Setting up DansGuardian on a single home PC running Ubuntu

I am available for hire! Usability evaluation and testing, software development, Moodle development. See portfolio


Please note: there are newer howtos at ubuntu forums (howto1, howto2). These are probably more thoroughly tested than mine is. Thanks.

Dansguardian (nowadays E2Guardian; see commercial options) is efficient, even mostly out-of-the-box web content filtering to protect from the filth flowing on the internet. On Ubuntu Linux (which rocks), do:

sudo apt-get install dansguardian tinyproxy firehol

Configure /etc/dansguardian/dansguardian.conf – at least you will have to comment the line saying UNCONFIGURED (but please do check out the other options in the file, they’re not hard), and then:

sudo dpkg-reconfigure dansguardian

should get you started – now you just need to set your web browsers to use the proxy on localhost at port 8080. If you want to make it more script kiddie proof, read on.

UPDATE: To stop anyone on your computer from going to dirty pages, it is perhaps the easiest to use FireHOL so you can avoid most of the iptables headaches. To force unconfigured browsers to use dansguardian: In /etc/firehol/firehol.conf you will need

transparent_squid 8080 "proxy root"

(note that squid/tinyproxy runs as username proxy in Ubuntu – and probably in Debian, too). Also, you will have to allow at least access to the outside world in FireHOL:

interface any world
policy drop
protection strong
client all accept

To stop people from using just squid/tinyproxy as a proxy, thus again bypassing dansguardian, you will need to add the following in the beginning of your /etc/firehol/firehol.conf.

iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP

(Thanks to Costa Tsaousis at FireHOL help forums. Also note: dansguardian runs as user dansguardian on Ubuntu.)

From DansGuardian with Tinyproxy:

Now that the programme is installed, change the following 4 lines in /etc/tinyproxy/tinyproxy.conf
User root
Group root
Port 3128
ViaProxyName “tinyproxy”

Squid was much slower than tinyproxy for me. Still, if you choose to use Squid instead of tinyproxy, I understand that you need to set up Squid as an intercepting proxy, so see those instructions as well.

An additional tip: to make dansguardian, tinyproxy, squid or firehol reread their configuration files, I found it easiest to say sudo /etc/init.d/PROGRAMNAME restart

There’s good documentation on the dansguardian site, and as a last resort feel free to ask me help in the installation, though I’m no expert. You might also try the FireHOL help forum for any filtering-specific questions, which I’m a novice at. Also, please comment. I must have forgotten a step or two. :)

This howto is in the public domain. Feel free to copy or modify.

Comments (imported from old blog on July 22, 2010)

shane wrote on April 09, 2006 at 03:40:

I’ve been using dansguardian with tinyproxy and have also tried with squid and it works when the browser is set to use a proxy but by setting it to use a direct connection it is easy to bypass dansguardian.
I’ve spent days trying different guides to setup a transparent proxy without success.
I’ve now found this guide and followed it to the letter but I am still able to bypass dansguardian by setting the browser to use direct connection.
Any ides?

pilpi (pilpi.net author) wrote on April 09, 2006 at 14:53:

Hi Shane,

So you’re running Ubuntu (or Debian[?]), right? At least the usernames are probebly different on other systems. Thus, you would need different usernames than proxy&root on the the transparent_squid line, to make firehol redirect all http requests (on port 80) to dansguardian (on port 8080). You can check the user tinyproxy/squid is running as with: “ps aux |grep [PROGRAMNAME]” on the console. Check the first column of any line that shows a running tinyproxy/squid.. That’s the username you should have on the transparent_squid line.

Do you have another firewall running? You could try to disable/uninstall it, since (if I’ve understood correctly) the firewall rules in firehol.conf should protect a desktop machine nicely. After that you can find out if FireHOL is actually running: unless you can think of a smarter way of finding out about FireHOL’s internal life, you could try port scanning your machine: take your browser to https://www.grc.com/x/ne.dl… and see if FireHOL is doing anything at all on your computer. With the configuration below no ports should be open to the outside world. Also, when you do “sudo /etc/init.d/firehol restart” after configuring FireHOL, does it print any errors?

Again, below what I think /etc/firehol/firehol.conf for a desktop machine (with no servers such as SSH or Apache running) should look like (in the actual order) :

iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp –dport 3128 -m owner ! –uid-owner dansguardian -j DROP

transparent_squid 8080 “proxy root”

interface any world
policy drop
protection strong
client all accept

shane wrote on April 10, 2006 at 00:59:

