DansGuardian Internet Content Filtering

Description

DansGuardian is an award-winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not filter purely on a banned list of sites, as lesser, totally commercial filters do.

DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobtrusive as you want. The default settings are geared towards what a primary school might want, but DansGuardian puts you in control of what you want to block.

Proxy Choice

With DansGuardian you can use whatever proxy you want, the most common being Squid and Privoxy. Below are two ways to install DansGuardian, with either Squid or Privoxy.

Squid

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.

Privoxy

Privoxy is a non-caching web proxy with filtering capabilities for enhancing privacy, manipulating cookies and modifying web page data and HTTP headers before the page is rendered by the browser. Privoxy is a "privacy enhancing proxy", filtering Web pages and removing advertisements. Privoxy can be customized by users, for both stand-alone systems and multi-user networks. Privoxy can be chained to other proxies and is frequently used in combination with Squid and can be used to bypass Internet censorship. It is also bundled with Tor to increase privacy.

Installation

Squid

Install clamav-freshclam, iptables, DansGuardian and squid:

sudo apt-get install clamav-freshclam iptables dansguardian squid

Privoxy

Install clamav-freshclam, iptables, privoxy and DansGuardian:

sudo apt-get -y install clamav-freshclam iptables privoxy dansguardian 

Configure Proxy

Squid

In the Squid configuration file (/etc/squid3/squid.conf, the path the command below edits), make "http_port" transparent:

sudo sed -i 's/http_port 3128/http_port 3128 transparent/g' /etc/squid3/squid.conf

In the same file, add always_direct allow all:

sudo sed -i 's/#                always_direct allow local-servers/always_direct allow all/g' /etc/squid3/squid.conf

Start Squid:

sudo service squid3 start

Privoxy

In /etc/privoxy/config change localhost:8118 to 127.0.0.1:8118. The two are equivalent, but Privoxy used as a parent proxy does not like localhost and will refuse connections:

sudo sed -i 's/listen-address localhost:8118/listen-address 127.0.0.1:8118/g' /etc/privoxy/config

Restart privoxy:

sudo service privoxy force-reload

Configure DansGuardian

You will likely want to customize some filtering options. In particular, you may want to comment (#) or uncomment options in these files:

  • /etc/dansguardian/lists/bannedextensionlist
  • /etc/dansguardian/lists/bannedsitelist
  • /etc/dansguardian/lists/bannedurllist

Squid

In /etc/dansguardian/dansguardian.conf, comment out the line "UNCONFIGURED - Please remove this line after configuration":

sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf

Set filterip equal to 127.0.0.1:

sudo sed -i 's/^filterip =.*/filterip = 127.0.0.1/' /etc/dansguardian/dansguardian.conf

Set daemonuser equal to 'proxy':

sudo sed -i "s/#daemonuser = 'dansguardian'/daemonuser = 'proxy'/g" /etc/dansguardian/dansguardian.conf

Set daemongroup equal to 'proxy':

sudo sed -i "s/#daemongroup = 'dansguardian'/daemongroup = 'proxy'/g" /etc/dansguardian/dansguardian.conf

Set accessdeniedaddress equal to 'http://localhost/cgi-bin/dansguardian.pl':

sudo sed -i "s|accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'|accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'|g" /etc/dansguardian/dansguardian.conf

Give the DansGuardian log folder the correct ownership and start DansGuardian:

sudo chown -R proxy:proxy /var/log/dansguardian
sudo /etc/init.d/dansguardian start

Privoxy

In /etc/dansguardian/dansguardian.conf, comment out the line "UNCONFIGURED - Please remove this line after configuration":

sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf

By default DansGuardian uses Squid. Change the port to Privoxy's in /etc/dansguardian/dansguardian.conf:

sudo sed -i 's/proxyport = 3128/proxyport = 8118/g' /etc/dansguardian/dansguardian.conf

Start DansGuardian:

sudo service dansguardian start

Configure iptables

If this is a shared computer, parents and children should have unique login accounts. Otherwise you can set it up to block everything for everyone.

Parents can surf the web with adblock but without DansGuardian by pointing Firefox to port 8118. Children can surf the web with adblock and DansGuardian by pointing Firefox to port 8080.

Squid

Allows root (needed for apt-get …)

sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT

Allows Squid, which runs as the proxy user, to connect to ports 80 and 443

sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT

Blocks everyone but Squid

sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP

Allows DansGuardian (configured above to run as the proxy user) to connect to Squid.

sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT

Allows USER (parents) to connect to Squid, thus circumventing DansGuardian. Don't use this if the computer is shared. Change “USER” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.

sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT

Blocks all other connections to Squid.

sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -j DROP

Privoxy

Allows root (needed for apt-get …)

sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT

Allows privoxy to connect to ports 80 and 443

sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT

Blocks everyone but privoxy

sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP

Allows dansguardian to connect to privoxy.

sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT

Allows USER (parents) to connect to Privoxy, thus circumventing DansGuardian. Don't use this if the computer is shared. Change “USER” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.

sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT

Blocks all other connections to privoxy.

sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP
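
The rules above only enforce filtering because iptables stops at the first matching rule, so each ACCEPT must come before the DROP it carves an exception from. The following check is an added example, not part of the original page: it replays a constructed copy of the Privoxy rule set and reports which account can reach which port. The logins "parent" and "child" and the interface name eth0 are assumptions.

```sh
#!/bin/sh
# Added example: first-match evaluation of the OUTPUT rules from this page.
# Constructed sample in `iptables -S OUTPUT` form for the Privoxy setup; "parent"
# and "child" are hypothetical logins, and real output shows numeric UIDs.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner parent -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j DROP'

# verdict RULES USER OUT_IF DPORT
# Prints the target of the first rule matching a TCP connection, or the chain
# policy if none matches. Only the match options used on this page are handled.
verdict() {
  printf '%s\n' "$1" | awk -v user="$2" -v oif="$3" -v port="$4" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--uid-owner" && $(i+1) != user) ok = 0
        if ($i == "-o" && $(i+1) != oif) ok = 0
        if ($i == "--dport" && $(i+1) != port) ok = 0
        if ($i == "--dports") {
          hit = 0; n = split($(i+1), p, ",")
          for (k = 1; k <= n; k++) if (p[k] == port) hit = 1
          if (!hit) ok = 0
        }
        if ($i == "-j") target = $(i+1)
      }
      if (ok) { print target; found = 1; exit }
    }
    END { if (!found) print policy }'
}

# enforced RULES USER PROXY_PORT
# Succeeds only if USER can reach neither the web directly (eth0 is an assumed
# interface name) nor the unfiltered proxy port on loopback.
enforced() {
  [ "$(verdict "$1" "$2" eth0 80)" = DROP ] &&
  [ "$(verdict "$1" "$2" eth0 443)" = DROP ] &&
  [ "$(verdict "$1" "$2" lo "$3")" = DROP ]
}

enforced "$SAMPLE_RULES" child 8118 && echo "child: filtered path only"
enforced "$SAMPLE_RULES" parent 8118 || echo "parent: can reach Privoxy directly"
```

To check a live system, pass the output of sudo iptables -S OUTPUT as the first argument and use numeric UIDs (id -u NAME), since iptables prints owners numerically.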

Configure your iptables settings to be active at boot

If UFW is not installed

Save your settings.

sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"

Delete the line with "exit 0" in /etc/rc.local:

sudo sed -i "/exit 0/d" /etc/rc.local

Add these lines to the end of rc.local:

echo "iptables-restore < /etc/dansguardian/iptables.save

exit 0
" | sudo tee -a /etc/rc.local > /dev/null

If UFW is installed

In /etc/ufw/before.rules, comment out -A ufw-before-output -o lo -j ACCEPT:

sudo sed -i 's/-A ufw-before-output -o lo -j ACCEPT/#-A ufw-before-output -o lo -j ACCEPT/g' /etc/ufw/before.rules

In /etc/ufw/before.rules, delete the comment line "# don't delete the 'COMMIT' line or these rules won't be processed":

sudo sed -i "/# don't delete the 'COMMIT' line or these rules won't be processed/d" /etc/ufw/before.rules

In /etc/ufw/before.rules, delete the COMMIT line:

sudo sed -i "/COMMIT/d" /etc/ufw/before.rules

Append the following lines to /etc/ufw/before.rules. As before, you must change 'USER' to your login name. If you get "bash: /etc/ufw/before.rules: Permission denied", manually add everything between the " " to /etc/ufw/before.rules:

Squid

echo "# Rules for Dansguardian

-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -j DROP
-A ufw-before-output -o lo -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
" | sudo tee -a /etc/ufw/before.rules > /dev/null

Privoxy

echo "# Rules for Dansguardian

-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
" | sudo tee -a /etc/ufw/before.rules > /dev/null

Configure System Proxy

Set up system proxy settings.

gsettings set org.gnome.system.proxy mode 'manual' 
gsettings set org.gnome.system.proxy.http host 'localhost'
gsettings set org.gnome.system.proxy.http port 8080

Finally

Download blacklists from a site such as http://urlblacklist.com/?sec=download

tar -xzf bigblacklist.tar.gz
sudo mv blacklists /etc/dansguardian/blacklists
sudo chown -R root:root /etc/dansguardian/blacklists

To allow Ubuntu updates to pass through the filter, add the following to the end of /etc/dansguardian/lists/exceptionextensionlist:

# Archives & packages
.bz2
.gz
.tbz2
.tar
.deb
.gpg

DansGuardian (last edited 2014-09-21 21:37:28 by android2772)