Enforcing Google SafeSearch with dd-wrt

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Goto page 1, 2  Next
View previous topic :: View next topic  
Author Message
momo1729
DD-WRT Novice


Joined: 15 Mar 2013
Posts: 8
PostPosted: Wed Jul 31, 2013 22:00    Post subject: Enforcing Google SafeSearch with dd-wrt Reply with quote
I am looking for a way to enforce Safesearch on Google. I would want it to be implemented directly into the dd-wrt router so that so that all the devices can be protected. I need to perform two tasks.
The first is to redirect all Google quries to the non-SSL version of Google. This is because no filtering can be achieved on SSL connexions. Google says this can be done this way :
Quote:
To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.

We will not serve SSL search results for requests that we receive on this VIP. If we receive a search request over port 443, the certificate handshake will complete successfully, but we will then redirect the user to a non-SSL search experience.


Can this operation be achieved through dd-wrt ?

The second task is to enforce strict safesearch.
Quote:
To enable SafeSearch throughout a school network, you can use a proxy server to append &safe=active directly to all search URLs. This will enable strict SafeSearch.

Google sends search queries along URL paths like google.com/search?..., google.com/images?..., google.com/s?... Schools that activate SafeSearch with a proxy should keep their filters updated to include /search, /s, and /images URLs.


Again, can this be done in dd-wrt ? Assuming, of course, that the first task is completed.


Thank you for any suggestion that could help me solve this issue.
Back to top View user's profile Send private message
Sponsor
warmweatherjoe
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 11
PostPosted: Fri Oct 25, 2013 20:39    Post subject: I need the same solution. Can someone please help? Reply with quote
I need the same solution. Can someone please help?
Thanks.
Back to top View user's profile Send private message
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Fri Oct 25, 2013 21:30    Post subject: Reply with quote
Here is a suggestion ..

1. Use OpenDNS server for DNS
2. Setup the network with the right level of OpenDNS filtering
3. configure the router via firewall rules to prevent a smart kid from bypassing the router established DNS server. If they do try to bypass, their request will be denied/rejected.

This will NOT prevent an restricted (adult) item from showing up in the 'search results', but will definitely prevent access to the restricted site.

This is a temporary solution. I agree, it is not the most efficient since filtered content can and will show up on the search results, specifically 'Images'.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
warmweatherjoe
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 11
PostPosted: Fri Oct 25, 2013 23:41    Post subject: Reply with quote
Thanks for the quick reply. I already use Open DNS and it's great. But I want to do what I originally requested. Surely there is a way in DD-WRT to point all www.google.com requests to their no ssl URL as outlined in the link above? I just need someone to spell it out to me step by step as I don't understand the router command line syntax. But I can copy and paste Smile

Thanks.
Back to top View user's profile Send private message
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Sat Oct 26, 2013 0:22    Post subject: Reply with quote
Couple options come to mind. I am sure there is brighter grey matter that can comment and come up with a better suggestion.

1. Use DNSMasq - Wondering is you can use the --server option to redirect all things google.com to nsslsearch.google.com
2. Use a iptables (firewall) rule to have a URL redirection. It 'could' be as simple as redirecting everything destined for www.google.com to 216.239.32.20

These are just a couple shots in the dark. You could experiment or wait for an expert to stop by.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Sat Oct 26, 2013 0:36    Post subject: Reply with quote
Here's another thread .. that might be dealing with your situation.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62222&postdays=0&postorder=asc&highlight=url+forwarding&start=0
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
warmweatherjoe
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 11
PostPosted: Sat Oct 26, 2013 14:00    Post subject: Thank you Reply with quote
ndewan - thank you for your quick responses. Could you give me a bit more detail or point me to a tutorial on syntax for the suggestions you have made? When you say "Use DNSMasq - Wondering is you can use the --server option to redirect all things google.com to nsslsearch.google.com " What would I type in and where?
Back to top View user's profile Send private message
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Sat Oct 26, 2013 17:27    Post subject: Reply with quote
Take a look at the DNSMasq section on the 'Services' page. I am thinking, and don't know for sure if you could 'enable local DNS' and setup some 'additional DNSMasq Options' to do what you are trying to do.

