May I Ask If These Can Be Done?

[nujinini]

I would like to have a certain amount of control over the different computers in our house since we all access the internet by a router.

Things I particularly want to do are:

1) Check what websites were visited by each computer. Sort of a history list in the router.
2) Block some websites using the same router.
3) Not to allow some computers to access the internet at a particular time.
4) And to know if somebody accessed our network without permission.

If its possible, what are the things I should be doing to get started. Should I be downloading any software or anything? Or should I be setting up a server for this?

Thanks a lot!

[Segfault]

You need a better router. An old PC with two NICs will do. Although some of what you want may be difficult to achieve. I'd avoid double NAT, too. Something like this:

Modem in bridge mode > NAT router > Network Switch > Computers and Wireless Access Point

[nujinini]

You need a better router. An old PC with two NICs will do. Although some of what you want may be difficult to achieve. I'd avoid double NAT, too. Something like this:

Modem in bridge mode > NAT router > Network Switch > Computers and Wireless Access Point

Thank you very much Segfault. But honestly I didn't understand what you were suggesting since this kind of thing is very new to me. Most of my experiences in linux have been only focused on desktop user's concern.

Anyway, I hope you don't mind me asking. When you said I need a better router? Are you trying to say that I use an old PC as a router? And also, what are NICs? And NAT

[Segfault]

YEs, old PCs make great routers and home servers. All you need is just the box, you can keep it in some locker because it does not need monitor nor keyboard.

NIC - network interface card
NAT - network address translation

Although, you can set up this box as proxy and do not offer NAT at all. Which means they cannot access internet directly. They have to make all connections thru proxy and you can configure the proxy to your liking.

Modem in bridge mode > Proxy > Network Switch > Computers and Wireless Access Point

[nujinini]

Oh.... Very interesting.

So it's going to be like a server. It's a bit clearer now. Thank you!

Can I use my laptop for that instead of an old box? I can try to set-up a server on VBox using CentOS. But.... I think I can't bring my laptop on trips anymore if I do that.

Anyways....I thought I can block some sites and have a history list using the router alone accessed through my laptop.

Thanks for your time!

EDIT: If it would not be too much of a request, can you please point me to a site where I can try to study the setting-up of a PC for this purpose. Sort of a DIY or a tutorial? Thanks again!

[MikeTbob]

Also, if you know exactly which websites you want to block and you want to block them now..you can edit a file, reboot and that website will not be accessible from that machine anymore.
How to: Use the HOSTS file to block websites in Windows? - Overclock.net - Overclocking.net
Hosts (file) - Wikipedia, the free encyclopedia
If your machines are running Windows or Mac, you can probably find some software that does much of what you want, but you most likely will have to pay for it.
Internet Filter, Parental Controls & Filter Software | Net Nanny

[Segfault]

I haven't used those little routers lately, some of them may let you impose restrictions. BTW, adding web sites to hosts file will not deny them to access those sites by IP address.

proxy setup - Google Search

[jayd512]

I haven't used those little routers lately, some of them may let you impose restrictions. BTW, adding web sites to hosts file will not deny them to access those sites by IP address.

proxy setup - Google Search

True... but if you're diligent, and really wanting it blocked, you can also block the IP.

[Segfault]

1) Check what websites were visited by each computer. Sort of a history list in the router.

I think ntop can do it, needs lots of RAM if you want the web interface though. By lots of RAM I mean more than routers usually need.

[Freston]

I would like to have a certain amount of control over the different computers in our house since we all access the internet by a router.

How much control you have over what goes in and out of your network differs greatly per router model. But as said above, the most control you get is when you build your own router/gateway from an old machine with two NIC's.

There's more ways than one to achieve this, and by no means my method is best. But it's an option.

Things I particularly want to do are:

1) Check what websites were visited by each computer. Sort of a history list in the router.

When you run your own DHCP and DNS this is easy. There's more reasons to run your own DHCP and DNS, it can be mighty convenient in other areas as well. But for this question of yours, just imagine ALL machines in the network will ask you every time they want to do something on the internet to translate URL to IP address.

It means you will know where they want to go before they get there. And since they are always asking you, you can manipulate the answers as you see fit.

2) Block some websites using the same router.

Possible, yes. Relying solely on DNS as described above is not the best idea, someone savvy enough can figure out how to get around it. So you'll possible want to block things on the firewall level as well.

3) Not to allow some computers to access the internet at a particular time.

Firewall rules, again.

4) And to know if somebody accessed our network without permission.

Always a good idea. But this is harder than you might think. Do you mean from outside in (attackers) or from the inside out (hitchhikers?). Are you interested in brute force attacks on ssh, ftp, www... I get so many attacks a day I can't monitor them all. Most attacks are random, automated scripts trying their luck on some service ports that have nothing to do with my machine. The only thing that worries me is when they find my ssh port. But that hasn't happened since I changed the port number away from the default.

Remember that you are running your gateway, so that your network is behind a NAT. If your gateway is safe, then your network is safe.

If its possible, what are the things I should be doing to get started. Should I be downloading any software or anything? Or should I be setting up a server for this?

A server. I don't think your idea of a laptop will work here, as you'll need two NIC's. Unless you want to incorporate a wireless step in the process, but I'd advice against that, both for reliability and security reasons.

-----------------


The good news is, it's not that difficult. All you really need is the machine with two NIC's, some iptable rules and I find the easiest solution for dns and dhcp to be dnsmasq (which does both).

Code:

                                                  +----------+
                                         +--------| machine1 |
    ~~~                                  |        +----------+
  ~     ~                                |
 ~        ~       +--------+        +--------+    +----------+
~ internet ~ -----| server |--------| switch |----| machine2 |
 ~        ~       +--------+        +--------+    +----------+
  ~     ~         - IPTABLES             |
    ~~~               - firewall         |        +----------+
                      - nat              +--------| machine3 |
                      - port forwarding           +----------+
                  - DNSMASQ
                      - dns
                      - dhcp

-----------------

I understand you only yesterday learned what a NIC and what a NAT is. So the above may be abacadabra to you Sorry about that. I can explain in more detail, but...

...but what's more important atm is the hardware. Are you willing to have a machine running 24/7, and do you have a machine to offer for this purpose, and do you have (or can you get) a second NIC? And you'll probably need a switch too.
Both are not mighty expensive, but you'll want to consider your options carefully.


Disclaimer: blah blah no guarantees. And I have no idea how a ready-made parental filter would tie into such a setup