DansGuardian Internet Content Filtering

Description

DansGuardian is an award-winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not filter purely on a banned list of sites like lesser totally commercial filters.

DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobstructive as you want. The default settings are geared towards what a primary school might want but DansGuardian puts you in control of what you want to block.

Installation

sudo apt-get install clamav-freshclam iptables dansguardian squid

Download blacklists from a site such as http://urlblacklist.com/?sec=download, then extract and install them:

tar -xzf bigblacklist.tar.gz
sudo mv blacklists /etc/dansguardian/blacklists
sudo chown -R root:root /etc/dansguardian/blacklists

Configuration

You will likely want to customize some filtering options. In particular, you may want to comment (#) or uncomment options in these files:

  • /etc/dansguardian/lists/bannedextensionlist
  • /etc/dansguardian/lists/bannedsitelist
  • /etc/dansguardian/lists/bannedurllist

Edit /etc/squid/squid.conf: Make these options appear as shown.

...
http_port 3128 transparent
...
always_direct allow all
...

Start Squid:

sudo service squid start

Edit /etc/dansguardian/dansguardian.conf: Comment out the UNCONFIGURED line and make the other options appear as shown.

...
#UNCONFIGURED - Please remove this line after configuration
...
filterip = 127.0.0.1
...
daemonuser = 'proxy'
...
daemongroup = 'proxy'
...
accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'
...

Give the proxy user ownership of the DansGuardian log folder, then start DansGuardian:

sudo chown -R proxy:proxy /var/log/dansguardian
sudo /etc/init.d/dansguardian start

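Now configure iptables to redirect internet traffic through the filter system. The first two rules let the proxy user's own connections to ports 80 and 3128 pass; the last two redirect all other locally generated traffic for those ports to port 8080: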

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
sudo iptables-save > iptables
sudo mv iptables /etc/dansguardian/iptables
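
Rule order matters in the saved file: the owner-matched ACCEPT rules must come before the REDIRECT rules, or the proxy user's own requests are sent back into the filter. The following is an added example, not part of the original page: a shell function that checks an iptables-save dump for that order. The function names, verdict strings and sample dump (including uid 13) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the nat OUTPUT rules above.
# check_nat_rules FILE prints one verdict per port and returns 0 only when
# ports 80 and 3128 are each exempted for an owner match, then redirected to 8080.
check_nat_rules() {
    awk '
    /^\*/ { in_nat = ($0 == "*nat") }   # iptables-save dumps one table at a time
    !in_nat || $1 != "-A" || $2 != "OUTPUT" { next }
    {
        port = ""; target = ""; owner = 0; to = ""
        for (i = 3; i < NF; i++) {
            if ($i == "--dport")     port = $(i + 1)
            if ($i == "-j")          target = $(i + 1)
            if ($i == "--uid-owner") owner = 1
            if ($i == "--to-ports")  to = $(i + 1)
        }
        if ((port != "80" && port != "3128") || (port in verdict)) next
        if (target == "ACCEPT" && owner) exempt[port] = 1
        else if (target == "ACCEPT") verdict[port] = "BYPASS: unconditional ACCEPT comes first"
        else if (target == "REDIRECT" && to == "8080")
            verdict[port] = exempt[port] ? "OK" : "LOOP: REDIRECT precedes the owner ACCEPT"
    }
    END {
        n = split("80 3128", ports, " ")
        for (k = 1; k <= n; k++) {
            p = ports[k]
            if (!(p in verdict)) verdict[p] = "UNFILTERED: no REDIRECT to port 8080"
            print "port " p ": " verdict[p]
            if (verdict[p] != "OK") bad = 1
        }
        exit bad + 0
    }' "${1:-/etc/dansguardian/iptables}"
}

# Constructed sample dump (not captured from a real host); uid 13 is an assumed
# numeric uid for the proxy user.
sample_rules() {
    cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

sample_rules | check_nat_rules -
```

Called with no argument, check_nat_rules reads /etc/dansguardian/iptables, the file saved by the commands above.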

Create a script in /etc/rc2.d, such as S60iptables:

#!/bin/sh
/sbin/iptables-restore < /etc/dansguardian/iptables

Make sure the script is executable:

sudo chmod 750 /etc/rc2.d/S60iptables

As an alternative to the above script, you can simply install the iptables-persistent package.

Finally, to allow Ubuntu updates to pass through the filter, add the following to the end of /etc/dansguardian/lists/exceptionextensionlist:

# Archives & packages
.bz2
.gz
.tbz2
.tar
.deb
.gpg

DansGuardian (last edited 2011-08-27 16:42:31 by samazon)