HOWTO setup Squid Proxy & DansGuardian Internet Content Filter in ubuntu and fedora

For Ubuntu

Installing Apache

$ sudo aptitude install apache2

Setting a Static IP Address
Now make sure that you have a static IP address

$ sudo vi /etc/network/interfaces

And change the following (bold) to match your network

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1

Press Esc then :wq to save and exit. After saving the file, you must now restart the networking process

$ sudo /etc/init.d/networking restart

Installing and Configuring Squid
Install the Squid Proxy Server

$ sudo aptitude install squid

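If you want to change the default port that Squid listens on (3128), change the http_port tag using vi, making a backup copy first. The DansGuardian settings further down expect Squid on 3128 (proxyport = 3128) and give port 8080 to DansGuardian (filterport = 8080), so if you move Squid, change those values to match.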

$ sudo cp /etc/squid/squid.conf /etc/squid/squid.conf_backup
$ sudo vi /etc/squid/squid.conf
change the line
#http_port 3128
to (or just add the line)
http_port 8080

OK, now we’ll set up who is allowed access to the proxy. Find the http_access section (it should start around line 1860), uncomment these 2 lines and add your network allocations

acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks

Note: If you get a startup error ‘FATAL: Could not determine fully qualified hostname. Please set visible_hostname’ you will also need to modify the visible_hostname tag

visible_hostname localhost

Save the file and close (Esc :wq).

Installing and Configuring DansGuardian
To install DansGuardian, use the following command

$ sudo aptitude install dansguardian

Note: if you get an error “Couldn’t find any package whose name or description matched “dansguardian””…try

$ sudo gedit /etc/apt/sources.list
Add these lines:
deb http://pt.archive.ubuntu.com/ubuntu/ jaunty universe
deb-src http://pt.archive.ubuntu.com/ubuntu/ jaunty universe
then
$ sudo apt-get update
$ sudo aptitude install dansguardian

Once the package is installed, edit the following lines in /etc/dansguardian/dansguardian.conf to match. This sets DansGuardian to do basic filtering and use Squid as its proxy server.

# UNCONFIGURED
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

To configure banned/exception sites based on phrases, IP addresses, URLs, MIME types, etc., edit one of the following files. All files are located in /etc/dansguardian/

bannedextensionlist
bannediplist
bannedmimetypelist
bannedphraselist
bannedregexpurllist
bannedsitelist
bannedurllist
banneduserlist

exceptioniplist
exceptionphraselist
exceptionsitelist
exceptionurllist
exceptionuserlist
exceptionvirusextensionlist
exceptionvirusmimetypelist
exceptionvirussitelist
exceptionvirusurllist

Restarting Squid and DansGuardian
Whenever a file is edited, it is good practice to restart both Squid and DansGuardian services by using the following commands

$ sudo /etc/init.d/dansguardian stop
$ sudo /etc/init.d/squid stop
$ sudo /etc/init.d/squid start
$ sudo /etc/init.d/dansguardian start

## to see if the service is running
$ ps -e | grep dansguardian

Now that Squid and DansGuardian are configured, test it by setting up your browser to use the proxy server with port 8080.
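
A quick consistency check for the port chain set up above, as an added example (not part of the original post): it reads squid.conf and dansguardian.conf, confirms that proxyport matches Squid's http_port and that filterport does not collide with it, and also accepts the 127.0.0.1:3128 transparent form used in the Fedora steps. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that DansGuardian and Squid are chained consistently.

# Print the last active value of a "key = value" line in dansguardian.conf.
dg_value() {  # usage: dg_value KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$2" |
        tail -n 1
}

# Print the last active http_port argument in squid.conf ("3128", "127.0.0.1:3128").
squid_listen() {  # usage: squid_listen FILE
    awk '$1 == "http_port" { v = $2 } END { print v }' "$1"
}

# Print one finding per line; return 0 only when the two files agree.
check_chain() {  # usage: check_chain SQUID_CONF DANSGUARDIAN_CONF
    listen=$(squid_listen "$1")
    sport=${listen##*:}
    [ -n "$sport" ] || sport=3128   # the default the page gives for Squid
    fport=$(dg_value filterport "$2")
    pport=$(dg_value proxyport "$2")
    rc=0
    if [ "$pport" != "$sport" ]; then
        echo "FAIL: proxyport=$pport but Squid listens on $sport"; rc=1
    fi
    if [ "$fport" = "$sport" ]; then
        echo "FAIL: filterport and Squid's http_port are both $sport"; rc=1
    fi
    case $listen in
        127.0.0.1:*) ;;
        *) echo "WARN: Squid is not bound to 127.0.0.1, so clients its ACL allows can use it directly, unfiltered" ;;
    esac
    return $rc
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf 'http_port 8080\n' > "$tmp/squid_moved.conf"
printf 'http_port 127.0.0.1:3128 transparent\n' > "$tmp/squid_local.conf"
printf 'filterip =\nfilterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3128\n' > "$tmp/dg.conf"

check_chain "$tmp/squid_moved.conf" "$tmp/dg.conf" || echo "-> fix the ports before restarting"
check_chain "$tmp/squid_local.conf" "$tmp/dg.conf" && echo "-> chain is consistent"
rm -rf "$tmp"
```

On a real host, pass /etc/squid/squid.conf and /etc/dansguardian/dansguardian.conf as the two arguments before restarting the services.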

For Fedora

All of the commands are done from Terminal.

1. In Terminal log into root with the su - command and type your root password. The space and - after su are necessary to get root’s path.

su -

2. In Terminal enter the following command to install Squid.

yum install squid -y

3. Find out your DNS nameserver by entering in Terminal the following command:

cat /etc/resolv.conf

In my case the screen output showed:

nameserver 192.168.1.1

Another way you can find out your DNS nameserver is by entering from Terminal in Root:

ip route

and seeing the output on the second line.

Remember the nameserver value because you need to add it to the squid.conf file.
4. In your favorite text editor (I use gedit) open up /etc/squid/squid.conf. Find the line that says

http_port 3128

and add 127.0.0.1: before 3128 and the word transparent after 3128 so that it looks like this:

http_port 127.0.0.1:3128 transparent

5. Find the line

#cache_effective_user squid

Remove the hash mark in front of it, and under that line, add:

cache_effective_group squid

The two lines should therefore look like this:

cache_effective_user squid
cache_effective_group squid

6. At the end of the file, type

dns_nameservers

followed by a space and enter the value of the nameserver of your machine. In my case the last line looks like this:

dns_nameservers 192.168.1.1

7. Note: In Fedora 11 Preview on June 3, 2009, I also had to add to squid.conf the line:

visible_hostname myhostname

or Squid would not start.
8. Save the file and exit the text editor.
9. Go to http://dag.wieers.com/rpm/packages/dansguardian/ and download the latest Dansguardian that matches your CPU architecture, either the .i386.rpm or the .x86_64.rpm.
10. In your favorite text editor, open /etc/dansguardian/dansguardian.conf
11. Search for the word filterip and edit that line adding 127.0.0.1 after filterip = so it looks like this:

filterip = 127.0.0.1

12. Search for the words daemonuser and daemongroup. Remove the hash marks before them, and change the word ‘nobody’ between the single quote marks to the word ‘squid’. It should look like this:

daemonuser = 'squid'
daemongroup = 'squid'

13. Save the file and exit the editor program.
14. Set up iptables with the following commands:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
iptables-save > /etc/sysconfig/iptables
service iptables restart

15. Change ownership of two directories with the following commands:

chown -R squid /var/log/dansguardian
chgrp -R squid /var/log/dansguardian
chown -R squid /var/spool/squid

16. Enter the following commands:

chkconfig httpd on
chkconfig squid on
chkconfig dansguardian on
service squid start
service dansguardian start

17. If you use Gnome, enter in Terminal:

gnome-network-preferences

In the Network Proxy Preferences click on Manual proxy configuration to put a dot in the circle. Enter the value of 127.0.0.1 in the HTTP proxy section. The Port should already have the value of 8080. You need to do this in order for your browser, Yum, PackageManager, Gnome Weather, Google Earth and any other application that uses the HTTP port to be able to connect to the Internet after doing all of the above. I’m sure KDE has some similar system proxy configuration GUI.

If you get an error message that either Squid or Dansguardian could not start, the most likely reason is ownership was not set correctly as mentioned in point 6. I had to manually change ownership to Squid for it to work. The ownership was previously a number: 501.

Note that unless both Squid and Dansguardian are running after you make changes to Iptables and restart it, you won’t be able to access any Internet content at all! After Internet traffic is set with Iptables to go through Squid and Dansguardian, both must be running properly or you won’t have any Internet access whatsoever until you either fix the problem or reset Iptables as it was by default.
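
One way to avoid the lockout described above, as an added example (not part of the original post): run the iptables commands from step 14 only when something is listening on both 3128 and 8080. The function names, the sample ss -ltn output and the redirect-rules.sh script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to install the REDIRECT rules unless both daemons listen.

# Read `ss -ltn` output on stdin; print each required port that has no listener.
missing_listeners() {  # usage: ss -ltn | missing_listeners PORT...
    awk -v want="$*" '
        $1 == "LISTEN" { n = split($4, a, ":"); have[a[n]] = 1 }
        END { n = split(want, w, " ")
              for (i = 1; i <= n; i++) if (!(w[i] in have)) print w[i] }'
}

# Run the given command only when Squid (3128) and DansGuardian (8080) both listen.
guarded_apply() {  # usage: guarded_apply "SS_OUTPUT" COMMAND [ARGS...]
    snapshot=$1; shift
    missing=$(printf '%s\n' "$snapshot" | missing_listeners 3128 8080)
    if [ -n "$missing" ]; then
        echo "not applying rules, nothing listening on:" $missing >&2
        return 1
    fi
    "$@"
}

# Constructed `ss -ltn` snapshots (not captured from a real host).
BOTH_UP='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*'
SQUID_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*'

guarded_apply "$BOTH_UP" echo "would run: the iptables commands from step 14"
guarded_apply "$SQUID_ONLY" echo "would run: the iptables commands from step 14" || true
# On a live host: guarded_apply "$(ss -ltn)" sh ./redirect-rules.sh  (hypothetical script name)
```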

Dansguardian would not permit me to download even compressed files after it was up and running. I had to edit the configuration files in /etc/dansguardian/ in order to permit Dansguardian to allow the download of certain files. Specifically I put hash (#) marks in front of certain lines in /etc/dansguardian/bannedextensionlist and /etc/dansguardian/bannedmimetypelist. Of course these files can only be edited with root access and so unless one knows the root password, I do not see how anyone can undermine Dansguardian’s effectiveness.

For more detail, see the original post for Fedora: http://linux.jamesjpn.com/how-to/dansguardian-install.html

