Web-filtering with Squid, SquidGuard, and Dansguardian

(Note: this is a modified repost of a reply to this thread (Child-Proofing Linux) on Tek-Tips Forums.)

(UPDATE – This post is superceded by this one: HOWTO – Child-Proofing Internet Access on Kubuntu – use it instead.

I did this successfully, with some digging around on Google. I use Mandriva 2007 for both home PCs, one is for the kids, and I use transparent redirection in iptables so there is no browser preference modification needed (and it works on all browsers, including text-only). I installed everything from source tarballs – it was simpler to tie it all together this way. The end result – per-user proxy restrictions, so I am exempt but the kids are not, and they are time-limited to between 7am and 9pm for web access. I also get emails of blocked attempts. They do not use IM, so this only applies to web access. Several false-positives, so a little tweaking of the blacklist files might be needed… I posted a write-up on this earlier here, but I think this one goes into better detail and is a little easier to follow. Here are the steps I took:

1. Download the following (there may be newer versions, but definitely need db-2.7.7):

2. Unpack the downloaded files:

  • tar xvfz db-2.7.7.tar.gz
  • tar xvfj squid-2.6.STABLE5-20061110.tar.bz2
  • tar xvfz dansguardian-
  • tar xvfz squidGuard-1.2.0.tar.gz

3. Make user, group, and firewall rules (iptables commands may appear wrapped in two lines):

  • groupadd -r squid
  • useradd -g squid -d /var/spool/squid -s /bin/false -r squid
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
  • iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner exemptuser -j ACCEPT (change exemptuser)
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
  • iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

4. Make BerkelyDB – must be 2.x version, not newer, not older:

  • cd db-2.7.7/dist && ./configure && make && make install

5. Make squid v.2-6:

  • cd squid-2.6.STABLE5-20061110
  • ./configure --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-cachemgr-hostname=hostname --enable-arp-acl --enable-htcp --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --disable-ident-lookups --disable-internal-dns && make && make install (this is one long wrapped command from ./configure to make install)

6. Make squidGuard v.1.2:

  • cd squidGuard-1.2.0 && ./configure && make && make install

7. Make dansguardian v.2.9.8:

  • cd dansguardian-
  • mkdir /usr/local/dansguardian
  • ./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes && make && make install (./configure command is wrapped)

8. Make and configure squid directories:

  • mkdir /usr/local/squid/var/cache
  • chown -R squid:squid /usr/local/squid/var
  • chmod 0770 /usr/local/squid/var/cache
  • chmod 0770 /usr/local/squid/var/logs

9. Make and configure squidGuard directories:

  • mkdir /usr/local/squidGuard
  • mkdir /usr/local/squidGuard/log
  • chown -R squid:squid /usr/local/squidGuard/log
  • chmod 0770 /usr/local/squidGuard/log
  • mkdir /var/log/squidguard
  • touch /var/log/squidguard/squidGuard.log
  • touch /var/log/squidguard/ads.log
  • touch /var/log/squidguard/stopped.log
  • chown -R squid.squid /var/log/squidguard
  • mkdir /var/lib/squidguard
  • mkdir /var/lib/squidguard/db
  • mkdir /var/lib/squidguard/db/blacklists
  • mkdir /var/lib/squidguard/db/blacklists/ok
  • chown -R squid:squid /var/lib/squidguard

10. Make and configure dansguardian directories:

  • chown -R squid:squid /usr/local/dansguardian/var/log

11. Edit and copy configs from respective source directories:

  • cp squid.conf /usr/local/squid/etc/squid.conf
  • sample squid.conf settings:
    • http_port transparent
    • icp_port 0
    • htcp_port 0
    • redirect_program /usr/local/bin/squidGuard
    • cache_effective_user squid
    • cache_effective_group squid
    • acl all src
    • acl manager proto cache_object
    • acl localhost src
    • acl to_localhost dst
    • acl allowed_hosts src
    • acl SSL_ports port 443
    • acl Safe_ports port 80 21 443 # http ftp https
    • ##acl Safe_ports port 21 # ftp
    • ##acl Safe_ports port 443 # https
    • ##acl Safe_ports port 1025-65535 # unregistered ports
    • acl CONNECT method CONNECT
    • acl NUMCONN maxconn 5
    • acl ACLTIME time SMTWHFA 7:00-21:00
    • #http_access allow manager localhost
    • #http_access deny manager
    • http_access deny manager all
    • http_access deny !Safe_ports
    • http_access deny CONNECT !SSL_ports
    • http_access allow localhost ACLTIME
    • http_access deny NUMCONN localhost
    • #http_access allow allowed_hosts
    • http_access deny to_localhost
    • http_access deny all
    • http_reply_access allow all
    • #icp_access allow allowed_hosts
    • #icp_access allow all
    • icp_access deny all
    • visible_hostname localhost
  • cp squidGuard.conf /usr/local/squidGuard/squidGuard.conf
    • change ip gateway address in squidGuard.conf
  • cp dansguardia*.conf /usr/local/dansguardian/etc/dansguardian/
  • sample dansguardian.conf settings:
  • sample dansguardianf1.conf settings:
    • groupmode = 1
  • cp getlists.sh file to /usr/local/bin
  • cp etc-shorewall-start /etc/shorewall/start (change user name)
  • cp etc-shorewall-stop /etc/shorewall/stop (change user name)
  • cp etc-rc.local /etc/rc.local

