Web content filtering made easy

This post is dedicated to the Children of Ubuntu

As a parent you might wish to restrict your children's access to certain web sites (pr0n). In this tutorial I will demonstrate how to do this as easily as possible, without the need to manually maintain white and black lists. The combination of dansguardian + privoxy is easy to configure, and a few “simple” iptables rules lock down the web access.

The key thing to understand is that dansguardian needs another proxy server. Most tutorials use squid, which is full featured but, IMO, complex and a bit of overkill.

Privoxy is easier than squid to configure and has additional features including privacy and ad blocking capabilities.

As an alternative to this tutorial you could consider squid + dansguardian. This option offers neither the ad blocking nor the privacy of Privoxy, although you may add SquidGuard. IMO, squid is both a bit of overkill and takes more time to configure.

If you are interested in SquidGuard, see:

Ubuntu Wiki SquidGuard

Dansguardian = content filtering made easy.
Privoxy = adblock + additional privacy (compared to squid) + (IMO) easier to configure.

Step 1 : Install Dansguardian + privoxy

sudo apt-get -y install privoxy dansguardian

Step 2: Configure privoxy

Using any editor, open /etc/privoxy/config

sudo nano /etc/privoxy/config

Edit the following lines:

Change:

listen-address localhost:8118

To:

listen-address 127.0.0.1:8118

I know, it is the same thing, but privoxy as a parent proxy does not like localhost; it will refuse connections.

Restart privoxy

sudo service privoxy force-reload

Step 3: Configure dansguardian

Using any editor, open /etc/dansguardian/dansguardian.conf

Remove the line

UNCONFIGURED - Please remove this line after configuration

near the top of the file.

By default dansguardian uses squid as its parent proxy; change the proxy port to the one privoxy listens on:

proxyport = 8118

Start dansguardian

sudo service dansguardian start

Step 5: Configure iptables

Now, for the icing on the cake, add a few rules to iptables

sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP

For those not familiar with iptables:

The first line allows root (needed for apt-get …)

The second line allows privoxy to connect to ports 80 and 443
The third line blocks everyone but privoxy

The fourth line allows dansguardian to connect to privoxy.
The fifth line allows bodhi (parents) to connect to privoxy, thus circumventing dansguardian.
Obviously change “bodhi” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.

The last line blocks all other connections to privoxy.

Parents can surf the web, with adblock, but without dansguardian by pointing firefox to port 8118
Children can surf the web + adblock + dansguardian by pointing firefox to port 8080

Obviously parents and children should have unique login accounts.
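
The rule order explained above can be checked without touching a live firewall. This added example (not part of the original post) is a small first-match evaluator over a constructed copy of the six rules; the accounts kid and mum, the interface name eth0 and a default OUTPUT policy of ACCEPT are assumptions.

```bash
#!/usr/bin/env bash
# Constructed copy of the six Step 5 OUTPUT rules, in iptables-save syntax.
RULES='-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 8118 -j DROP'

# verdict USER OUT_IF DPORT [RULES]
# Walks the rules top to bottom and prints the target of the first rule whose
# conditions all match. Only -o, --dport, --dports and --uid-owner are
# evaluated; other words (-p tcp, -m owner, ...) are skipped.
verdict() {
  local user="$1" oif="$2" dport="$3" rules="${4:-$RULES}" line ok target
  while IFS= read -r line; do
    set -- $line                      # split the rule into words
    ok=1; target=
    while [ $# -gt 0 ]; do
      case "$1" in
        --uid-owner) [ "$2" = "$user" ]  || ok=0; shift ;;
        -o)          [ "$2" = "$oif" ]   || ok=0; shift ;;
        --dport)     [ "$2" = "$dport" ] || ok=0; shift ;;
        --dports)    case ",$2," in *",$dport,"*) ;; *) ok=0 ;; esac; shift ;;
        -j)          target="$2"; shift ;;
      esac
      shift
    done
    if [ "$ok" = 1 ] && [ -n "$target" ]; then echo "$target"; return 0; fi
  done <<EOF
$rules
EOF
  echo ACCEPT   # assumption: the OUTPUT chain policy is the default ACCEPT
}

# "kid" is a hypothetical child account; "mum" a hypothetical second parent.
# eth0 is a hypothetical name for the outward-facing interface.
LATE="$RULES
-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner mum -j ACCEPT"

for q in "kid eth0 443" "kid lo 8118" "kid lo 8080" "bodhi lo 8118"; do
  printf '%-14s -> %s\n' "$q" "$(verdict $q)"
done
printf 'mum appended after the DROP -> %s\n' "$(verdict mum lo 8118 "$LATE")"
```

The last line of output shows a parent rule appended after the final DROP being shadowed by it, while the same rule placed ahead of the DROP yields ACCEPT.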

Step 6: Configure your iptables settings to be active at boot

Iptables – Use this section if you DO NOT use UFW

Save your settings:

sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"

Using any editor, open /etc/rc.local and add the following line (above exit 0)

iptables-restore < /etc/dansguardian/iptables.save

exit 0

UFW – Use this section if you use UFW

Using any editor, open /etc/ufw/before.rules

Comment out the line (near the top of the file):

#-A ufw-before-output -o lo -j ACCEPT

At the bottom of the file, above the “COMMIT” line, add:

# Rules for Dansguardian

-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

To configure Firefox to use a proxy :

Edit -> Preferences
Click on the “Advanced” tab at the top right
Click on the “Network” tab at the upper left (underneath “General” and “Tabs” )
Click the “Settings” tab on the Right …

Firefox Network Options

Select “Manual proxy configuration”
Under HTTP Proxy enter localhost
Under HTTP Port enter 8080 for dansguardian (Children) or 8118 for privoxy (Parents)
Check off the “Use this proxy server for all protocols”

Proxy options

If you wish to set a proxy for command line applications (wget, curl, etc), put this in ~/.bashrc (at the end of the file)

Children: export http_proxy='localhost:8080'
Parents: export http_proxy='localhost:8118'


62 Responses to Web content filtering made easy

  1. bodhi.zazen says:

    @Bob – yes you can do that, you have to allow the owner/group access. If it is not working either you have the owner / group wrong or you need to add a rule earlier in iptables (order of your rules is important).

  2. Bob says:

    Thanks for the reply, I flushed the iptables rules to start again. Then did

    sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner gpodder -j ACCEPT

    and got:

    iptables v1.4.12: owner: Bad value for "--uid-owner" option: "gpodder"
    Try `iptables -h' or 'iptables --help' for more information.

    is it something other than “gpodder” I need to put here?

  3. Bob says:

    Seem to have got this working now. For anyone interested: I flushed the iptables, then created a new group “sudo addgroup gpodder” followed by “sudo usermod child_username -G gpodder”, then added the gpodder application to this new group: “sudo chgrp gpodder /usr/bin/gpodder”. Now after your second line of iptables commands I did “sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --gid-owner gpodder -j ACCEPT” to allow access to this gpodder group and it seemed to work. I can’t see why setting the http_proxy variables for gpodder method didn’t work for gpodder, but there you go.

  4. bodhi.zazen says:

    @Bob – Congrats and thank you for taking the time to post your solution. Looks as if this has been a great learning opportunity for you.

  5. Bob says:

    @bodhi.zazen one thing I don’t understand is why that line works for privoxy out of the box? Why doesn’t one have to create a group for privoxy to employ that line? also why uid (user id) not gid (group id), I mean privoxy is not a user…so why does “uid-owner privoxy” work?

  6. Nathan says:

    I can’t get the IPtables working; whenever I run the commands to config the tables, dansguardian no longer works. I also posted about it here as well:

    http://ubuntuforums.org/showthread.php?t=2126356&p=12560943#post12560943

    This link also has a picture of the error I’m receiving

  7. Nathan says:

    I’m having a problem with the iptables,

    Without them I can access the web, dansguardian filters out ads/porn, but with them I get a privoxy error. Here is a link to the error:

    http://ubuntuforums.org/showthread.php?t=2126356&p=12560943#post12560943

  10. luke says:

    Hi

    My kids are now old enough that I don’t need dansguardian and privoxy now.
    I used your settings including transparency and speeding up privoxy.
    How do I completely uninstall dansguardian and privoxy please?

    Thanks
    Luke.

  11. bodhi.zazen says:

    @luke – Remove the packages, clear your settings in your browser(s) to not use a proxy, and clear iptables.

  12. Ikem says:

    > The forth line allows dansguardian to connect to _privoyx_.

    > _Privoyx_ is easier than squid to configure

    > The forth line allows dansguardian to connect to _privoyx_.

    You misspelled “Privoxy” several times.
