Proxy Software for Content Monitoring and Blocking

My organization runs about ten PCs, all of which connect to the internet through a router. I am currently looking into the best way to get logs of internet traffic (sort of a disciplining measure for employees who prefer online games or adult web galleries to doing desk research :)) Also, I would like to block certain protocols for the entire LAN (no ICQ, but Skype and Jabber should remain), and of course, I wish to block access to any sites that an employee should not be looking at during their work day.

What is the best way to go about this?

Basically, I imagine this happening through routing all internet traffic through a single machine, a sort of proxy. But I do not want users to be able to connect directly to the internet by changing their browser’s settings.

Also, are there any tools to analyze the logs of such proxies, so I can sort of interactively enable or disable access to certain websites?

Thanks for any help!

Have a look at the following software: squid, squidguard, dansguardian, sarg, and awstats.

Yes, you’ll want your computers to go through a proxy, which means interposing a proxy in the path. You might like to look at dedicated distros to do the job, like clarkconnect, endian firewall and others. Boot with the install CD and it takes over the box. These distros also come with nice web interfaces so that you can monitor the proxy and view stats. Much easier than trying to set it up on a general purpose distro like OpenSUSE.

You can search for a list of firewall/proxy distros at distrowatch.com.

Thanks for such a comprehensive list. I am going to take a deeper look into squid and sarg; they seem to do just what I need. As to firewall distributions, for now that won’t be an option, at least not before we are able to get our hands on a cheap old PC to serve that purpose.

Now an important remaining thing is: will I be able to prevent users from bypassing the proxy settings, i.e. no direct connections to the Internet should be possible? Perhaps I need to delve into the router settings?

Bear in mind that (much to my own dismay, but still out of my control) all user PCs are running the “other” OS, and even though that may change eventually, for now we are confined behind Windows… :)

To prevent the PCs from bypassing the proxy, you have to interpose a proxy in the network path and configure the iptables rules to block IP forwarding. So you may need the additional PC after all, or dedicate your current PC to that role.

Sounds like a challenge! But I like it!

I do plan to rely on an extra PC. Even more so now that I looked at some of the Distrowatch listings, as you suggested, and found Clark Connect, among others. That seems to be the perfect solution for all our needs at the moment, as currently we are running an in-house ftp server, mysql server, possibly even an smtp server on a Windows workstation… I know, bad choice, but hopefully all sceptics will convert soon enough so I can start doing things right.

Thank you very much for all your suggestions! They have been very informative and to the point!

Another thought: You might be able to block outgoing connections for all but your proxy (and mail/ftp, etc server) at the router. I assume you have one of those embedded ones that boot off flash memory.

If the router doesn’t offer this feature, another way to do it is to get hold of a very old PC, even something like a Pentium 200MHz with 32MB memory will be adequate, and install IPCop (a 50MB firewall distro that installs in 5 minutes) to make this a firewall behind the router. You can then add an iptables rule on this box to block outgoing connections for all machines except for the proxy. So the PCs will have to go “sideways” to the proxy to get out to the net, and you can block and log all you want.

Our router is a D-Link DI-524; I will see if it supports what you suggest, I think it’s very likely. It acts as a DHCP server at the moment.

If that path fails, I’d probably investigate using only a single computer for all traffic management and server tasks. I hope I could set a rule to accept traffic only from localhost… That still covers your suggestion, right?

Thanks again!

Well, you simply turn off the preinstalled rule that does outbound masquerade (NAT) so that your other inside computers can’t reach the net themselves and have to use proxies to obtain services from the net. If any proxy service is not on the firewall itself, then you have to make that an exception and allow that to NAT.
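The ruleset the thread converges on (only the proxy box may be masqueraded out; any other LAN host's direct outbound traffic is logged and dropped, so PCs must go "sideways" through squid), as an added example that is not from any poster in this thread. Interface names, the LAN subnet, the proxy address and the Jabber exception are assumptions; adjust them for your network.

```shell
#!/bin/sh
# Added example: iptables rules for a Linux firewall behind the router that
# let only the squid host reach the Internet directly. All values below are
# assumed, not taken from the thread.
LAN_IF="${LAN_IF:-eth1}"             # interface facing the office PCs
WAN_IF="${WAN_IF:-eth0}"             # interface facing the D-Link router
LAN_NET="${LAN_NET:-192.168.0.0/24}" # office subnet (assumed)
PROXY_IP="${PROXY_IP:-192.168.0.2}"  # the squid box (assumed)
JABBER_PORT="${JABBER_PORT:-5222}"   # a service kept outside the proxy (assumed)

# Emit the rules as text first, so they can be reviewed before being applied.
proxy_only_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $JABBER_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j LOG --log-prefix "proxy-bypass: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $PROXY_IP -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p tcp --dport $JABBER_PORT -j MASQUERADE
EOF
}

# How many MASQUERADE rules cover a given source host for plain web traffic?
# 0 means that host cannot reach the net directly and must use the proxy.
nat_rules_for() {
    proxy_only_rules | grep -v -- "--dport" | grep -c -- "-t nat -A POSTROUTING .*-s $1 " || true
}

# Review with: sh proxy-only.sh
# Apply as root with: sh proxy-only.sh | sh -x
# Bypass attempts then show up in the kernel log with the "proxy-bypass:" prefix.
proxy_only_rules
```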