12. Start or restart services as needed:

  • chkconfig iptables on
  • chkconfig shorewall on
  • service iptables restart
  • service shorewall restart
  • /usr/local/squid/sbin/squid -z (first-time config)
  • /usr/local/squid/sbin/squid -N -d 1 -D (test squid, kill when working fine)
  • /usr/local/squid/sbin/squid (this also runs squidGuard from "/usr/local/bin/squidGuard")
  • /usr/local/dansguardian/sbin/dansguardian
  • /usr/local/bin/getlists.sh (takes a very long time, and may need to be killed and run a couple of times)
  • /usr/local/squid/sbin/squid -k reconfigure
  • /usr/local/dansguardian/sbin/dansguardian -Q

13. Post-install testing and tweaking:

  • test with browser – should be transparent proxy surfing now, works with lynx as well
  • set up a mailer for notifications:
  • used postfix, pointed it to your mailserver.isp.domain
  • postfix needs /etc/postfix/transport and /etc/postfix/generic
  • dansguardian.conf calls it with ‘sendmail -t’ command
  • for non-authenticated use, do not set ‘by user = on’ in dansgaurdianf1.conf

14. Edit squid.conf and set up time based access, to prevent late night surfing (add the following lines):

  • acl ACLTIME time SMTWHFA 7:00-21:00 (add to the ACL section)
  • http_access allow localhost ACLTIME (add to the http_access section)

Final notes: This probably will not work exactly as posted, especially if you use newer versions than I posted, so be prepared to tweak. Read through the squid.conf, squidGuard.conf, dansguardian.conf, and dansguardianf1.conf files for other options and file locations, and refer to the University of Google for further help with options and error messages. I had to play around with configure options for a while before I could get squid to compile, so be ready to to the same, depending on your setup. This all runs on a local box, which is not used to proxy any other computers – instead, I just do not allow them to use the main computer. I sincerely hope this helps someone secure their kids’ computers. I have set this up on a friend’s home PC as well, and they are very happy with the results. Good luck!

10 Responses

  1. Its correct redirect_program?? i think no more in 2.6 version of squid…

  2. Cristian – yes, this line invokes squidGuard. If a newer version of squid 2.6 has eliminated or changed the syntax, let me know and I’ll post a correction update.

  3. Hi, after install the Dansguardian 2.9.X.X, the system service was not created automatically. so no matter “service dansguardian start” or “chkconfig –list |grep dansguardian”, also cannot find dansguardian, how can I overcome this problem?

  4. Ryan, I manually start the services in /etc/rc.local. As far as adding new services, depending on your distro, you would add a script to /etc/rc.d/init.d/ and link it to a S## link in /etc/rc.d/rc3.d/. You would also need to link the shutdown script as K## in /etc/rc.d/rc0.d/ and /etc/rc.d/rc6.d/.

    Basically. I have never done this, so Google Is Your Friend, but this *should* allow the service command to pick it up with –start, –restart, –reload, and –status options, depending on how you write the script, as well as allow chkconfig to see it. You can probably find example scripts already written. Again, Google Is Your Friend.

    If you get it working, lemme know – I would be happy to post your solution, giving you full credit, or link to your article.

    Good luck!

  5. If you have a solution for forcing dansguardian to pass the ip address to the proxy (Squid) instead of using the localhost Ip, Kindly share as I believe so many others are wondering how to go about it. I really appreciate the tutorials above

  6. Bonnie – I was scratching my head over this for a bit, but I think I know the reason behind this. Correct me if I am wrong, but you are proxying several computers and want to know which of them is trying to go to banned web sites?

    The links I found that address this indicate using the “X-Forwarded-For” header entry via the “forwarded_for =” parameter in dansguardian.conf. The links that I referred to are:

    1. http://dansguardian.org/?page=faq#c1
    2. http://linsec.ca/bin/view/Main/DansGuardian
    3. http://squid.sourceforge.net/follow_xff/ (patch for older squid versions to support this – 2.6 may already have this)

    Hope this helps!

  7. […] an MP3 From a YouTube Flash (FLV) Download…SCM SCR-331 USB Smartcard Reader – Firmware Upgrade Web-filtering with Squid, SquidGuard, and DansguardianHOWTO – Vanilla Kernel, VMware Server 1.0.8, and Kubuntu 8.04…Using DoD CAC and SmartCard […]

  8. Thank you for some other informative site. Where else may just I get that type of info written in such an ideal method? I have a undertaking that I’m just now running on, and I have been at the look out for such information.

  9. Hello, I was just reading this and thought I would take the time to write a short note to inform you all that we offer blacklists tailored specifically for Squid proxy native acl, as well as alternative formats for the most widely used third party plugins. So we invite you all to check us out. We take a great deal of pride in the fact that our works offer a higher degree of quality than the freely available options. Our lists are also compatible with UrlFilterdb.

    Blacklists Tailored For Squid Proxy – http://www.squidblacklist.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: