This page describes how to create a LiveCD that is useful for providing internet web surfing in to anonymous users while still providing a degree of web filtering to avoid access to unsuitable sites.


The resulting LiveCD should not be considered fool proof and may not provide enough web filtering for your situation. There are no guarantees and the author cannot be held responsible for you use or misuse of the information here in. It is presented in the hopes that it will be useful. If it is not, that is your responsibility and you are free to further refine the instructions to meet you needs.


You should have some understanding of how to modify a LiveCD already. Please review LiveCDCustomization. These instructions will use that as a base but if you have read and understand those instructions, then these instructions will essentially replace the Customization section of that document.

Obtain the base system

Note: the example shown here uses the ubuntu-14.04.2-desktop-amd64.iso Desktop CD. Replace it with the name of your iso.

  • Move or copy it into an empty directory

mkdir ~/livecdtmp
mv ubuntu-14.04.2-desktop-amd64.iso ~/livecdtmp
cd ~/livecdtmp

Extract the CD .iso contents

Mount the Desktop .iso

mkdir mnt
sudo mount -o loop ubuntu-14.04.2-desktop-amd64.iso mnt

Extract .iso contents into dir 'extract-cd'

mkdir extract-cd
sudo rsync --exclude=/casper/filesystem.squashfs -a mnt/ extract-cd

Extract the Desktop system

Extract the SquashFS filesystem

sudo unsquashfs mnt/casper/filesystem.squashfs
sudo mv squashfs-root edit

Prepare and chroot

WARNING: If you do this in 14.04 LTS, you will lose network connectivity (name resolving part of it). /etc/resolv.conf is and should remain a symlink to /run/resolvconf/resolv.conf nowadays. To enable name resolving, temporarily edit that file instead. If you need the network connection within chroot

sudo cp /etc/resolv.conf edit/etc/

NOTE: Recommended that you do not do this unless you know what you're doing Depending on your configuration, you may also need to copy the hosts file

sudo cp /etc/hosts edit/etc/

The remaining steps are good, unlike the ones above:

sudo mount --bind /dev/ edit/dev
sudo chroot edit
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts none /dev/pts

(these mount important directories of your host system - if you later decide to delete the edit/ directory, then make sure to unmount before doing so, otherwise your host system will become unusable at least temporarily until reboot)

To avoid locale issues and in order to import GPG keys

export HOME=/root
export LC_ALL=C

Configure the LiveCD for Internet Kiosk use

Install and Configure Dansguardian

Enable The Universe Repository

sed -i 's/ main / main universe /g' /etc/apt/sources.list

Create temporary Proxy settings (if necessary)

export http_proxy=
export https_proxy=

Temporarily set the DNS servers

cat << EOF_TMPDNS > /run/resolvconf/resolv.conf

Update the package list

apt-get update

Install Dansguardian

apt-get -y install dansguardian squid

Configure Dansguardian

sed -i '/UNCONFIGURED.*/d' /etc/dansguardian/dansguardian.conf

#Ensure that any OpenDNS block page is allowed
echo >> /etc/dansguardian/lists/exceptionsitelist
echo >> /etc/dansguardian/lists/exceptionsitelist
echo >> /etc/dansguardian/lists/exceptionsitelist

Disable FreshClam updates

Dansguardian install ClamAV but there is no reason to update signatures on the live CD:

sed -i 's/Checks 24/Checks 0/g' /etc/clamav/freshclam.conf

Download and configure the blacklists

wget -q -O /root/bigblacklist.tar.gz ''
cd /etc/dansguardian/lists/
sudo tar xvfz /root/bigblacklist.tar.gz

Enable the list that you want to block by uncomenting lines that match:

sed -i -r '/artnudes|porn|violence|hacking|proxy|virusinfected|warez/ s/^#.I/.I/' /etc/dansguardian/lists/bannedsitelist
sed -i -r '/artnudes|porn|violence|hacking|proxy|virusinfected|warez/ s/^#.I/.I/' /etc/dansguardian/lists/bannedurllist

Install and Configure OpenDNS Updater


This section assumes that you have an account setup with OpenDNS to configure ddclient. The ddclient will update your IP address in your OpenDNS account so that the LiveCD will make use of the web site filtering that you have setup in your account.

Install and configure ddclient

apt-get -y install ddclient

cat << EOF_DDCLIENT > /etc/ddclient.conf 

Set DNS Servers to OpenDNS Servers

This section assumes that you are on a network that allows you to specify your own DNS server. If you are preparing the LivCD in an environment where only corporate DNS is allowed you will need to leave this step out or only enable it before you are ready to create the final CD.

