Dansguardian Internet Content Filtering
Description
DansGuardian is an award-winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser, totally commercial filters.
DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobstructive as you want. The default settings are geared towards what a primary school might want but DansGuardian puts you in control of what you want to block.
Proxy Choice
With DansGuardian you can use whatever proxy you want, the most common being Squid and Privoxy. Below are two ways to install DansGuardian, with Squid or with Privoxy.
Squid
Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.
Privoxy
Privoxy is a non-caching web proxy with filtering capabilities for enhancing privacy, manipulating cookies and modifying web page data and HTTP headers before the page is rendered by the browser. Privoxy is a "privacy enhancing proxy", filtering Web pages and removing advertisements. Privoxy can be customized by users, for both stand-alone systems and multi-user networks. Privoxy can be chained to other proxies and is frequently used in combination with Squid and can be used to bypass Internet censorship. It is also bundled with Tor to increase privacy.
Installation
Squid
Install clamav-freshclam, iptables, DansGuardian and squid:
sudo apt-get install clamav-freshclam iptables dansguardian squid
Privoxy
Install clamav-freshclam, iptables, privoxy and DansGuardian:
sudo apt-get -y install clamav-freshclam iptables privoxy dansguardian
Configure Proxy
Squid
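In the Squid configuration file, make "http_port" transparent (the commands below use /etc/squid3/squid.conf; on some releases the file is /etc/squid/squid.conf):
sudo sed -i 's/http_port 3128/http_port 3128 transparent/g' /etc/squid3/squid.conf
In the same file, add always_direct allow all:
sudo sed -i 's/# always_direct allow local-servers/always_direct allow all/g' /etc/squid3/squid.conf
Start Squid (the service is named squid3 when the configuration lives under /etc/squid3):
sudo service squid3 start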
Privoxy
In /etc/privoxy/config change localhost:8118 to 127.0.0.1:8118. This is the same address, but Privoxy as a parent proxy does not like localhost and will refuse connections:
sudo sed -i 's/listen-address localhost:8118/listen-address 127.0.0.1:8118/g' /etc/privoxy/config
Restart privoxy:
sudo service privoxy force-reload
Configure DansGuardian
You will likely want to customize some filtering options. In particular, you may want to comment (#) or uncomment options in these files:
- /etc/dansguardian/lists/bannedextensionlist
- /etc/dansguardian/lists/bannedsitelist
- /etc/dansguardian/lists/bannedurllist
Squid
In /etc/dansguardian/dansguardian.conf comment out the line "UNCONFIGURED - Please remove this line after configuration":
sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf
Set filterip equal to 127.0.0.1:
sudo sed -i 's/^filterip =.*/filterip = 127.0.0.1/' /etc/dansguardian/dansguardian.conf
Set daemonuser equal to 'proxy':
sudo sed -i "s/#daemonuser = 'dansguardian'/daemonuser = 'proxy'/g" /etc/dansguardian/dansguardian.conf
Set daemongroup equal to 'proxy':
sudo sed -i "s/#daemongroup = 'dansguardian'/daemongroup = 'proxy'/g" /etc/dansguardian/dansguardian.conf
Set accessdeniedaddress equal to 'http://localhost/cgi-bin/dansguardian.pl':
sudo sed -i "s|accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'|accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'|g" /etc/dansguardian/dansguardian.conf
Change the Dansguardian log folder to the correct ownership and start Dansguardian:
sudo chown -R proxy:proxy /var/log/dansguardian
sudo /etc/init.d/dansguardian start
Privoxy
In /etc/dansguardian/dansguardian.conf comment out the line "UNCONFIGURED - Please remove this line after configuration":
sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf
By default DansGuardian uses Squid. Change the proxy port to Privoxy's in /etc/dansguardian/dansguardian.conf:
sudo sed -i 's/proxyport = 3128/proxyport = 8118/g' /etc/dansguardian/dansguardian.conf
Start DansGuardian:
sudo service dansguardian start
Configure iptables
If this is a shared computer, parents and children should have unique login accounts. Otherwise you can set it up to block everything for everyone.
Parents can surf the web with adblock but without DansGuardian by pointing Firefox to port 8118. Children can surf the web with adblock and DansGuardian by pointing Firefox to port 8080.
Squid
Allows root (needed for apt-get …)
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
Allows Squid, which runs as the proxy user, to connect to ports 80 and 443
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT
Blocks everyone but Squid
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
Allows DansGuardian, which runs as the proxy user after the daemonuser change above, to connect to Squid.
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
Allows USER (parents) to connect to Squid, thus circumventing DansGuardian. Don't use this on a shared computer. Change "USER" to your login name, and add additional users if needed, one per line, before you add the last "DROP" line.
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT
Blocks all other connections to Squid.
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -j DROP
Privoxy
Allows root (needed for apt-get …)
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
Allows privoxy to connect to ports 80 and 443
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
Blocks everyone but privoxy
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
Allows dansguardian to connect to privoxy.
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
Allows USER (parents) to connect to Privoxy, thus circumventing DansGuardian. Don't use this on a shared computer. Change "USER" to your login name, and add additional users if needed, one per line, before you add the last "DROP" line.
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT
Blocks all other connections to privoxy.
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP
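The rules above are evaluated top to bottom and the first match decides, which is why the USER line has to go in before the final DROP. The following added example (not part of the original page) replays the Privoxy rule set through a small first-match evaluator; the login names alice and child, the interface eth0 and the default ACCEPT policy on OUTPUT are assumptions.

```shell
#!/bin/sh
# Added example: first-match evaluation of the Privoxy OUTPUT rules listed above.
# RULES is a constructed copy of those rule arguments; "alice" stands in for USER.
RULES='-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner alice -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -j DROP'

# The ordering mistake the text warns about: the USER rule lands after the final DROP.
MISORDERED=$(printf '%s\n' "$RULES" | grep -v alice
             echo '-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner alice -j ACCEPT')

# verdict RULESET USER OUT_IFACE TCP_DPORT -> target of the first rule that matches.
verdict() {
    printf '%s\n' "$1" | awk -v user="$2" -v ifc="$3" -v port="$4" '
    {
        want_if = ""; want_uid = ""; ports = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-o") want_if = $(i + 1)
            else if ($i == "--uid-owner") want_uid = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (want_if != "" && want_if != ifc) next
        if (want_uid != "" && want_uid != user) next
        if (ports != "" && index("," ports ",", "," port ",") == 0) next
        print target; found = 1; exit
    }
    # Nothing matched: assume the chain policy is the default ACCEPT.
    END { if (!found) print "ACCEPT" }'
}

# "child" is a hypothetical unprivileged login; eth0 is a constructed interface name.
for probe in "privoxy eth0 443" "child eth0 443" "dansguardian lo 8118" \
             "child lo 8118" "child lo 8080" "alice lo 8118"; do
    set -- $probe
    printf '%-14s %-5s %-5s -> %s\n' "$1" "$2" "$3" "$(verdict "$RULES" "$@")"
done
printf 'alice lo 8118 with misordered rules -> %s\n' "$(verdict "$MISORDERED" alice lo 8118)"
```

The child probe to port 8080 matches no rule and falls through to the chain policy, which is how filtered accounts still reach DansGuardian while being dropped on 8118, 80 and 443.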
Configure your iptables settings to be active at boot
If UFW is not installed
Save your settings.
sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"
Delete line with "exit 0" in /etc/rc.local
sudo sed -i "/exit 0/d" /etc/rc.local
Add lines to the end of rc.local:
echo "iptables-restore < /etc/dansguardian/iptables.save
exit 0" | sudo tee -a /etc/rc.local
If UFW is installed
In /etc/ufw/before.rules comment out -A ufw-before-output -o lo -j ACCEPT
sudo sed -i 's/-A ufw-before-output -o lo -j ACCEPT/#-A ufw-before-output -o lo -j ACCEPT/g' /etc/ufw/before.rules
In /etc/ufw/before.rules delete lines # don't delete the 'COMMIT' line or these rules won't be processed
sudo sed -i "/# don't delete the 'COMMIT' line or these rules won't be processed/d" /etc/ufw/before.rules
In /etc/ufw/before.rules delete lines COMMIT
sudo sed -i "/COMMIT/d" /etc/ufw/before.rules
Append lines to /etc/ufw/before.rules. As before, you must change 'USER' to your login name. If you get "bash: /etc/ufw/before.rules: Permission denied", manually add everything between the " " to /etc/ufw/before.rules:
Squid
echo "# Rules for Dansguardian
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -j DROP
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
" | sudo tee -a /etc/ufw/before.rules
Privoxy
echo "# Rules for Dansguardian
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
" | sudo tee -a /etc/ufw/before.rules
Configure System Proxy
Set up system proxy settings.
gsettings set org.gnome.system.proxy mode 'manual'
gsettings set org.gnome.system.proxy.http host 'localhost'
gsettings set org.gnome.system.proxy.http port 8080
Finally
Download blacklists from a site such as http://urlblacklist.com/?sec=download
tar -xzf bigblacklist.tar.gz
sudo mv blacklists /etc/dansguardian/blacklists
sudo chown -R root:root /etc/dansguardian/blacklists
To allow Ubuntu updates to pass through the filter, add the following to the end of /etc/dansguardian/lists/exceptionextensionlist:
# Archives & packages
.bz2
.gz
.tbz2
.tar
.deb
.gpg