Web Content Filtering in Ubuntu 14.04

This tutorial covers the setup for web content filtering in Ubuntu 14.04 using Dansguardian, Squid, and iptables.

The first step is to install the needed software:

$ sudo apt-get install squid dansguardian iptables clamav-freshclam

We’ll configure Squid first. The file of interest is /etc/squid3/squid.conf. Using your favorite text editor, make sure the following lines are set:

...
http_port 3128
...
always_direct allow all

NOTE: do not use the “transparent” setup (placing the word transparent after the port number in the squid config file). This causes all sorts of strange problems. For me, https worked fine but http was blocked completely.

Next, configure Dansguardian (/etc/dansguardian/dansguardian.conf). First, comment out the line at the beginning of the file that begins with “UNCONFIGURED”. Then add (or modify existing lines to look like) the following lines:

filterip = 127.0.0.1
daemonuser = 'proxy'
daemongroup = 'proxy'
accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'

It’s important to note that if you do any web development, you will want to avoid running Dansguardian on a standard port (like the default of 8080). I prefer 8888:

filterport = 8888

Save the file and close your editor. Now we’re ready for iptables. Enter the following commands in the terminal:

$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

Be sure to replace the port numbers in the last two commands with the filterport number you set in the Dansguardian config.

Now, if you restart Dansguardian and squid, it should work ok, but after reboot, it won’t keep working because the iptables settings won’t persist. To keep them around, install one last package:

$ sudo apt-get install iptables-persistent

This package will ask you whether to save the current settings. Indicate that you want it to save for both IPv4 and IPv6. Then restart Squid 3 and Dansguardian:

$ sudo service squid3 restart
$ sudo service dansguardian restart
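
The setup only filters if the REDIRECT targets match filterport and the proxy user's ACCEPT rule for a port comes before that port's REDIRECT. The script below is an added example, not part of the original post: it compares the filterport in dansguardian.conf with the nat OUTPUT rules in iptables-save format, which is what iptables-persistent stores in /etc/iptables/rules.v4. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real inputs would be /etc/dansguardian/dansguardian.conf and
# /etc/iptables/rules.v4; demo() below uses constructed sample files instead.

# Print the filterport value from a dansguardian.conf-style file ($1).
filterport_of() {
    awk -F= '/^[ \t]*filterport[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Check nat OUTPUT rules in iptables-save format (file $2) against filter
# port $1. Prints one finding per line, nothing when the rules are consistent.
check_rules() {
    awk -v port="$1" '
        substr($1, 1, 1) == "*" { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "OUTPUT" {
            dport = ""; target = ""; to = ""; owner = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")     dport = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
                if ($i == "--to-ports")  to = $(i + 1)
                if ($i == "--uid-owner") owner = 1
            }
            # Proxy user must be exempted first, or its own requests loop back.
            if (target == "ACCEPT" && owner) exempt[dport] = 1
            if (target == "REDIRECT") {
                if (to != port)
                    print "dport " dport ": redirects to " to ", filterport is " port
                if (!(dport in exempt))
                    print "dport " dport ": no proxy-owner ACCEPT before REDIRECT"
            }
        }' "$2"
}

# Constructed sample: filterport 8888, one stale redirect, one missing exemption.
demo() {
    dir=$(mktemp -d)
    printf 'filterip = 127.0.0.1\nfilterport = 8888\n' > "$dir/dansguardian.conf"
    cat > "$dir/rules.v4" <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8888
COMMIT
EOF
    check_rules "$(filterport_of "$dir/dansguardian.conf")" "$dir/rules.v4"
    rm -rf "$dir"
}
demo
```

On the constructed sample it reports the port 80 redirect that still points at 8080 and the port 3128 redirect that has no exemption for the proxy user.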

Voilà! Your web content filtering system should be up and running. For more protection, you can download a blacklist from somewhere like here. Extract the lists and use the terminal to copy them to the right place and set permissions:

$ sudo mv blacklists /etc/dansguardian/blacklists
$ sudo chown -R root:root /etc/dansguardian/blacklists

Restart Dansguardian once more to have the lists take effect. You should be able to load regular websites fine, and if you try to access anything particularly questionable, Dansguardian will replace the page with a blocked site notification.

Enjoy!

Adam Nickle

4 Responses to Web Content Filtering in Ubuntu 14.04

  1. Hello, I was just reading this and thought I would take the time to write a short note to inform you all that we offer blacklists tailored specifically for Squid proxy native acl, as well as alternative formats for the most widely used third party plugins. So we invite you all to check us out. We take a great deal of pride in the fact that our works offer a higher degree of quality than the freely available options. Our lists are also compatible with UrlFilterdb.

    Quality Blacklists Tailored For Squid Proxy – http://www.squidblacklist.org

  2. Joey Joe-Joe Junior Shabadoo says:

    This works well until it comes to the port redirection part. I pasted in the rules exactly as written, but all HTTPS traffic gets through unfiltered and whitelisted HTTP traffic times out. HTTP traffic on the blacklist works as expected and shows the DG refusal page.

    • Mark Borley says:

      Joey – did you fix the problems with HTTPS traffic and whitelisted timeouts? Can you post the fixes please?
      Thanks,
      Mark

  3. Robert Bobkins says:

    Thanks so much! I saw several tutorials regarding this setup and none of them seemed to work. Now I finally have Dansguardian set up.
