This tutorial covers the setup for web content filtering in Ubuntu 14.04 using Dansguardian, Squid, and iptables.
The first step is to install the needed software:
$ sudo apt-get install squid dansguardian iptables clamav-freshclam
We’ll configure Squid first. The file of interest is /etc/squid3/squid.conf. Using your favorite text editor, make sure the following lines are set:
always_direct allow all
NOTE: Do not use the “transparent” setup (placing the word transparent after the port number in the Squid config file). This causes all sorts of strange problems. For me, HTTPS worked fine but HTTP was blocked completely.
Next, configure Dansguardian (/etc/dansguardian/dansguardian.conf). First, comment out the line at the beginning of the file that begins with “UNCONFIGURED”. Then add the following lines (or modify existing lines to match):
filterip = 127.0.0.1
daemonuser = 'proxy'
daemongroup = 'proxy'
accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'
It’s important to note that if you do any web development, you will want to avoid running Dansguardian on a standard port (like the default of 8080). I prefer 8888:
filterport = 8888
Save the file and close your editor. Now we’re ready for iptables. Enter the following commands in the terminal:
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
Be sure to replace the --to-ports value in the last two commands with the filterport number you set in the Dansguardian config.
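A consistency check for these rules, as an added example that is not part of the original tutorial: it compares each REDIRECT target with the filterport in dansguardian.conf and confirms that the proxy user's ACCEPT rule comes before the REDIRECT for the same port, since without that exemption the proxy's own traffic is redirected back into Dansguardian. The function names, the sample input and uid 13 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: cross-check the nat OUTPUT rules against dansguardian.conf.

# Print the filterport value from dansguardian.conf text on stdin.
dg_filterport() {
    sed -n 's/^[[:space:]]*filterport[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Read `iptables -t nat -S OUTPUT` output on stdin.
# $1 = numeric uid of the proxy user (iptables -S prints the owner as a number)
# $2 = Dansguardian filterport. Returns 0 if consistent, 1 otherwise.
check_nat_rules() {
    awk -v uid="$1" -v port="$2" '
    function opt(name,   i) {   # value that follows option "name" on this rule
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    $1 != "-A" || $2 != "OUTPUT" { next }
    opt("-j") == "ACCEPT" && opt("--uid-owner") == uid { exempt[opt("--dport")] = 1 }
    opt("-j") == "REDIRECT" {
        seen++; d = opt("--dport"); to = opt("--to-ports")
        if (to != port) { print "dport " d ": redirects to " to ", filterport is " port; bad++ }
        # nat rules are first-match: the exemption must come before the REDIRECT
        if (!(d in exempt)) { print "dport " d ": no earlier ACCEPT for uid " uid; bad++ }
    }
    END {
        if (!seen) { print "no REDIRECT rule found"; bad++ }
        exit (bad ? 1 : 0)
    }
    '
}

# Constructed sample input (uid 13 is an assumed value for the proxy user).
SAMPLE_CONF='filterip = 127.0.0.1
filterport = 8888'
RULES_AS_TYPED='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080'
RULES_FIXED=$(printf '%s\n' "$RULES_AS_TYPED" | sed 's/--to-ports 8080/--to-ports 8888/')

port=$(printf '%s\n' "$SAMPLE_CONF" | dg_filterport)
printf '%s\n' "$RULES_AS_TYPED" | check_nat_rules 13 "$port" || echo "=> rules do not match filterport $port"
printf '%s\n' "$RULES_FIXED" | check_nat_rules 13 "$port" && echo "=> fixed rules are consistent"

# On the real host (assumes the proxy user exists):
#   sudo iptables -t nat -S OUTPUT | check_nat_rules "$(id -u proxy)" \
#       "$(dg_filterport < /etc/dansguardian/dansguardian.conf)"
```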
Now, if you restart Dansguardian and Squid, it should work, but it won’t keep working after a reboot because the iptables settings don’t persist. To keep them around, install one last package:
$ sudo apt-get install iptables-persistent
This package will ask you whether to save the current settings. Indicate that you want it to save for both IPv4 and IPv6. Then restart Squid 3 and Dansguardian:
$ sudo service squid3 restart
$ sudo service dansguardian restart
Voilà! Your web content filtering system should be up and running. For more protection, you can download a blacklist from somewhere like here. Extract the lists and use the terminal to copy them to the right place and set permissions:
$ sudo mv blacklists /etc/dansguardian/blacklists
$ sudo chown -R root:root /etc/dansguardian/blacklists
Restart Dansguardian once more to have the lists take effect. You should be able to load regular websites fine, and if you try to access anything particularly questionable, Dansguardian will replace the page with a blocked site notification.