## See: Servers/DansGuardian
## DansGuardian is no longer in the Ubuntu repositories, and has been replaced by e2guardian.

= Dansguardian Internet Content Filtering =

== Description ==

DansGuardian is an award-winning open source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods, including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser, purely commercial filters.

DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobtrusive as you want. The default settings are geared towards what a primary school might want, but DansGuardian puts you in control of what you want to block.

== Proxy Choice ==

With DansGuardian you can use whatever proxy you want, the most common being Squid and Privoxy. Below are two ways to install DansGuardian: with Squid or with Privoxy.

=== Squid ===

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.

=== Privoxy ===

Privoxy is a non-caching web proxy with filtering capabilities for enhancing privacy, manipulating cookies and modifying web page data and HTTP headers before the page is rendered by the browser. Privoxy is a "privacy enhancing proxy", filtering web pages and removing advertisements. Privoxy can be customized by users, for both stand-alone systems and multi-user networks.
Privoxy can be chained to other proxies, is frequently used in combination with Squid, and can be used to bypass Internet censorship. It is also bundled with Tor to increase privacy.

== Installation ==

=== Squid ===

Install clamav-freshclam, iptables, DansGuardian and squid:
{{{
sudo apt-get install clamav-freshclam iptables dansguardian squid
}}}

=== Privoxy ===

Install clamav-freshclam, iptables, privoxy and DansGuardian:
{{{
sudo apt-get -y install clamav-freshclam iptables privoxy dansguardian
}}}

== Configure Proxy ==

=== Squid ===

In /etc/squid/squid.conf make "http_port" transparent. (On releases where the squid package installs Squid 3, the file is /etc/squid3/squid.conf instead; adjust the paths in the commands below accordingly.)
{{{
sudo sed -i 's/http_port 3128/http_port 3128 transparent/g' /etc/squid/squid.conf
}}}
In /etc/squid/squid.conf add always_direct allow all:
{{{
sudo sed -i 's/# always_direct allow local-servers/always_direct allow all/g' /etc/squid/squid.conf
}}}
Start Squid:
{{{
sudo service squid start
}}}

=== Privoxy ===

In /etc/privoxy/config change localhost:8118 to 127.0.0.1:8118. This is the same address, but Privoxy as a parent proxy does not like localhost and will refuse connections:
{{{
sudo sed -i 's/listen-address localhost:8118/listen-address 127.0.0.1:8118/g' /etc/privoxy/config
}}}
Restart Privoxy:
{{{
sudo service privoxy force-reload
}}}

== Configure DansGuardian ==

You will likely want to customize some filtering options.
In particular, you may want to comment (#) or uncomment options in these files:
 * /etc/dansguardian/lists/bannedextensionlist
 * /etc/dansguardian/lists/bannedsitelist
 * /etc/dansguardian/lists/bannedurllist

=== Squid ===

In /etc/dansguardian/dansguardian.conf comment out the line "UNCONFIGURED - Please remove this line after configuration":
{{{
sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf
}}}
Set filterip equal to 127.0.0.1:
{{{
sudo sed -i 's/filterip =/filterip = 127.0.0.1/g' /etc/dansguardian/dansguardian.conf
}}}
Set daemonuser equal to 'proxy'. The sed expressions below are double-quoted so that the single quotes in the file are passed through to sed instead of ending the shell string:
{{{
sudo sed -i "s/#daemonuser = 'dansguardian'/daemonuser = 'proxy'/g" /etc/dansguardian/dansguardian.conf
}}}
Set daemongroup equal to 'proxy':
{{{
sudo sed -i "s/#daemongroup = 'dansguardian'/daemongroup = 'proxy'/g" /etc/dansguardian/dansguardian.conf
}}}
Set accessdeniedaddress equal to 'http://localhost/cgi-bin/dansguardian.pl' (using | as the sed delimiter, because the URLs contain /):
{{{
sudo sed -i "s|accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'|accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'|g" /etc/dansguardian/dansguardian.conf
}}}
Change the DansGuardian log folder to the correct ownership and start DansGuardian:
{{{
sudo chown -R proxy:proxy /var/log/dansguardian
sudo /etc/init.d/dansguardian start
}}}

=== Privoxy ===

In /etc/dansguardian/dansguardian.conf comment out the line "UNCONFIGURED - Please remove this line after configuration":
{{{
sudo sed -i 's/UNCONFIGURED - Please remove this line after configuration/#UNCONFIGURED - Please remove this line after configuration/g' /etc/dansguardian/dansguardian.conf
}}}
By default DansGuardian uses Squid; change the port to Privoxy's in /etc/dansguardian/dansguardian.conf:
{{{
sudo sed -i 's/proxyport = 3128/proxyport = 8118/g' /etc/dansguardian/dansguardian.conf
}}}
Start DansGuardian:
{{{
sudo service dansguardian start
}}}

== Configure iptables ==

If this is a shared computer, parents and children should have unique login accounts. Otherwise you can set it up to block everything for everyone. Parents can surf the web, with adblock, but without DansGuardian by pointing Firefox at the proxy's port (8118 for Privoxy, 3128 for Squid). Children can surf the web with adblock and DansGuardian by pointing Firefox at port 8080.

The rules below are what actually enforce this: outbound HTTP and HTTPS are only permitted from root and from the proxy's own user, and only the listed users may reach the proxy on the loopback interface, so every other process has to go through DansGuardian on port 8080. Note that only TCP ports 80 and 443 are blocked; web servers on other ports remain directly reachable.

=== Squid ===

Allows root (needed for apt-get ...):
{{{
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
}}}
Allows Squid, which runs as user proxy, to connect to ports 80 and 443:
{{{
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT
}}}
Blocks everyone but Squid:
{{{
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
}}}
Allows DansGuardian to connect to Squid. The Squid configuration above sets daemonuser to 'proxy', so DansGuardian's connections carry that uid and the rule must match proxy; with --uid-owner dansguardian here, DansGuardian's own connections to port 3128 would fall through to the DROP rule below.
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
}}}
Allows USER (parents) to connect to Squid, thus circumventing DansGuardian. Don't use on a shared computer. Change "USER" to your login name, and add additional users if needed, one per line, before you add the last "DROP" line.
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT
}}}
Blocks all other connections to Squid:
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 3128 -j DROP
}}}

=== Privoxy ===

Allows root (needed for apt-get ...):
{{{
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
}}}
Allows Privoxy to connect to ports 80 and 443:
{{{
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
}}}
Blocks everyone but Privoxy:
{{{
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
}}}
Allows DansGuardian to connect to Privoxy:
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
}}}
Allows USER (parents) to connect to Privoxy, thus circumventing DansGuardian. Don't use on a shared computer.
Change "USER" to your login name, and add additional users if needed, one per line, before you add the last "DROP" line.
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT
}}}
Blocks all other connections to Privoxy:
{{{
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP
}}}

== Configure your iptables settings to be active at boot ==

=== If UFW is not installed ===

Save your settings:
{{{
sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"
}}}
Delete the line with "exit 0" in /etc/rc.local:
{{{
sudo sed -i "/exit 0/d" /etc/rc.local
}}}
Add lines to the end of rc.local. sudo does not apply to the shell's >> redirection, so the lines are written through tee, which appends to the file as root:
{{{
printf '%s\n' 'iptables-restore < /etc/dansguardian/iptables.save' 'exit 0' | sudo tee -a /etc/rc.local
}}}

=== If UFW is installed ===

In /etc/ufw/before.rules comment out -A ufw-before-output -o lo -j ACCEPT:
{{{
sudo sed -i 's/-A ufw-before-output -o lo -j ACCEPT/#-A ufw-before-output -o lo -j ACCEPT/g' /etc/ufw/before.rules
}}}
In /etc/ufw/before.rules delete the line "# don't delete the 'COMMIT' line or these rules won't be processed":
{{{
sudo sed -i "/# don't delete the 'COMMIT' line or these rules won't be processed/d" /etc/ufw/before.rules
}}}
In /etc/ufw/before.rules delete the COMMIT line:
{{{
sudo sed -i "/COMMIT/d" /etc/ufw/before.rules
}}}
This removes every COMMIT line in the file, and the block appended below only adds one back at the end. That is correct when before.rules contains a single *filter table; if your version of the file also has other tables (for example a *nat section), check with grep -n '^\*' /etc/ufw/before.rules and put a COMMIT back after each of the earlier tables, or ufw will refuse to load the rules.

Append lines to /etc/ufw/before.rules. Just like before, you must change 'USER' to your login name.
Running "sudo echo ... >> /etc/ufw/before.rules" fails with "bash: /etc/ufw/before.rules: Permission denied", because sudo applies only to echo and not to the shell's >> redirection. The blocks below therefore pipe the lines through sudo tee -a, which appends to the file as root; alternatively, add everything between the first and last line of the heredoc by hand with an editor.

=== Squid ===

{{{
sudo tee -a /etc/ufw/before.rules <<'EOF'
# Rules for Dansguardian
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 3128 -j DROP
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}}}
As in the iptables section, the Squid rules match user proxy, which is both Squid's user and the daemonuser the Squid configuration above gives DansGuardian.

=== Privoxy ===

{{{
sudo tee -a /etc/ufw/before.rules <<'EOF'
# Rules for Dansguardian
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner USER -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}}}

== Configure System Proxy ==

Set up the system proxy settings so that applications use DansGuardian on port 8080 by default. This is a convenience setting only; the iptables rules above are what enforce the filter.
{{{
gsettings set org.gnome.system.proxy mode 'manual'
gsettings set org.gnome.system.proxy.http host 'localhost'
gsettings set org.gnome.system.proxy.http port 8080
}}}

== Finally ==

Download blacklists from a site such as http://urlblacklist.com/?sec=download and install them:
{{{
tar -xzf bigblacklist.tar.gz
sudo mv blacklists /etc/dansguardian/blacklists
sudo chown -R root:root /etc/dansguardian/blacklists
}}}
To allow Ubuntu updates to pass through the filter, add the following to the end of /etc/dansguardian/lists/exceptionextensionlist:
{{{
# Archives & packages
.bz2
.gz
.tbz2
.tar
.deb
.gpg
}}}
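The DansGuardian configuration steps above apply one sed per setting, and the quoting of those commands is easy to get wrong. The following script is an added example, not code from this wiki page or the DansGuardian project: it applies the same settings for either backend in one idempotent run, demonstrated on a constructed sample of dansguardian.conf. The helper names dg_set, dg_get, dg_configure and dg_sample_conf are hypothetical, and the script assumes GNU sed and the stock Debian/Ubuntu "key = value" layout of the file.

```shell
#!/bin/sh
# Added example (not from the wiki page or the DansGuardian project): apply the
# page's dansguardian.conf settings for either backend in one idempotent step.
# Assumes GNU sed and the stock Debian/Ubuntu "key = value" layout.
set -eu

# dg_set FILE KEY VALUE: rewrite (and un-comment) the "KEY = ..." line as
# "KEY = VALUE", appending it if absent. '|' is the sed delimiter so URLs with
# '/' are safe; values must not contain '|' or '&'.
dg_set() {
  file=$1 key=$2 value=$3
  if grep -q "^#\\{0,1\\} *$key *=" "$file"; then
    sed -i "s|^#\\{0,1\\} *$key *=.*|$key = $value|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# dg_get FILE KEY: print the active value of KEY (empty if absent or commented)
dg_get() { sed -n "s|^ *$2 *= *||p" "$1"; }

# dg_configure FILE BACKEND: the page's settings for squid or privoxy
dg_configure() {
  file=$1 backend=$2
  case $backend in
    squid)   port=3128 ;;
    privoxy) port=8118 ;;
    *) echo "unknown backend: $backend" >&2; return 1 ;;
  esac
  sed -i 's|^UNCONFIGURED|#UNCONFIGURED|' "$file"  # comment out the marker line
  dg_set "$file" filterip 127.0.0.1
  dg_set "$file" proxyport "$port"
  dg_set "$file" accessdeniedaddress "'http://localhost/cgi-bin/dansguardian.pl'"
  if [ "$backend" = squid ]; then  # with Squid the page runs DansGuardian as proxy
    dg_set "$file" daemonuser "'proxy'"
    dg_set "$file" daemongroup "'proxy'"
  fi
}

# dg_sample_conf FILE: constructed copy of the stock lines the page edits
dg_sample_conf() {
  printf '%s\n' 'UNCONFIGURED - Please remove this line after configuration' \
    'filterip =' 'filterport = 8080' 'proxyport = 3128' \
    "accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'" \
    "#daemonuser = 'dansguardian'" "#daemongroup = 'dansguardian'" > "$1"
}

# Demo on the sample; on a real host point dg_configure at the file in /etc as root
demo=$(mktemp); dg_sample_conf "$demo"; dg_configure "$demo" privoxy; cat "$demo"; rm -f "$demo"
```

Running dg_configure a second time on the same file changes nothing, which is what makes it safe to re-run after a package upgrade rewrites the stock keys.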