Dansguardian Content Filtering With Transparent Proxy On Ubuntu 9.10 Karmic

Want to support HowtoForge? Become a subscriber!
 
Submitted by av1611 (Contact Author) (Forums) on Tue, 2010-01-12 12:09. :: Ubuntu | Security

Dansguardian Content Filtering With Transparent Proxy On Ubuntu 9.10 Karmic

This tutorial explains how you can add content filtering to an existing Ubuntu 9.10 system, and how you can prevent users from bypassing the filtering system. We will use Dansguardian content filtering to set up a transparent proxy.

Objectives:

1. Add content filtering to an existing Ubuntu system.
2. Prevent users from bypassing the filtering system.

 

Software:

Open a terminal and type:

user@system:~$ sudo apt-get install iptables dansguardian squid

 

Configuration:

1. Squid

Open a terminal and type:

user@system:~$ sudo gedit /etc/squid/squid.conf

Change this line:

http_port 3128

to

http_port 3128 transparent

Save the file, then open a terminal and type:

user@system:~$ sudo /etc/init.d/squid restart

 

2. Dansguardian

Open a terminal and type:

user@system:~$ sudo gedit /etc/dansguardian/dansguardian.conf

Change this line:

UNCONFIGURED

to:

#UNCONFIGURED

Save file then open a terminal and type:

user@system:~$ sudo /etc/init.d/dansguardian start

 

3. Test Proxy

Open Firefox.

Go to http://tits.com or any other known bad site.

The site should display.

Now in Firefox select:

Edit > Preferences > Advanced > Connection > Settings

Select Manual proxy configuration.

In the HTTP Proxy box type: 127.0.0.1 Port: 8080
Place a check in the box labeled Use this proxy server for all protocols.

Click OK then Close.

Go to http://google.com and Google should be displayed. Click Refresh and verify it's still working.

Go to http://tits.com or any other known bad site.

The site should show as blocked. You may have to hit refresh for this to work.

At this point, the proxy is working.

Now in Firefox select:

Edit > Preferences > Advanced > Connection > Settings

Select No proxy.

Click OK then Close.

 

4. Test iptables

iptables is the firewall for Ubuntu. If you are using a firewall front end such as shorewall, etc. then you will have to adapt the concept below to your particular configuration. On a clean install of Ubuntu, this will work as written.

Open a terminal and type:

user@system:~$ sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 8080

This tells the firewall that outgoing web requests that are made by anyone other than the proxy should be redirected to the proxy

Open Firefox:

Go to http://tits.com or any other known bad site.

The site should show as blocked. If so, the firewall is correctly configured as a transparent proxy.

Now, to make the changes permanent:

Open a terminal and type:

user@system:~$ sudo gedit /etc/init.d/tproxy

Add this line:

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 8080

Save and exit.

Issue this command to make the file executable:

user@system:~$ sudo chmod a+x /etc/init.d/tproxy

Issue this command to make the above script run at startup:

user@system:~$ sudo update-rc.d tproxy

That's it.

http://www.tranquilpenguin.com


Copyright (c) 2010 Osprey
Permission is granted to copy, distribute and/or modify the content of
this page under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is available at http://www.gnu.org/licenses/fdl.html
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Last step
Submitted by Feanor (not registered) on Thu, 2010-05-27 00:15.

I've gone through the article step by step, and everything seems to work except for the last step: when I type I've gone through the article step by step, and everything seems to work except for the last step: when I type "sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 8080" it doesn't block the page like it did when I manually entered the proxy info (if it helps, when I entered the proxy info in Firefox, I had to use my server's ip address instead of 127.0.0.1).

 Great article by the way, I hope to get my proxy server working soon!

 Ben

reply | view as pdf view as pdf
Changing browser proxy to 127.0.0.1:3128 bypasses DG ??
Submitted by Paul (not registered) on Sat, 2010-05-22 11:11.

Any tricks to stop users changing their proxy settings to local port 3128 ?


reply | view as pdf view as pdf
Re: Changing browser proxy to 127.0.0.1:3128 bypasses DG ??
Submitted by Phil (not registered) on Thu, 2011-02-03 15:24.

Bit of a late reply but...

If your proxy machine is remote from the desktop using it you can simply block access to port 3128 from anything other than the localhost so thats quite simple.

You post implies you're using this squid & dansguardian on the same machine from which browsing is taking place.

In that scenario I can confirm, if you only set up the iptables rule above and set proxy in browser to 127.0.0.1 3128 it bypasses dansguardian.

 The solution is to add the following iptables rule:

 iptables -t filter -A OUTPUT --protocol tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT

This adds a packet filter that says, if any packet is sent to destination port 3128 and it is NOT owned by dansguardian then reject it. In short, a normal user trying to connect to squid directly on localhost gets rejected where as the dansguardian user is permitted. 

reply | view as pdf view as pdf
shell script
Submitted by Anonymous (not registered) on Tue, 2010-03-30 04:22.
I finished the shell script I mentioned in my last comment. I can't see how to add a link so here is the url: http://docs.google.com/leaf?id=0B7_pLr7oL6x2ODQ2YmRlMjctMzBiNy00MWI3LWI0YzgtNzJiMjJhYTQ1YmVj&hl=en just download and save to a directory then type: sudo bash dansguardian-transparent-config.sh I discuss it a little more on my blog. http://waytolinux.blogspot.com/2010/03/setting-up-dansguarian-parental-filter.html
reply | view as pdf view as pdf
update-rc.d command syntax correction
Submitted by oatkinson (not registered) on Mon, 2010-03-29 14:36.

The last command needs to be changed to

 sudo update-rc.d tproxy defaults

The latest version seems to require the defaults parameter.  When I get a chance I am going to write a script that does all of this automatically but I have to get the search and replaces right.  I will post it here when I get it done.  Thanks for this great resource, it has saved me tons of time.

 

reply | view as pdf view as pdf
Wrong port
Submitted by Anonymous (not registered) on Mon, 2010-01-18 17:50.
Correct line in Squid to match your setup is "http_port 8080 transparent"
reply | view as pdf view as pdf
Re: Wrong port
Submitted by Osprey (not registered) on Fri, 2010-03-26 17:08.

Um... I've been doing this setup for customers for a while... the doc works for me as written. Here is one issue I do have, however:

 If you go to google videos you can view pron there as long as it's portaled through them. How can I stop it :(

 

reply | view as pdf view as pdf
Re: Wrong port
Submitted by Anonymous proxy (not registered) on Tue, 2010-01-19 16:59.
Actually the configuration is correct. The port 8080 is used by Dansguardian whom forwards traffic to squid on 3128. All clients are connected to 8080 by iptables rules.
reply | view as pdf view as pdf
Re: Re: Wrong port
Submitted by Overcast (not registered) on Sat, 2010-02-13 03:27.
Confirmed, that port is for the 'backend' of dansguardian to talk to squid, then the users hit 8080 through dansguardian - this works, as is perfectly on Ubuntu 9.04 and Ubuntu 9.10
reply | view as pdf view as pdf