Comments on Dansguardian Content Filtering With Transparent Proxy On Ubuntu 9.10 Karmic

Correct line in Squid to match your setup is "http_port 8080 transparent"

Actually the configuration is correct. The port 8080 is used by Dansguardian whom forwards traffic to squid on 3128. All clients are connected to 8080 by iptables rules.

Confirmed, that port is for the 'backend' of dansguardian to talk to squid, then the users hit 8080 through dansguardian - this works, as is perfectly on Ubuntu 9.04 and Ubuntu 9.10

Works perfect on Ubuntu Server 11.10 - Thanx ;-)

Um... I've been doing this setup for customers for a while... the doc works for me as written. Here is one issue I do have, however:

 If you go to google videos you can view pron there as long as it's portaled through them. How can I stop it :(

The last command needs to be changed to

 sudo update-rc.d tproxy defaults

The latest version seems to require the defaults parameter.  When I get a chance I am going to write a script that does all of this automatically but I have to get the search and replaces right.  I will post it here when I get it done.  Thanks for this great resource, it has saved me tons of time.

I finished the shell script I mentioned in my last comment. I can't see how to add a link so here is the url: http://docs.google.com/leaf?id=0B7_pLr7oL6x2ODQ2YmRlMjctMzBiNy00MWI3LWI0YzgtNzJiMjJhYTQ1YmVj&hl=en just download and save to a directory then type: sudo bash dansguardian-transparent-config.sh I discuss it a little more on my blog. http://waytolinux.blogspot.com/2010/03/setting-up-dansguarian-parental-filter.html

Any tricks to stop users changing their proxy settings to local port 3128 ?

Bit of a late reply but...

If your proxy machine is remote from the desktop using it you can simply block access to port 3128 from anything other than the localhost so thats quite simple.

You post implies you're using this squid & dansguardian on the same machine from which browsing is taking place.

In that scenario I can confirm, if you only set up the iptables rule above and set proxy in browser to 127.0.0.1 3128 it bypasses dansguardian.

 The solution is to add the following iptables rule:

 iptables -t filter -A OUTPUT --protocol tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT

This adds a packet filter that says, if any packet is sent to destination port 3128 and it is NOT owned by dansguardian then reject it. In short, a normal user trying to connect to squid directly on localhost gets rejected where as the dansguardian user is permitted. 

I've gone through the article step by step, and everything seems to work except for the last step: when I type I've gone through the article step by step, and everything seems to work except for the last step: when I type "sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 8080" it doesn't block the page like it did when I manually entered the proxy info (if it helps, when I entered the proxy info in Firefox, I had to use my server's ip address instead of 127.0.0.1).

 Great article by the way, I hope to get my proxy server working soon!

 Ben

Thanks for the tutorial.

I tried it, but I found that it works fine if you browse from the local machine where squid and dansguard installed, from the other machine, it does not work 

This is not a "transparent proxy"!  In a transparent proxy you do not need to adjust the browsers on the workstations, just put dansguardian and squid on the gw server to you network and then point internal servers to that IP as their default route and ALL port 80 traffic is routed to that server and cannot avoid dansguardian.  The users don't have access to the gateway box and must access from a workstation.  That's what the mean when they say "Transparent". 

After IP table change, even google stopped working.

Please help

after setting up even google is not working anymore, any guide for ubuntu 14.04?