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 1
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
permit-access 192.168.0.0/24
debug 1 # show each GET/POST/CONNECT request
debug 4096 # Startup banner and warnings
debug 8192 # Errors - *we highly recommended enabling this*
debug 8
debug 64
#admin-address [email protected]
#proxy-info-url http://www.example.com/proxy-service.html
To make google searches go via privoxy create the file /jffs/scripts/nat-start, amend as necessary for your router ip.
Code:
#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 216.239.32.20 --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -I POSTROUTING -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br0 -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp --dport 8118 -j ACCEPT
Optionally, to force clients to use the router's dns, add this to the beginning:
Code:
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
(I think this can now be done via the gui under parental control. I have not used this feature yet though; also I think some of the options there mean clients bypass the dnsmasq on the router.)
Be sure to make any script files you make executable by running chmod +x on them.
Cheers.
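The two default.action sections from the post above, emulated with grep and sed so the redirect-once behaviour can be checked offline. This is an added example, not part of the original post; the function names and sample URLs are constructed, and the grep patterns only approximate Privoxy's own matching.

```shell
#!/bin/sh
# Added example: approximates Privoxy's matching with grep/sed (assumption).

# True when the host has "google" as a domain label followed by a dot (the
# ".google." pattern) and the path matches the left-anchored regex in $2.
url_matches() {
    rest=${1#http://}
    host=${rest%%/*}
    case $rest in */*) upath=/${rest#*/} ;; *) upath=/ ;; esac
    printf '%s\n' "$host" | grep -Eq '(^|\.)google\.' || return 1
    printf '%s\n' "$upath" | grep -Eq "^$2"
}

# Prints the redirect destination, or nothing when the URL passes unchanged.
redirect_target() {
    url_matches "$1" '/.*[&?]q=' || return 0        # {+redirect{...}} section
    url_matches "$1" '/.*&safe=strict' && return 0  # later {-redirect} wins
    # sed needs \& for a literal ampersand; Privoxy's own pattern does not.
    printf '%s\n' "$1" | sed 's@$@\&safe=strict@'
}

# Prints "<redirect count> <final URL>"; the cap of 5 would expose a loop.
follow() {
    url=$1 n=0
    while [ "$n" -lt 5 ]; do
        next=$(redirect_target "$url")
        [ -n "$next" ] || break
        url=$next n=$((n + 1))
    done
    printf '%s %s\n' "$n" "$url"
}

# Constructed sample URLs.
for u in \
    'http://www.google.com/search?q=fasel' \
    'http://www.google.co.uk/search?hl=en&q=fasel' \
    'http://www.google.com/search?q=fasel&safe=strict' \
    'http://www.google.com/search?safe=strict&q=fasel' \
    'http://www.google.com/search?q=fasel&safe=off' \
    'http://www.bing.com/search?q=fasel'
do
    follow "$u"
done
```

Every matching URL settles after a single redirect because the second section only looks for `&safe=strict`; a URL that already carries `safe=off` ends up with both parameters, and the emulation cannot show which one the search site honours.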
I am trying to configure this forced safe search but not getting any joy and would appreciate any suggestions / assistance. I have configured dnsmasq.conf.add file as per Wiki and rebooted the router (no errors in log). In testing, it appears to work on the router, with an nslookup run there on www.google.com returning the forcesafesearch.google.com IP address.
However this is not the case for devices on my network, they still resolve to original Google domain addresses. I use OpenDNS, and have this configured on the router under parental controls. (Latest Merlin FW 378.5). This is working fine still.
Appreciate any suggestions, recommended troubleshooting steps.
Many Thanks...Rob
Many thanks for your response Merlin. I suspected this was the issue and that it was OpenDNS resolving the address. So the question is; is there a way to get this to work in tandem with Open DNS? Router resolves DNSmasq.conf entries, but passes all others to OpenDNS?
This is of course to try and offer greater protection to my family, given the google images search issues as described by bilboSNB. I had hoped this method would work as he endorsed the dnsmasq approach as a simpler alternative to his privoxy solution, and he was also using OpenDNS. So is it a matter of further config to get dnsmasq working in tandem with OpenDNS, or resorting to the privoxy solution as outlined by bilboSNB?
Many Thanks for any help in trying to protect my family from the nasty things on the WWW.
....Rob
Set the opendns servers on your router under wan, then under parental control/dns filter set clients to use the routers dns.
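A check for the symptom described in this exchange (the router resolves to the forced address but LAN clients do not), as an added example that is not from any poster: it reads the `address=` overrides and flags client answers that bypass them. The function names, the sample config and the 203.0.113.x answers are constructed.

```shell
#!/bin/sh
# Added example; CONF and the client answers are constructed samples.

# Prints the IP that the address= lines in config text $1 force for host $2,
# or nothing when none applies. address=/d/ip covers d and every subdomain;
# spaces around "=" (as written in the post) are tolerated.
forced_ip() {
    printf '%s\n' "$1" | awk -v h="$2" '
        { sub(/[ \t]*#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^address[ \t]*=[ \t]*\// {
            n = split($0, f, "/")
            for (i = 2; i < n; i++) {
                d = f[i]
                sub_ok = length(h) > length(d) &&
                         substr(h, length(h) - length(d)) == "." d
                if ((h == d || sub_ok) && length(d) > best) {
                    best = length(d); ip = f[n]
                }
            }
        }
        END { if (ip != "") print ip }'
}

# Reads "host answer" pairs (what a LAN client resolved) on stdin and prints
# a verdict per line: ok, BYPASS (an override exists but the client got a
# different answer, so it did not ask the router's dnsmasq), or unmanaged.
audit() {
    while read -r host answer; do
        want=$(forced_ip "$1" "$host")
        if [ -z "$want" ]; then echo "unmanaged $host"
        elif [ "$want" = "$answer" ]; then echo "ok $host"
        else echo "BYPASS $host got $answer want $want"
        fi
    done
}

CONF='address=/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20'

audit "$CONF" <<'EOF'
www.google.com 216.239.32.20
www.google.co.uk 203.0.113.10
example.org 203.0.113.20
EOF
```

Feed `audit` the answers a client device actually received; a BYPASS line means that client's queries are reaching another resolver instead of the router.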