Follow the following link to get more information on DNSMasq.

http://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

I might not be able to help you further, but would like to hear where you land up.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
warmweatherjoe
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 11
PostPosted: Sat Oct 26, 2013 18:19    Post subject: Reply with quote
Thanks. I found this page: http://mohan43u.wordpress.com/2012/08/06/dnsmasq-for-home-user/
and copied his cname syntax

So I have this in Additional DNSMasq Options:

no-resolv
strict-order
server=208.67.222.222
server=208.67.222.220
cname=google.com,nosslsearch.google.com
cname=google.ca,nosslsearch.google.com
cname=www.google.com,nosslsearch.google.com
cname=www.google.ca,nosslsearch.google.com

but I don't think it's working. I can still make https connections to google.

There must be a way to do this. What am I doing wrong?
Back to top View user's profile Send private message
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade
PostPosted: Sat Oct 26, 2013 20:16    Post subject: Reply with quote
try this>

Code:
iptables -I PREROUTING -d 193.105.163.208 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.212 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.216 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.218 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.219 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.223 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.227 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.229 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.230 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.234 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.238 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.240 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.241 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.245 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.249 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.251 -j DNAT --to-destination 216.239.32.20
Back to top View user's profile Send private message
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade
PostPosted: Sat Oct 26, 2013 21:05    Post subject: Reply with quote
in Additional DNSMasq Options:
Code:
address=/google.com/216.239.32.20
address=/google.ca/216.239.32.20


or save this as your firewall rule:

Code:
iptables -t nat -I OUTPUT -d www.google.com -p tcp --dport 443 -j DNAT --to-destination 216.239.32.20:80
Back to top View user's profile Send private message
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Sat Oct 26, 2013 23:05    Post subject: Reply with quote
@Mile-Lile

Can you use a DNS name in a firewall rule. I could be wrong, but I thought iptable rules worked with ipaddresses only.

Using the DNSMasq option, could the OP use DNS names for both sides ..

address=/google.com/nosslsearch.google.com

@OP's

Do post your results as you try these options.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1557
Location: Zwolle
PostPosted: Sun Oct 27, 2013 0:46    Post subject: Reply with quote
Preventing teenagers from accessing porn is a futile attempt.
_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


Back to top View user's profile Send private message Yahoo Messenger MSN Messenger
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553
PostPosted: Sun Oct 27, 2013 3:51    Post subject: Reply with quote
Smile

Those who are hell bent on getting to it will .. by hook or by crook Smile They would just use another search engine ... Smile

But there are times where objectionable content may be presented without explicitly being asked for. You can see it in certain environments (schools and workplaces), organizations have to make a good faith effort to restrict/prevent certain content. Not even making an effort will drag the organization through mud in this litigious environment.

the OP is already using OpenDNS installed, so is protected to a large extent. I think, the concern is limiting negative content in the search results, specifically if one were to use the 'Images' or 'video' option.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Back to top View user's profile Send private message
warmweatherjoe
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 11
PostPosted: Wed Oct 30, 2013 14:05    Post subject: Clarification Reply with quote
Mile-Lile wrote:
try this>

Code:
iptables -I PREROUTING -d 193.105.163.208 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.212 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.216 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.218 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.219 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.223 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.227 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.229 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.230 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.234 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.238 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.240 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.241 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.245 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.249 -j DNAT --to-destination 216.239.32.20
iptables -I PREROUTING -d 193.105.163.251 -j DNAT --to-destination 216.239.32.20


Mile-lile: where do I put this code? Sorry for being so new at this. And thank you for your help!
Back to top View user's profile Send private message
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum