Google safesearch

bilboSNB

Senior Member
Is it possible to enforce google safesearch with this firmware?

It can be done with squid by rewriting google urls, but is it possible on the router without needing a separate machine?
 
You would probably need a transparent proxy for this. Not sure the router's hardware would be up to handle such a task without having an impact on general performance, would be best to run the proxy on an actual computer.
 
Could a rule or something be setup so that only google requests were sent via the proxy?

Also I think I read somewhere that the router can be programmed to wake up a web server on receipt of traffic, could this be used/adapted internally to wake the proxy server on receipt of traffic?

I am using dyndns internet guide for content filtering, which is good, but the fact that google happily displays any image without locking every device down separately is a major bugbear for me.
 
Could a rule or something be setup so that only google requests were sent via the proxy?

Possibly - I never played with proxies such as squid, so I don't know how they are typically implemented at the network level.

Also I think I read somewhere that the router can be programmed to wake up a web server on receipt of traffic, could this be used/adapted internally to wake the proxy server on receipt of traffic?

Not really. When the router gets the connection request, it can't "hold it back" for many seconds to give the proxy time to wake up and be ready to process queries (which can easily take up to 10-15 secs).
 
I thought I would post to say I have finally managed to get something working. I had been using pfsense on a separate machine but it seems overkill for my small network and now I can switch it off.

I installed entware as per the wiki and then installed packages privoxy and dansguardian. The configs I have cut down to the bare minimum as all I want these packages to do is filter searches for now. So I have enabled the safesearch regex in the urlregexplist in dansguardian and commented out much of the other settings so that general performance is not affected.

In order to be able to filter google searches you need to force nossl search, which I have done as below using dnsmasq:


admin@RT-N66U:/jffs/configs# nano dnsmasq.conf.add

I have done this and added content:
address=/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20
address =/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20
etc

Now to only send search traffic through the proxy/filter again for performance reasons I set up the below iptables script, I am also forcing bing safesearch through the filter. This script also forces the use of dyndns internet guide dns servers which I use for general webpage filtering and can be used to block other search engines. I prefer it to opendns as I do not like the opendns block page at all. The dns bit I got from the wiki, thanks.

iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 216.239.32.20 --dport 80 -j DNAT --to 192.168.0.1:8080
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 204.79.197.200 --dport 80 -j DNAT --to 192.168.0.1:8080
iptables -t nat -I POSTROUTING -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br0 -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp --dport 8080 -j ACCEPT


This seems to be working well for now, I’ll probably play around with it a bit more, possibly get dansguardian to do some more filtering on the kids devices.
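
An added example (not from the original post) that models how the `address=` pins above behave: dnsmasq answers for the pinned domain and all of its subdomains, so the sketch parses a config and lists which hostnames would still go to upstream DNS. The sample config, the test hostnames and all function names are constructed for illustration.

```python
# Constructed sample modelled on the dnsmasq.conf.add entries in the post.
SAMPLE_CONF = """\
address=/google.com/216.239.32.20
address =/google.co.uk/216.239.32.20
address=/youtube.com/216.239.38.120
"""


def parse_pins(text):
    """Return ({domain: ip}, [domains pinned to conflicting IPs])."""
    pins, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        # This parser tolerates the space before '=' seen in the post.
        if not sep or key.strip() != "address":
            continue
        fields = value.strip().split("/")
        # "/a.com/b.com/1.2.3.4" splits to ["", "a.com", "b.com", "1.2.3.4"]
        if len(fields) < 3 or fields[0] != "":
            continue
        ip = fields[-1]
        for domain in fields[1:-1]:
            domain = domain.lower().strip(".")
            if not domain:
                continue
            if pins.get(domain, ip) != ip:
                conflicts.append(domain)
            pins[domain] = ip
    return pins, conflicts


def resolve(name, pins):
    """Pinned answer for a hostname, or None if it goes to upstream DNS.

    A pin covers the domain and every subdomain; the longest suffix wins.
    """
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in pins:
            return pins[suffix]
    return None


def unpinned(names, pins):
    """Hostnames from `names` that no address= line covers."""
    return [n for n in names if resolve(n, pins) is None]


if __name__ == "__main__":
    pins, conflicts = parse_pins(SAMPLE_CONF)
    for host in ("www.google.com", "images.google.co.uk", "www.google.de"):
        print(host, "->", resolve(host, pins) or "upstream DNS")
    print("conflicting pins:", conflicts)
```

Each country domain needs its own line: a pin for `google.com` says nothing about `google.de`.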
 
I would not bother with Google SafeSearch as it is not that reliable. I often find bad stuff on there searching for harmless searches. If anything you should block Google search from kids.
 
@bilboSNB
Please share your dnsmasq.conf.add, privoxy and dansguardian configs!

Thanks.
 
Can you not just set up dns through parental control for, say, norton connectsafe? It is free for home use and removes sexual stuff from what your kids are able to see. Just a thought. I don't have kids but that option just seems easy since google safe search doesn't do much. If the kids are looking for some unsafe stuff, getting around that would be easy for anyone above the age of 8, maybe 6 by now. And if they aren't that old then they won't even know the unsafe stuff they are seeing is unsafe lol. Just a thought.
 
Okay!
What I am doing here with google safesearch is supplemental to the filtering with opendns which I also use. Dns filtering is all well and good but can it filter google searches and images? Guess what, no it cannot. What effect do you think opendns has when your 8 year old kid searches for "nacid wuman" using google on their ipad, android, laptop? It's not pleasant.

So I am using opendns to block general images searches for all other search engines except google as this does not work for google, take a look at the opendns message boards, but forcing use of google safesearch allows me to filter them.

The main problem with filtering google searches is that they are all ssl encrypted so no proxy can filter them without a MITM attack, which is overkill for 8 and 9 year olds. To get around this I use google's no ssl ip and force this using dnsmasq and by forcing clients to use the router for their dns.
The relevant entries from my /jffs/configs/dnsmasq.conf.add:
http://pastebin.com/quzDnk2y

Google searches are now not encrypted, well except for a select one or two domains I left out of dnsmasq config ;)

I stopped using dansguardian as it would gradually crash the router so now I only use privoxy installed on the router as this can also do the url modification without any performance hit that I can notice. I just used the default config files with some extra lines in "default.action" in the end.

Code:
{+redirect{s@$@&safe=strict@}}
# Redirected URL = http://www.google.com/bla&q=fasel
# Redirect Destination = http://www.google.com/bla&q=fasel&safe=strict
# Redirected URL = http://www.google.com/bla?q=fasel
# Redirect Destination = http://www.google.com/bla?q=fasel&safe=strict
.google./.*[&?]q=

{-redirect}
# Sticky Actions = -redirect
# URL = http://www.google.com/bla&q=fasel&safe=strict
# URL = http://www.google.com/bla?q=fasel&safe=strict
.google./.*&safe=strict

Privoxy "config" file

Code:
confdir /opt/etc/privoxy
logdir /opt/var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
#actionsfile user.action      # User customizations
listen-address  192.168.0.1:8118
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries  0
accept-intercepted-requests 1
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
permit-access  192.168.0.0/24
debug   1    # show each GET/POST/CONNECT request
debug   4096 # Startup banner and warnings
debug   8192 # Errors - *we highly recommended enabling this*
debug   8
debug   64
#admin-address [email protected]
#proxy-info-url http://www.example.com/proxy-service.html

To make google searches go via privoxy, create the file /jffs/scripts/nat-start, amending as necessary for your router ip.
Code:
#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.1 -p tcp -d 216.239.32.20 --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -I POSTROUTING -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br0 -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp --dport 8118 -j ACCEPT

Optionally, to force clients to use the router's dns, add this to the beginning:
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr` 
(I think this can now be done via the gui under parental control. I have not used this feature yet, though; also, I think some of the options there mean clients bypass the dnsmasq on the router.)
Be sure to make any script files you make executable by running chmod +x on them.

Cheers.
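
An added example (not part of the original post, and not Privoxy's own code) that models the two `default.action` sections above to show why the `{-redirect}` section is needed and which URLs the rewrite touches. It is a simplified model under stated assumptions: the `.google.` domain pattern is treated as "google is one host label", path patterns are case-insensitive regexes anchored at the first `/`, and later matching sections override earlier ones; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# (action, host label, path regex) for the two default.action sections above.
# All matching sections apply in file order, so a later match wins.
SECTIONS = [
    ("+redirect", "google", r"/.*[&?]q="),
    ("-redirect", "google", r"/.*&safe=strict"),
]


def section_matches(url, label, path_regex):
    """Simplified URL pattern test: host label plus anchored path regex."""
    parts = urlsplit(url)
    host_labels = (parts.hostname or "").lower().split(".")
    # The path seen by the pattern includes the query string.
    target = parts.path + ("?" + parts.query if parts.query else "")
    return label in host_labels and re.match(path_regex, target, re.I) is not None


def decide(url, sections=SECTIONS):
    """Return the redirect target, or None if the request passes unchanged."""
    if urlsplit(url).scheme != "http":
        # Without MITM a proxy sees HTTPS only as a CONNECT tunnel: no URL.
        return None
    redirect = False
    for action, label, path_regex in sections:
        if section_matches(url, label, path_regex):
            redirect = action == "+redirect"
    # s@$@&safe=strict@ replaces the end of the URL with the literal suffix.
    return url + "&safe=strict" if redirect else None


def follow(url, sections=SECTIONS, limit=5):
    """Follow redirects like a browser; returns (final_url, hops)."""
    hops = 0
    while hops < limit:
        target = decide(url, sections)
        if target is None:
            break
        url, hops = target, hops + 1
    return url, hops


if __name__ == "__main__":
    samples = [  # constructed URLs
        "http://www.google.com/search?q=fasel",
        "http://www.google.com/search?q=fasel&safe=off",
        "http://www.google.com/search?safe=strict&q=fasel",
        "https://www.google.com/search?q=fasel",
    ]
    for url in samples:
        print(follow(url))
    # With only the +redirect section, every response is redirected again.
    print(follow(samples[0], sections=SECTIONS[:1]))
```

The rule appends rather than replaces, so a URL that already carries `safe=off` ends up with both parameters.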
 
Thank you!
 
Google Safe Search

I am trying to configure this forced safe search but not getting any joy and would appreciate any suggestions / assistance. I have configured dnsmasq.conf.add file as per Wiki and rebooted the router (no errors in log). In testing, it appears to work on the router, with an nslookup run there on www.google.com returning the forcesafesearch.google.com IP address.

However this is not the case for devices on my network, they still resolve to original Google domain addresses. I use OpenDNS, and have this configured on the router under parental controls. (Latest Merlin FW 378.5). This is working fine still.

Appreciate any suggestions, recommended troubleshooting steps.

Many Thanks...Rob
 
If you use OpenDNS then it means you are probably bypassing your router's DNS, in which case you won't be able to use this safesearch method. For this to work, your clients must use the router's IP as their DNS server.
 
Many thanks for your response Merlin. I suspected this was the issue and that it was OpenDNS resolving the address. So the question is; is there a way to get this to work in tandem with Open DNS? Router resolves DNSmasq.conf entries, but passes all others to OpenDNS?

This is of course to try and offer greater protection to my family, given the google images search issues as described by bilboSNB. I had hoped this method would work as he endorsed the dnsmasq approach as a simpler alternative to his privoxy solution, and he was also using OpenDNS. So is it a matter of further config to get dnsmasq working in tandem with OpenDNS, or resorting to the privoxy solution as outlined by bilboSNB?

Many Thanks for any help in trying to protect my family from the nasty things on the WWW.

....Rob
 
Set the opendns servers on your router under wan, then under parental control/dns filter set clients to use the router's dns.
 
I haven't tested it yet, but I suspect that you might be able to use DNSFilter in conjunction with the Safesearch mod, as DNSFilter does its job after the router did its own dnsmasq processing. Just make sure your clients do use the router's IP as their DNS server.
 
You can force safe mode for youtube as well using this method with the same ip.
address=/youtube.com/216.239.38.120
Might be worth putting in the wiki.
 
Set the opendns servers on your router under wan, then under parental control/dns filter set clients to use the routers dns.

Thanks, that did the trick. All clients on my network now forced to use safe search regardless of their local DNS settings.
 
