This post is dedicated to the Children of Ubuntu
As a parent you might wish to restrict your children's access to certain web sites (pr0n). In this tutorial I will demonstrate how to do this as easily as possible, without the need to manually maintain white and black lists. The combined use of dansguardian + privoxy is easy to configure, and a few “simple” iptables rules lock down the web access.
The key thing to understand is that dansguardian needs another proxy server behind it. Most tutorials use squid, which, although full featured, is IMO complex and a bit of overkill.
Privoxy is easier than squid to configure and has additional features including privacy and ad blocking capabilities.
As an alternate to this tutorial you could consider or squid + dansguardian. This option does not offer either the ad blocking or privacy of Privoxy, although you may add SquidGuard. IMO, squid is both a bit of overkill and takes more time to configure.
If you are interested in SquidGuard see :
Dansguardian = content filtering made easy.
Privoxy = adblock + additional privacy (compared to squid) + (IMO) easier to configure.
Step 1 : Install Dansguardian + privoxy
sudo apt-get -y install privoxy dansguardian
Step 2: Configure privoxy
Using any editor, open /etc/privoxy/config
sudo nano /etc/privoxy/config
Edit the following lines:
I know, same thing, but privoxy as a parent proxy does not like localhost, it will refuse connections.
sudo service privoxy force-reload
Step 3: Configure dansguardian
Using any editor, open /etc/dansguardian/dansguardian.conf
Remove the line
UNCONFIGURED - Please remove this line after configuration
near the top of the file.
By default dansguardian uses squid as its parent proxy; change the proxy port to the one privoxy listens on:
proxyport = 8118
sudo service dansguardian start
Step 5: Configure iptables
Now, for the icing on the cake, add a few rules to iptables
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP
For those not familiar with iptables:
The first line allows root (needed for apt-get …)
The second line allows privoxy to connect to ports 80 and 443
The third line blocks ports 80 and 443 for everyone else.
The fourth line allows dansguardian to connect to privoxy.
The fifth line allows bodhi (parents) to connect to privoxy, thus circumventing dansguardian.
Obviously change “bodhi” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.
The last line blocks all other connections to privoxy.
Parents can surf the web, with adblock, but without dansguardian by pointing firefox to port 8118
Children can surf the web + adblock + dansguardian by pointing firefox to port 8080
Obviously parents and children should have unique login accounts.
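The rules are evaluated top to bottom and the first match wins, which is why extra parent accounts have to go before the final DROP. The script below is an added example, not part of the original tutorial: it replays the Step 5 rules as text for a given user, interface and port. The users `kid` and `alice`, the interface `eth0` and the default ACCEPT policy are assumptions.

```shell
#!/bin/bash
# First-match evaluation of the tutorial's OUTPUT rules (added example).
# RULES is constructed sample input: the six rules from Step 5 plus one
# mistake, a second parent ("alice", hypothetical) appended after the DROP.
RULES='-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -j DROP
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner alice -j ACCEPT'

# verdict USER IFACE DPORT -> prints the target of the first matching rule,
# or ACCEPT (the default OUTPUT policy assumed here) if no rule matches.
# Only TCP is modelled; user names are compared as plain strings.
verdict() {
  printf '%s\n' "$RULES" | awk -v user="$1" -v iface="$2" -v dport="$3" '
    $1 == "-A" && $2 == "OUTPUT" {
      match_ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--uid-owner" && $(i+1) != user)  match_ok = 0
        if ($i == "-o"          && $(i+1) != iface) match_ok = 0
        if ($i == "--dport"     && $(i+1) != dport) match_ok = 0
        if ($i == "--dports") {          # comma-separated multiport list
          n = split($(i+1), ports, ","); hit = 0
          for (k = 1; k <= n; k++) if (ports[k] == dport) hit = 1
          if (!hit) match_ok = 0
        }
        if ($i == "-j") target = $(i+1)
      }
      if (match_ok && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print "ACCEPT" }'
}

# Who may talk to privoxy directly on the loopback interface?
for who in dansguardian bodhi alice kid; do
  printf '%-12s lo:8118 -> %s\n' "$who" "$(verdict "$who" lo 8118)"
done
```

`alice` is dropped even though an ACCEPT rule names her, because that rule sits after the catch-all DROP and is never reached.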
Step 6: Configure your iptables settings to be active at boot
Iptables – Use this section if you DO NOT use UFW
Save your settings:
sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"
Using any editor, open /etc/rc.local and add the following line (above exit 0)
UFW – Use this section if you use UFW
Or if you use ufw …
Using any editor open /etc/ufw/before.rules
1. Comment out the line (near the top of the file):
#-A ufw-before-output -o lo -j ACCEPT
At the bottom of the file, above the “COMMIT” line, add:
# Rules for Dansguardian
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
To configure Firefox to use a proxy :
Edit -> Preferences
Click on the “Advanced” tab at the top right
Click on the “Network” tab at the upper left (underneath “General” and “Tabs” )
Click the “Settings” tab on the Right …
Select “Manual proxy configuration”
Under HTTP Proxy enter localhost
Under HTTP Port enter 8080 for dansguardian (Children) or 8118 for privoxy (Parents)
Check off the “Use this proxy server for all protocols”
If you wish to set a proxy for command line applications (wget, curl, etc), put this in ~/.bashrc (at the end of the file)
Children: export http_proxy='localhost:8080'
Parents: export http_proxy='localhost:8118'