Set the OpenDNS servers as the DNS servers

cat << EOF_DNS > /etc/resolvconf/resolv.conf.d/base

Prevent the DHCP Server from overriding your hard coded DNS server settings.

sed -i 's/#prepend domain-name-servers .*$/prepend domain-name-servers,' /etc/dhcp/dhclient.conf
sed -i 's/domain-name-servers, //' /etc/dhcp/dhclient.conf 

Configure the Timezone

If you want to set the TimeZone that your CD will be used in you can do the following:

dpkg-reconfigure tzdata

Remove the Live CD installer

For this use, there is no reason to have the installer. Removing it will allow you to boot directly into the desktop.

apt-get -y purge ubiquity

Install Google Chrome


Since Google Chrome has the ability to play Flash it is a good idea to install it:

echo "deb stable main" > /etc/apt/sources.list.d/google-chrome.list
wget -q -O - | sudo apt-key add -
apt-get update
apt-get -y install google-chrome-stable

Create Desktop Short Cut

cat << ENDCHROME > /etc/profile.d/
cp /usr/share/applications/google-chrome.desktop /home/ubuntu/Desktop/
chmod +x  /home/ubuntu/Desktop/google-chrome.desktop

Lock Preferences

mkdir -p /etc/opt/chrome/policies/managed
mkdir -p /etc/opt/chrome/policies/recommended
cat << END_CHROMEPREFS > /etc/opt/chrome/policies/managed/test_policy.json
  "DefaultBrowserSettingEnabled": false,
  "MetricsReportingEnabled": false,
  "BuiltInDnsClientEnabled": false,
  "RestoreOnStartup": 4,
  "RestoreOnStartupURLs": [""],
  "ProxyMode": "fixed_servers",
  "ProxyServer": "",
  "ForceSafeSearch": true,

Firefox Preferences Configuration

Lock Firefox preferences to set the proxy and home page

cat << EOF_FIREPREFS > /usr/lib/firefox/defaults/pref/all.corp.js
lockPref("browser.tabs.autoHide", false);
lockPref("network.proxy.share_proxy_settings", true);
lockPref("network.proxy.no_proxies_on", "localhost,");
lockPref("", false);
lockPref("browser.defaultbrowser.notificationbar", false);

Prevent Firefox from prompting to import settings from Chome

cat << EOF_FIREMIG > /usr/lib/firefox/browser/override.ini

System wide Proxy settings - experimental

cat << EOF_PROXIES > /etc/init/proxy.conf
# This task is run on startup to set proxy for the system to use Dansguardian

description     "set system proxy settings"

start on started dbus

# this is not a service


gsettings set org.gnome.system.proxy mode manual
gsettings set org.gnome.system.proxy.http host "\$HTTP_PROXY_HOST"
gsettings set org.gnome.system.proxy.http port "\$HTTP_PROXY_PORT"
gsettings set org.gnome.system.proxy.https host "\$HTTPS_PROXY_HOST"
gsettings set org.gnome.system.proxy.https port "\$HTTPS_PROXY_PORT"

sed -i.bak '/http[s]::proxy/Id' /etc/apt/apt.conf
tee -a /etc/apt/apt.conf <<EOF
Acquire::http::proxy "http://\$HTTP_PROXY_HOST:\$HTTP_PROXY_PORT";
Acquire::https::proxy "http://\$HTTPS_PROXY_HOST:\$HTTPS_PROXY_PORT";

sed -i.bak '/http[s]_proxy/Id' /etc/environment
tee -a /etc/environment <<EOF
end script

Miscellaneous LiveCD Changes

Disable the Keyboard Shortcuts Overlay

cat << EOF_OVERLAY > /etc/profile.d/
gsettings set org.compiz.unityshell:/org/compiz/profiles/unity/plugins/unityshell/ shortcut-overlay false

Remove the ubuntu user from sudo

To further protect the system from modification you need to remove the ability to sudo

rm -fr /etc/sudoers.d

#  comment out sudo and admin in the /etc/sudoers file
sed -r -i '/%admin|%sudo/ s/^/#/' /etc/sudoers

Disable the builtin webbrowser-app

There is a web browser built in to Ubuntu that I did not realize was there. It may support proxy options but sine there were better options available I simply disabled it.

chmod a-x /usr/bin/webbrowser-app

Remove some unnecessary packages

apt-get -y purge usb-creator-common usb-creator-gtk thunderbird-gnome-support thunderbird remmina-common remmina remmina-plugin-rdp remmina-plugin-vnc
apt-get -y autoremove

Create the LiveCD iso

Clean Up

apt-get clean
umount /proc || umount -lf /proc
umount /sys
umount /dev/pts

sudo chmod a+w extract-cd/casper/filesystem.manifest
sudo chroot edit dpkg-query -W --showformat='${Package} ${Version}\n' > extract-cd/casper/filesystem.manifest
sudo cp extract-cd/casper/filesystem.manifest extract-cd/casper/filesystem.manifest-desktop
sudo sed -i '/ubiquity/d' extract-cd/casper/filesystem.manifest-desktop
sudo sed -i '/casper/d' extract-cd/casper/filesystem.manifest-desktop

Compress the file system

sudo rm extract-cd/casper/filesystem.squashfs
sudo mksquashfs edit extract-cd/casper/filesystem.squashfs

sudo chmod a+w extract-cd/casper/filesystem.size
printf $(sudo du -sx --block-size=1 edit | cut -f1) > extract-cd/casper/filesystem.size

Create the CD/DVD

cd extract-cd
sudo rm md5sum.txt
find -type f -print0 | sudo xargs -0 md5sum | grep -v isolinux/ | sudo tee md5sum.txt
sudo mkisofs -D -r -V "$IMAGE_NAME" -cache-inodes -J -l -b isolinux/isolinux.bin -c isolinux/ -no-emul-boot -boot-load-size 4 -boot-info-table -o ../ubuntu-14.04.2-desktop-amd64-custom.iso .

LiveCDInternetKiosk (last edited 2017-09-25 23:59:55 by ckimes)