Thanks for your reply, I was running guarddog firewall and have now removed it and re-installed firehol.
ps aux |grep tinyproxy showed tinyproxy was running as root so I changed the transparent-squid line to “root root”
ps aux |grep dansguardian showed dansguardian running as 116, which is the GID for the group dansguardian. I’ve tried putting both dansguardian and 116 in the iptables -t filter line but I’m still getting the same results.
Firehol itself is working ok. If I stop it and run a firewall test I get a couple of stealthed ports and mostly closed ports.
If I start it and do the test again I am fully stealthed. There are no errors when starting/restarting firehol.
Just to check, am I right in thinking all unconfigured browsers should redirect through dansguardian? so I don’t need to point the browsers to 8080?
At the moment, when pointed at proxy 8080 all broswers are working ok dansguardian is blocking content.
If I switch back to the default direct connection, I am now getting this error – Cache Error!
The following error has occured: Unknown URL type (generated by tinyproxy)
If I point the browser to port 3128 and try to load a page it is endlessly trying to load it before timing out.
This is partially working in that dansguardian cannot be bypassed but ideally I would like the default connection to be redirected through dansguardian.
As I said I have followed lots of guides and this one certainly seems the most straightforward and simple and I can’t work out where it’s going wrong.
Thankyou for your patience.

shane wrote on April 11, 2006 at 02:24:

Yes, it’s me again. I managed to get this setup correctly using squid instead of tinyproxy.
If the browser is unconfigured or pointed to port 3128 or 8080 it is always directed through dansguardian and it is blocking content with all browsers.
However, I also find squid to be slower than tinyproxy so I would rather sort out the issues with that.
Can you confirm you are using the configuration above with tinyproxy?

The problem seems to be that tinyproxy is not a web caching proxy but I may be wrong.
Am I missing anything else that should be installed? I do tend to remove things I don’t think I’m gonna need.

Incidentally, I am using ubuntu (dapper) and also debian sid and suse 10.0, single desktop, single user (at the moment) and no servers.
With the dansguardian/firehol/squid setup it’s working on all 3 but with dansguardian/firehol/tinyproxy it won’t work with any of them.
Sorry if I’m beginning to bother you

pilpi (pilpi.net author) wrote on May 10, 2006 at 16:54:

No it’s ok. Somehow I had missed your comments and they were waiting for moderation in nucleus. Yeah, For me tinyproxy is working, and squid was much slower. I’ll try to look into it. Thanks for your patience.

pilpi (pilpi.net author) wrote on May 13, 2006 at 23:10:

Yeah, actually… I now seem to have the same problem for me as well as far as it comes to not setting those proxy settings in the browser. I think it did work at some point but certainly doesn’t, now. It might have been that I was using squid at the time and didn’t bother to check whether it worked with tinyproxy after switching, but I think not.

For me, it doesn’t actually make a difference since as long as not using a proxy doesn’t allow web usage, proxy usage is forced. Sorry, for now I don’t know how to help you.

Shane wrote on July 01, 2006 at 15:38:

pilpi,

I’m a different Shane. Thanks for this page, it has been very helpfull! Can you give me some info on setting up squidguard to work in this fashion? I can’t seem to get tinyproxy to work right. If I do a direct connection it bypasses dansguardian. I also followed these directions to the letter. Thanks for the easy great setup guide. Oh – I’m also using Kubuntu dapper.

pilpi (pilpi.net author) wrote on July 02, 2006 at 22:05:

Hi Shane (the 2th :),

Sorry, but I don’t know anything about squidguard. After all, I’m not sure about if tinyproxy works as my tutorial says, please read my discussion with the other shane above. The line ‘transparent_squid 8080 “proxy root”‘ in fireHOL config should prevent anyone but users proxy and root from accessing the web directly – you just have to make sure that whatever you filter with is in the port (8080) you specify here.

I’m not precisely sure about what you’re asking, though. Please clarify if this didn’t help.

-Olli

Rueshann wrote on July 07, 2006 at 01:43:

Pilpi and Shane the 1st :)

I have a working configuration of TinyProxy, Dansguardian, and Ubuntu Dapper. I have documented the steps I took along with changes to the config files at the link below in the Ubuntu Forums.

http://ubuntuforums.org/sho…

george wrote on October 11, 2006 at 12:36:

hi guys, can u tell me how to bypass dansguardian?

pilpi (pilpi.net author) wrote on October 24, 2006 at 11:20:

Also http://www.ubuntuforums.org… seems to have a newer howto. I haven’t time to check these out, but they’re probably more thought out than mine is, so I added links to the main post.

