How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

This how-to describes how to install and configure Dansguardian with multi-group filtering, Squid with NTLM auth, ipmasq, and dnsmasq to provide a full internet gateway solution for small to medium sized networks. It requires two NICs in order to perform firewalling and transparent proxying.

Install Debian Etch with the base system only.


Configure the base system

This how-to assumes you have the following configured:

eth0 with a static or dynamic IP as the external NIC and eth1 with the static address of 192.168.1.1/24 as the internal NIC

The base system install does not install SSH so we will do that now.

apt-get install ssh openssh-server

Now that SSH is installed you can finish the rest of this how-to from within an SSH session if you wish.

ClamAV in Etch has a bug that makes Dansguardian take a very long time to start. We are going to configure Apt to get a newer version of ClamAV from Debian Backports to avoid this.

Edit /etc/apt/sources.list and add the following lines:

deb http://download.webmin.com/download/repository sarge contrib
deb http://www.backports.org/debian etch-backports main contrib non-free

Adding the following to /etc/apt/preferences tells Apt to take only the ClamAV packages from backports.org.
Note: If a version of ClamAV newer than 0.91.2 that fixes the bug is released for Etch, you may not have to perform this step.

Edit /etc/apt/preferences and enter the following:

Package: clamav
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-base
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-freshclam
Pin: release a=etch-backports
Pin-Priority: 999

Package: libclamav2
Pin: release a=etch-backports
Pin-Priority: 999

Each stanza must be separated from the next by a blank line, otherwise Apt will not parse the file correctly.

Update Apt, install some software, and configure Kerberos...

apt-get update
apt-get install debian-backports-keyring
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

You will be asked the following questions:

Note: The answers to these questions are case sensitive. You must answer them as in the example below.

Please specify the workgroup you want this server to appear to be in when queried by clients. <-- EXAMPLEDOMAIN

Modify smb.conf to use WINS settings from DHCP? <-- No

Kerberos servers for your realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

Administrative server for your Kerberos realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

dpkg-reconfigure krb5-config

You will be asked a few more questions.

Default Kerberos version 5 realm: <-- EXAMPLEDOMAIN.LOCAL

Does DNS contain pointers to your realm's Kerberos Servers? <-- Yes


Configure resolvconf and dnsmasq

Many internet connections are dynamic, and when pppd or the DHCP client rewrites the DNS server list the domain controller can drop out of it, which causes Kerberos to fail. We installed resolvconf earlier to help solve this problem.

Edit /etc/resolvconf/resolv.conf.d/head and add search exampledomain.local on line 3.

DNSmasq is a small DNS forwarder and DHCP server which integrates with resolvconf.

We need to verify that we have the right name servers in /var/run/dnsmasq/resolv.conf. Edit it to look like the example below.

nameserver <IP of domain controller>
nameserver <IP of primary ISP DNS server>
nameserver <IP of secondary ISP DNS server>

DNSmasq's config file needs to be modified for best performance and security. Edit /etc/dnsmasq.conf and make the necessary changes listed below.

nano -c /etc/dnsmasq.conf

Uncomment lines 14 and 16.
Uncomment line 71 and add eth0 to the end of the line.

Currently dnsmasq's DHCP feature is disabled but if you would like to use this feature then I would suggest starting at line 100 as the DHCP options start there. There are also some advanced options for DNS starting on line 307, such as configuring MX records and the like. Many more options are available but are beyond the scope of this how-to.
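The two checks a gateway admin actually wants after this section are that the domain controller is the first nameserver dnsmasq forwards to (Active Directory SRV lookups for Kerberos and LDAP must reach the DC, not the ISP resolver) and that dnsmasq is not serving the external NIC. The script below is an added example, not part of the original how-to; it checks by option name rather than line number, so it does not depend on the Etch file layout. It assumes eth0 is the external interface, that the domain controller's address is the one you pass in, and that the standard dnsmasq option names domain-needed, bogus-priv and except-interface are the ones being uncommented. The sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original how-to): sanity checks for the
# gateway's DNS setup. Assumptions: eth0 is the external NIC, the DC
# address is given as an argument, and the option names are dnsmasq's
# standard domain-needed / bogus-priv / except-interface.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed resolv.conf samples: the DC must come first so AD SRV
# lookups go to it before the ISP resolvers.
cat > "$WORK/resolv.good" <<'EOF'
nameserver 192.168.1.10
nameserver 203.0.113.53
nameserver 203.0.113.54
EOF
cat > "$WORK/resolv.bad" <<'EOF'
nameserver 203.0.113.53
nameserver 192.168.1.10
EOF

# dc_first FILE DC_IP : succeed when the first nameserver line is the DC
dc_first() {
    first=$(awk '$1=="nameserver"{print $2; exit}' "$1")
    [ "$first" = "$2" ]
}

# Constructed dnsmasq.conf samples. An option counts as set only when it
# starts the line without a leading '#'.
cat > "$WORK/dnsmasq.good" <<'EOF'
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces
bogus-priv
# Do not answer DNS/DHCP on the external NIC
except-interface=eth0
EOF
cat > "$WORK/dnsmasq.bad" <<'EOF'
#domain-needed
#bogus-priv
#except-interface=
EOF

# opt_set FILE OPTION : option present and not commented out
opt_set() {
    grep -Eq "^[[:space:]]*$2([[:space:]]*$|=)" "$1"
}

# dnsmasq_hardened FILE EXT_IF : all three recommended settings active,
# with the external interface excluded from service
dnsmasq_hardened() {
    opt_set "$1" domain-needed &&
    opt_set "$1" bogus-priv &&
    grep -Eq "^[[:space:]]*except-interface=$2([[:space:]]|,|$)" "$1"
}

# Demonstration run over the constructed files
for f in good bad; do
    if dc_first "$WORK/resolv.$f" 192.168.1.10; then
        echo "resolv.$f: domain controller is first"
    else
        echo "resolv.$f: domain controller is NOT first"
    fi
    if dnsmasq_hardened "$WORK/dnsmasq.$f" eth0; then
        echo "dnsmasq.$f: hardened"
    else
        echo "dnsmasq.$f: needs attention"
    fi
done
```

On the real gateway, point dc_first at /var/run/dnsmasq/resolv.conf and dnsmasq_hardened at /etc/dnsmasq.conf; a failing except-interface check means the forwarder is reachable from the internet side, which is exactly what this section is trying to prevent.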


Set the domain controller as the time server

nano -c /etc/ntp.conf

Comment out lines 19 through 22 of /etc/ntp.conf and insert the following on line 23:

server domaincontroller.exampledomain.local iburst


Configure Samba and join the domain

First make a copy of your /etc/samba/smb.conf and then edit it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano -c /etc/samba/smb.conf

On line 53, enter interfaces = 192.168.1.1/255.255.255.0 so that Samba listens only on the internal NIC.
Uncomment line 59.
Uncomment line 91 and change it to security = ads.
Uncomment lines 204 and 205.
Add the following lines before line 217:

winbind trusted domains only = yes
realm = EXAMPLEDOMAIN.LOCAL
winbind cache time = 3600

Synchronize the time with the domain controller, then restart samba and winbind (Kerberos will refuse tickets if the clocks are too far apart).

net time set -S domaincontroller
/etc/init.d/samba restart
/etc/init.d/winbind restart

Now join the domain:

net ads join -U Administrator

If all went well, the following commands should succeed.

wbinfo -t

The output should be "checking the trust secret via RPC calls succeeded"

wbinfo -u

This should list all users in the domain.

wbinfo -g

This should list all of the groups in the domain.
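Before trusting the join, it is worth confirming that smb.conf really contains the settings this section asked for (security = ads, a realm, and Samba bound to the internal network only) and that wbinfo -t reported success. The script below is an added example, not part of the original how-to. It assumes the internal NIC is 192.168.1.1/24 and the realm is EXAMPLEDOMAIN.LOCAL as in the text; the smb.conf fragments and the wbinfo output strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original how-to): post-join checks for the
# Samba/winbind configuration. Assumes internal NIC 192.168.1.1/24 and
# realm EXAMPLEDOMAIN.LOCAL as in the how-to.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed smb.conf fragment with the values the how-to sets.
cat > "$WORK/smb.good" <<'EOF'
[global]
   workgroup = EXAMPLEDOMAIN
;   interfaces = 127.0.0.0/8 eth0
   interfaces = 192.168.1.1/255.255.255.0
   security = ads
   realm = EXAMPLEDOMAIN.LOCAL
   winbind trusted domains only = yes
   winbind cache time = 3600
EOF
# Constructed fragment still at the defaults: no interface restriction,
# so shares would be offered on the external NIC too, and no AD mode.
cat > "$WORK/smb.bad" <<'EOF'
[global]
   workgroup = EXAMPLEDOMAIN
;   interfaces = 127.0.0.0/8 eth0
;   security = ads
   security = user
EOF

# smb_param FILE KEY : print the value of an active (uncommented)
# parameter; the last definition wins, as in Samba itself.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                       # comment line
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# smb_ready FILE : ADS security, a realm, and binding to the internal net only
smb_ready() {
    [ "$(smb_param "$1" security)" = "ads" ] &&
    [ -n "$(smb_param "$1" realm)" ] &&
    [ "$(smb_param "$1" interfaces)" = "192.168.1.1/255.255.255.0" ]
}

# trust_ok OUTPUT : true when the text of `wbinfo -t` reports success
trust_ok() {
    case "$1" in
        *succeeded*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed stand-ins for `wbinfo -t` output
WB_GOOD="checking the trust secret via RPC calls succeeded"
WB_BAD="checking the trust secret for domain EXAMPLEDOMAIN via RPC calls failed"

# Demonstration run
for f in good bad; do
    if smb_ready "$WORK/smb.$f"; then
        echo "smb.$f: ok"
    else
        echo "smb.$f: needs attention"
    fi
done
trust_ok "$WB_GOOD" && echo "trust check: succeeded"
trust_ok "$WB_BAD"  || echo "trust check: failed"
# On the gateway itself:  smb_ready /etc/samba/smb.conf && trust_ok "$(wbinfo -t)"
```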


Comments

From: muncom, free online store at: 2009-06-22 22:25:05

Hi, can you make auth from different groups to manage differential bandwidth for each group?

thanks in advance


From: Jose Perez at: 2009-08-08 16:03:18

Is it possible that you specify the contents of the lines that need to be changed/uncommented and not just the line numbers?


Great guide otherwise.

From: Robert at: 2010-06-07 23:05:59

This is a nonsense tutorial.

Just writing "modify this line number, that line number" is nonsense.

Files may change between versions and the tutorial becomes useless.

Copying each modification instead would make the tutorial usable with different file versions as well.


Kind regards


R.

From: Anonymous at: 2010-11-16 09:43:16

absolute nonsense


etch is now defunct and the line numbers DO NOT align with those in lenny


Please update the tutorial for Debian Lenny.

From: at: 2009-03-27 12:17:54

First, this was very helpful and I appreciate the info, but I ran into two problems. First, I could no longer log in to a secure website as the Java applet would not load.


After searching google and trying different things this seemed to work:


In /etc/squid/squid.conf
#added for java
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_13 jupload/0.87
http_access allow Java


I think they need to be before "acl ntlm_auth proxy_auth REQUIRED" line.


The second thing is /etc/dansguardian/lists/exceptioniplist, because all the IPs are 127.0.0.1. I am not sure how to fix this problem yet.


Thanks again.  It is great to have filter groups working!

From: Anonymous at: 2009-09-23 08:17:19

This howto is great, but needs to be updated with at least the exact configuration parameters that need to be changed instead of "uncomment/change line 123", because default conf files of squid, samba, dansguardian change with release versions.


To be more specific, I am trying this on Debian Lenny and having trouble working out what exactly needs to be changed in the Samba and Squid configurations.

From: Squidblacklist at: 2014-08-26 21:42:45

Allow me to introduce a better blacklist. We are Squidblacklist.org, the world's leading publisher of native ACL blacklists tailored specifically for use with Squid proxy, and we also publish multiple alternative formats for all major third-party plugins as well as many other filtering platforms, such as UFDBGuard and Barracuda Networks devices.

There is room for better blacklists, we intend to fill that gap.


It would be our pleasure to serve you.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org