Nomad wrote on October 26, 2006 at 20:48:

I want to remove the Dansguardian completely from my ubuntu install.
@64 I don’t want it. How do I do that

pilpi (pilpi.net author) wrote on October 27, 2006 at 08:36:

Nomad: Just like you remove any software. Just uninstall all the packages mentioned here. Or you might also just want to reconfigure the firewall. On the command line: “man apt-get”.

adil wrote on November 21, 2006 at 03:31:

to force people to go through the squidguard/dansguardian, as i recall, you have to make your router accept web access only for the proxy server–then there’s no way out except through the filter. there are still ways around that, but it’s much harder.

arpi wrote on June 28, 2007 at 17:48:

Hi, I am using dansguardian on sidux (debian) I followed these instructions and they work fine. I have only one problem if I want to use checkgmail I have to be root to be able to set its proxy setting. I use the following command as root HTTPS_PROXY=”https://127.0.0.1:8080“; checkgmail

Do you have any ideas how to resolve this problem?

ser wrote on September 15, 2007 at 02:56:

i also use d the same howto http://ubuntuforums.org/sho…
and the big problem is firefox does not provide a password option for the preferences and that is making dansguardian useless the only solution is to provide a password function for firefox by the mozilla team or by the dansguardian team as an addon/extension

pilpi (pilpi.net author) wrote on September 15, 2007 at 08:29:

arpi, no, I don’t use that myself so I don’t know.

ser, I’m not quite sure what you mean. If you mean that people can bypass dansguardian by resetting the proxy preferences in the browser: that’s exactly what the above iptables command prevents. By using that, it does not matter what the proxy setting in the browser is; the filtering forwards traffic also from port 80 to outside through the dansguardian filter.

Digerati wrote on September 20, 2007 at 17:49:

Love this write up, it works great. Got one small problem now, I had the weather applet added to my panel and now it doesnt work. I am thinking it was making its requests across port 80 and now it cant. How can I reslove this?

Jonathan wrote on December 05, 2007 at 23:09:

Thank you for this how-to!!

Devils advocat wrote on January 31, 2008 at 17:08:

I need help with trying to get into my etc screen can anybody help????

Mathis Dirksen-Thedens wrote on March 15, 2008 at 16:23:

I have put together a howto document which describes the setup of DansGuardian with Squid and also includes the transparent proxy configuration. iptables is used to automatically redirect every HTTP connection through the filter. Read more at http://www.zephyrsoft.net/f…

Al wrote on April 26, 2008 at 16:18:

Thanks, 3 easy steps, one conclusion: IT WORKS!!! Thanks.

 

I am available for hire! Usability evaluation and testing, software development, Moodle development. See portfolio

Join the Conversation

6 Comments

  1. I have created the web application at http://filter-test.echoz.com to test if a keyword blocker like Dansguardian is active. If you need a quicker link you can also access http://snow.byethost17.com/filter-test/ directly since this page is only framed by http://filter-test.echoz.com. My application is called Block That and it is free for all kinds of use. If you like you can make it your homepage so that every time you fire up your browser you will know whether or not your browser is shielded. No need to visit disturbing website to test you keyword filter anymore.

  2. I installed just dansguardian with tinyproxy in a computer lab in a school, and they run perfect. The problem started after the network administrator installed a squid proxy applied to the entire school network. Squid was only installed but not configured to block anything, this suppose a problem to me because students can access everything. Well, here the real problem, the computer where I installed dansguardian can’t connect to internet directly but only if it is configured to use the squid proxy. I configured it and the computer can surf normally, but the others machines can’t reach any webpage. What can I do?

  3. Configure /etc/dansguardian/dansguardian.conf – at least you will have to comment the line saying UNCONFIGURED (but please do check out the other options in the file, they’re not hard), and then:

    sudo dpkg-reconfigure dansguardian
    What do you mean by “at least you will have to comment the line saying UNCONFIGURED”?

    UPDATE: To stop anyone on your computer from going to dirty pages, it is perhaps the easiest to use FireHOL so you can avoid most of the iptables headaches. To force unconfigured browsers to use dansguardian: In /etc/firehol/firehol.conf you will need

    transparent_squid 8080 “proxy root”
    Where does this go? What does it do? What is it’s purpose?

    This step-by-step guide, is not very step-by-step. I keep getting errors in terminal “Dansguardian has not been configured!” When I did just as the guide stated. I’m at a loss… can some one maybe make up a simple and straight forward GUI. I know it’s a lot to ask, but this is why people don’t use Linux. HELP, I’M STUCK!!!

  4. John,

    What do you mean by “at least you will have to comment the line saying UNCONFIGURED”?

    Not sure if that exists any more, but there was a line that said UNCONFIGURED in a fresh install. To get the software into use, you needed to remove (or comment out) that line. If it says “Dansguardian has not been configured!” it may be because you did not remove that line in /etc/dansguardian/dansguardian.conf .

    John, Antonio — Sorry. This is an old post and only online since people requested it. I no longer use dansguardian myself.

    I could not find a support forum for Dansguardian at first glance, but this seems to have popped up: a graphical configuration tool for Dansguardian at. Tried it? https://launchpad.net/dggui

  5. Squidblacklist.org is the worlds leading publisher of native acl
    blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms.

    There is room for a better blacklist, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  6. Great article! Only one problem, Free Blacklists Suck!

    We specialize in serving intelligent network administrators high quality blacklists for effective, targeted inline web filtering.
    There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.

    It would be our pleasure to serve you,

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.