Web content filtering made easy

This post is dedicated to the Children of Ubuntu

As a parent you might wish to restrict your children's access to certain web sites (pr0n). In this tutorial I will demonstrate how to do this as easily as possible, without the need to manually maintain white and black lists. The combination of dansguardian + privoxy is easy to configure, and a few “simple” iptables rules lock down web access.

The key thing to understand is that dansguardian needs another proxy server behind it. Most tutorials use squid; although squid is full featured, IMO it is complex and a bit of overkill.

Privoxy is easier than squid to configure and has additional features, including privacy and ad blocking capabilities.

As an alternative to this tutorial you could consider squid + dansguardian. That option offers neither the ad blocking nor the privacy features of Privoxy, although you may add SquidGuard. IMO, squid is a bit of overkill and takes more time to configure.

If you are interested in SquidGuard see :

Ubuntu Wiki SquidGuard

Dansguardian = content filtering made easy.
Privoxy = adblock + additional privacy (compared to squid) + (IMO) easier to configure.

Step 1 : Install Dansguardian + privoxy

sudo apt-get -y install privoxy dansguardian

Step 2: Configure privoxy

Using any editor, open /etc/privoxy/config

sudo nano /etc/privoxy/config

Edit the following lines:

Change:

listen-address localhost:8118

To:

listen-address 127.0.0.1:8118

I know, same thing, but privoxy as a parent proxy does not like localhost; it will refuse connections.

Restart privoxy

sudo service privoxy force-reload

Step 3: Configure dansguardian

Using any editor, open /etc/dansguardian/dansguardian.conf

Remove the line

UNCONFIGURED - Please remove this line after configuration

near the top of the file.

By default dansguardian is configured for squid; change the proxy port to privoxy's:

proxyport = 8118

Start dansguardian

sudo service dansguardian start
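Before moving on to the firewall rules, it is worth confirming that the two config edits from steps 2 and 3 actually took. The following shell script is an added example, not part of the original post or of either project: it checks a privoxy config for the 127.0.0.1:8118 listen-address and a dansguardian.conf for the removed UNCONFIGURED marker and proxyport = 8118, and it builds constructed sample files so it can be tried on a machine without the packages installed. The default paths are the ones the post uses; the sample file names under the temporary directory are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the config edits from
# steps 2 and 3. Default paths match the post; pass a path to test another file.

# Succeeds only if privoxy listens on 127.0.0.1:8118 exactly. The post notes
# that "localhost:8118" makes dansguardian's parent-proxy connections fail.
check_privoxy_listen() {
    cfg="${1:-/etc/privoxy/config}"
    grep -Eq '^[[:space:]]*listen-address[[:space:]]+127\.0\.0\.1:8118[[:space:]]*$' "$cfg"
}

# Succeeds only if the UNCONFIGURED marker line is gone (dansguardian will not
# start while it is present) and proxyport points at privoxy's 8118.
# Commented-out lines such as "#proxyport = 3128" are not counted.
check_dansguardian_conf() {
    cfg="${1:-/etc/dansguardian/dansguardian.conf}"
    if grep -q '^UNCONFIGURED' "$cfg"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*proxyport[[:space:]]*=[[:space:]]*8118[[:space:]]*$' "$cfg"
}

# Constructed sample configs (my own, not shipped files) in a temp directory,
# so the checks can be exercised on a machine without privoxy/dansguardian.
make_samples() {
    dir="$(mktemp -d)"
    printf 'listen-address  127.0.0.1:8118\n' > "$dir/privoxy.good"
    printf 'listen-address  localhost:8118\n'  > "$dir/privoxy.bad"
    printf '#proxyport = 3128\nproxyip = 127.0.0.1\nproxyport = 8118\n' > "$dir/dg.good"
    printf 'UNCONFIGURED - Please remove this line after configuration\nproxyport = 8118\n' > "$dir/dg.unconf"
    printf 'proxyport = 3128\n' > "$dir/dg.squid"
    echo "$dir"
}

# --live checks the real files; --demo runs the checks over the sample files.
if [ "${1:-}" = "--live" ]; then
    check_privoxy_listen    && echo "privoxy: listen-address OK" || echo "privoxy: set listen-address to 127.0.0.1:8118"
    check_dansguardian_conf && echo "dansguardian: proxyport OK" || echo "dansguardian: remove the UNCONFIGURED line and set proxyport = 8118"
elif [ "${1:-}" = "--demo" ]; then
    d="$(make_samples)"
    for f in privoxy.good privoxy.bad; do
        check_privoxy_listen "$d/$f" && echo "$f: OK" || echo "$f: needs fixing"
    done
    for f in dg.good dg.unconf dg.squid; do
        check_dansguardian_conf "$d/$f" && echo "$f: OK" || echo "$f: needs fixing"
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see the checks on the sample files, or as root with `--live` to check the real /etc/privoxy/config and /etc/dansguardian/dansguardian.conf. The regexes anchor at the start of the line so commented-out entries are ignored, which is the usual way a stale `#proxyport` line slips past a quick grep.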

Step 5: Configure iptables

Now, for the icing on the cake, add a few rules to iptables

sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP

For those not familiar with iptables:

The first line allows root (needed for apt-get …).

The second line allows privoxy to connect to ports 80 and 443.
The third line blocks everyone else from ports 80 and 443, so only root and privoxy reach the web directly.

The fourth line allows dansguardian to connect to privoxy.
The fifth line allows bodhi (parents) to connect to privoxy directly, bypassing dansguardian.
Obviously, change “bodhi” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.

The last line blocks all other connections to privoxy. Note that these rules only cover TCP ports 80 and 443; traffic to other ports is not restricted.

Parents can surf the web with adblock but without dansguardian by pointing Firefox to port 8118.
Children can surf the web with adblock and dansguardian by pointing Firefox to port 8080.

Obviously parents and children should have unique login accounts.
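One way to keep the rule list manageable, as an added example that is neither from the post nor from any of the projects: the script below prints the six OUTPUT rules above in iptables-restore format, taking the parents' login names as arguments so that every parent ACCEPT is emitted before the final 8118 DROP, and it refuses names containing characters that do not belong in a user name. It assumes the same accounts and ports as the post (root, privoxy, dansguardian, 8118) and that INPUT and FORWARD carry no rules of their own; if they do, merge the OUTPUT block into your existing ruleset instead of restoring this file on its own. The file name gen_rules.sh is my own.

```shell
#!/bin/sh
# Added example (not from the original post): emit the post's OUTPUT rules in
# iptables-restore format. Parents (users allowed to reach privoxy directly,
# bypassing dansguardian) are given as arguments, e.g.
#   sh gen_rules.sh bodhi alice | sudo tee /etc/dansguardian/iptables.save
# then `sudo iptables-restore /etc/dansguardian/iptables.save` to apply.

# Reject anything that is not a plausible login name, so a stray character can
# never turn into an extra rule or break the restore file.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

gen_filter_rules() {
    for u in "$@"; do
        valid_user "$u" || { echo "gen_filter_rules: unsafe user name '$u'" >&2; return 1; }
    done
    # Table header; policies stay ACCEPT as on a fresh system (assumption).
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # 1. root may go anywhere (apt-get, etc.)
    echo '-A OUTPUT -m owner --uid-owner root -j ACCEPT'
    # 2./3. only privoxy may reach the web on 80/443; everyone else is dropped
    echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT'
    echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP'
    # 4. dansguardian forwards filtered traffic to privoxy
    echo '-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT'
    # 5. each parent may talk to privoxy directly (one rule per user, all before the DROP)
    for u in "$@"; do
        echo "-A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner $u -j ACCEPT"
    done
    # 6. nobody else reaches privoxy
    echo '-A OUTPUT -o lo -p tcp --dport 8118 -j DROP'
    echo 'COMMIT'
}

# Stand-alone use: print the rule set for the parents named on the command line.
if [ "$#" -gt 0 ]; then
    gen_filter_rules "$@"
fi
```

Because the output is already in iptables-restore format, the same file serves the rc.local restore line in step 6; regenerating it when a parent account is added or removed is safer than hand-editing a saved dump, since the ACCEPT/DROP ordering is fixed by the script rather than by where a line happened to be pasted.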

Step 6: Configure your iptables settings to be active at boot

Iptables – Use this section if you DO NOT use UFW

Save your settings:

sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"

Using any editor, open /etc/rc.local and add the following line above the final exit 0:

iptables-restore /etc/dansguardian/iptables.save

exit 0

UFW – Use this section if you use UFW

Using any editor open /etc/ufw/before.rules

1. Comment out the line (near the top of the file):

#-A ufw-before-output -o lo -j ACCEPT

2. At the bottom of the file, above the “COMMIT” line, add:

# Rules for Dansguardian

-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT

To configure Firefox to use a proxy :

Edit -> Preferences
Click on the “Advanced” tab at the top right
Click on the “Network” tab at the upper left (underneath “General” and “Tabs” )
Click the “Settings…” button on the right

[Screenshot: Firefox Network Options]

Select “Manual proxy configuration”
Under HTTP Proxy enter localhost
Under HTTP Port enter 8080 for dansguardian (Children) or 8118 for privoxy (Parents)
Check “Use this proxy server for all protocols”

[Screenshot: Proxy options]

If you wish to set a proxy for command line applications (wget, curl, etc), put this at the end of ~/.bashrc (set https_proxy the same way if HTTPS traffic should go through the proxy too):

Children: export http_proxy='localhost:8080'
Parents: export http_proxy='localhost:8118'


43 Responses to Web content filtering made easy

  1. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » Web content filtering made easy -- Topsy.com

  2. cprofitt says:

    Very nice guide Bodhi.

  3. Jason Taylor says:

    Seriously, there isn’t a check box… “Enable Child Controls”?

    There should be! My kids are coming up to web browsing age and I will be wanting this shortly; doing this for more than one machine gives me a headache…

    If there isn’t I may consider making one in python; doesn’t look too tricky…

  4. bodhi.zazen says:

    Jason : Would be nice if such controls existed, but this is the internet.

    I would not configure this on multiple machines; set up a firewall or transparent proxy. Most of the how-tos on this are written for squid (as squid is more versatile).

    http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

    In a nutshell, what you have is a computer with 2 network cards set up as a firewall + a few rules for iptables to redirect traffic on port 80 to squid.

    You can just as easily set up privoxy and dansguardian on a single central computer and use that IP address rather than localhost in firefox. You would then need to block port 80 on the client. Not exactly “transparent” but not too difficult either.

  5. bodhi.zazen says:

    Jason : You can try that link, but IMO much of that information is outdated and you might want to look at this bug report :

    https://bugs.launchpad.net/ubuntu/+source/dansguardian/+bug/474475

    Which is why I wrote this blog …

  6. Martin says:

    This is a guide that is crying out for a decent GUI tool to wrap it all up. Especially some sort of global configuration of firefox and other tools dealing with proxies possibly somehow linked to a proper group membership that controls the access policy.

  7. bodhi.zazen says:

    Martin: There are firefox extensions which allow you to manage proxies via a gui if that is what you are wanting.

  8. Martin says:

    What people see as OK is very different from place to place.

    My parents would not care if I saw some p0rn, but they would never let me see anything like today's normal American children's TV. Too many commercials directed towards children and too much violence.

    In fact my father said this to me as a small kid: “No one died of a good …. , violence kills.”. He also took me along for slaughtering of cows, elks, and sheep. It was seen as a natural part of nature.

    It was never a secret where I came from.

  9. Ralf says:

    Seems very useful. However, the filter seems very American-centric.

    That is: It filters out nudity, rather than violence.

    Is there a European alternative that doesn’t block pictures of the human body, of which children should not be ashamed, but does block violent, political and militant stuff?

  10. David says:

    I’ve set up Dansguardian (with Squid). I have some iptables rules ready to go to make it a transparent proxy on my internal network (through Shorewall). To get started, I used the “big black list,” and enabled about half the rule “classes.” I’m trying to use the filter myself, but I’m finding that Dansguardian is _really_ strict. (I realize that it should err on the side of caution, but it tends to be almost unusable.) Although I’ve been training its settings, the process is painful and slow. It consists of getting blocked, logging into my box, editing a rule or adding a whitelist entry, and restarting Dansguardian. Have you found a more efficient way of getting started or changing the rules?

    Also, I use FoxyProxy to great effect (since I have other proxies I need to deal with for work).

  11. bodhi.zazen says:

    Martin: It is true there are no settings that could possibly work “out of the box”.

    You may want to look at the dansguardian documentation to further configure the content filtering.

    http://dansguardian.org/?page=documentation

  12. bodhi.zazen says:

    Ralf: See my comments to Martin; the same applies to you.

    I do not think it is an “American vs European” issue; content filtering is both personal and controversial.

    You will see various languages in /etc/dansguardian.

    For example,

    ls /etc/dansguardian/lists/pornography

    You will see less in /etc/dansguardian/lists/violence

    It is variable.

  13. bodhi.zazen says:

    David : As far as I know you have two options.

    Smoothwall offers a commercial product(s)

    http://www.smoothwall.net/products/schoolguardian/?howitworks

    And there is a GUI maintained by UbuntuCE:

    http://ubuntuforums.org/showthread.php?t=237355
    http://ubuntuforums.org/showthread.php?t=1192578

  14. Ron says:

    I disagree with this line:

    “Using any editor, open /etc/rc.local and add the following line (above exit 0)”

    because if you put that in rc.local, it loads iptables last, thus leaving the network exposed.

    1) To get iptables to save after reboot:

    iptables-save > /etc/iptables.rules

    2) and then do:

    sudo gedit /etc/network/interfaces

    3) Paste and edit this into the file /etc/network/interfaces and then control+s to save it.
    Be sure to edit the IPs and whatever else is needed.

    auto lo
    iface lo inet loopback

    iface eth0 inet static
    pre-up iptables-restore < /etc/iptables.rules
    address 192.168.100.4
    netmask 255.255.255.0
    gateway 192.168.100.1

    auto eth0

  15. bodhi.zazen says:

    Ron, there is nothing wrong with your method; thank you for your suggestion.

    FYI: Due to “concurrency” rc.local is not run last, and IMO, rc.local is acceptable as well. Search the Ubuntu forums and you will find examples of people reporting “rc.local does not run” and many times the problem is rc.local runs too soon.

    You can write boot scripts, but if you change those they *may* get overwritten with updates, or you can add a sleep to rc.local.

  16. Pingback: uberVU - social comments

  17. Pingback: Bodhi.Zazen: Web content filtering made easy | TuxWire

  18. bodhi.zazen says:

    Ron: One other thing you should be aware of (sorry this slipped my mind the other day) …

    NetworkManager will overwrite /etc/network/interfaces , so take care on a laptop/netbook or mobile device and watch that users can not reset these changes with NetworkManager.

  19. Pingback: Shadows of epiphany » Blog Archive » How to transparent proxy

  20. Chad says:

    When I issue the command:
    sudo bash -c “iptables-save > /etc/dansguardian/iptables.save”
    I receive an error stating:
    bash: /etc/dansguardian/iptables.save”: Permission denied

    Why on Earth would I (su) receive such a message?

  21. bodhi.zazen says:

    @Chad: Probably a typo.

    You need to quote the command

    sudo bash -c “iptables-save > /etc/dansguardian/iptables.save”

    Without the quotes, sudo does not allow redirects or pipes.

    Alternately you can become root with sudo -i

    then

    iptables-save > /etc/dansguardian/iptables.save

  22. Jon says:

    Thank you for this article. It has, indeed, made it very easy to set up content filtering for the kiddos.

    I would also like to continue using a couple of proxy servers I have set up through FoxyProxy Basic. I use these only for iPlayer as they do not seem to work with any others, so I need to have it so that I can switch it off easily as well.

    This tutorial encompasses my entire experience with iptables, so I need some really basic level help. I have done everything exactly as instructed above. Please help.

  23. bodhi.zazen says:

    @Jon – What is it you are needing help with ?

  24. Derek Tombrello says:

    I followed this and now the system that I installed it on no longer displays HTTPS pages. For instance, the facebook main page comes up, but when you try to logon, you get an error that claims the server is unreachable. Any ideas?

  25. bodhi.zazen says:

    @ Derek Tombrello

    Hard to say; is the problem just with facebook or all https connections?

    If it is just facebook, try white listing facebook in privoxy.

  26. mbuotidem says:

    If you have a pc savvy kid or user who wants to access certain sites, the kid may check out your proxy settings while you are away and modify his/hers accordingly in his own account. However, if you use firefox, you can download public fox add-on which will enable locking firefox options, history, preferences even downloads etc with a password.

  27. bodhi.zazen says:

    @mbuotidem – that is why I use iptables rather than configuring browsers.

    While that is a nice ff extension, what prevents someone from downloading an alternate browser?

    Of course not much you can do (short of encryption) if they have root or physical access.

  28. John S. says:

    Step 6 save your settings I have copied and pasted
    sudo bash -c “iptables-save > /etc/dansguardian/iptables.save”
    I receive “Permission denied”
    Tried as per comment 22 with sudo -i
    iptables-save > /etc/dansguardian/iptables.save
    Same
    I would be grateful for any help
    ( I am new to Ubuntu so I have probably done something stupid )

  29. bodhi.zazen says:

    John: Not sure, I presume a typo in your command ?

    you need to use sudo , bash -c, and quotes around the redirect

    sudo bash -c “iptables-save > /etc/dansguardian/iptables-save”

  30. john s. says:

    Thanks for your reply. I copied and pasted and then tried typing; same result, “permission denied”.
    I continued on despite this and I changed the firefox network settings for myself and my daughter as suggested. Everything appears to be working as I would expect. Rebooted; it still appears to be ok?????

  31. b_hack says:

    @john s:

    The only thing I can imagine is wrong for your command is that you’re making it a two-line command, just like it looks in the posts. It’s not though:

    sudo bash -c “iptables-save > /etc/dansguardian/iptables-save”

    Alternatively, just use su, become root, copy the file, and exit. I assume you have root access since it sounds like you’re using a personal computer.

  32. DZ* says:

    John & Chad: The problem is that those aren’t really double quotes (0x22), for some reason they come out on this page as 0xE2. When pasting the command into terminal, delete and retype the surrounding quotes.

  33. Richard Berry says:

    I’m not sure how Privoxy or DansGuardian are configured to use port 8080, but unfortunately this caused a conflict with a NetBeans module (GlassFish) which I need to use for doing web development. Neither GlassFish nor DansGuardian/Privoxy allowed me to reconfigure it to use a different port. I tried playing with the iptables to see if I could get around the deadlock, but ran out of time/patience.

    Unfortunately, despite the sterling job that the parental control system was doing (I could leave my 14 year old son to browse the web without constant monitoring), I have found it necessary to uninstall it and restore the original iptables. Work has taken precedence.

    This leads me to offer the advice to others to make sure that the file /usr/sbin/iptables-restore exists, and is the same size as /usr/sbin/iptables, before the iptables are re-configured. If not, make a fresh copy. It saves a lot of trouble later if you want to restore your system to have uninhibited web access.

    Perhaps you could amend your instructions to include this snippet of advice bodhi.

    Lastly, thanks for going to the trouble of publishing these instructions for the likes of me who know just enough to be dangerous :-)

  34. bodhi.zazen says:

    @Richard Berry

    You configure these services by editing the config files.

    For privoxy you edit the line “listen-address” in /etc/privoxy/config

    Change

    listen-address 127.0.0.1:8118

    to

    listen-address 127.0.0.1:8081

    The numbers after the colon set the port.

    Then re-start privoxy.

    Similarly edit /etc/dansguardian/dansguardian.conf and set the ports you want to use.

    For information on iptables see:

    http://bodhizazen.net/Tutorials/iptables

    There are many ways to manage your firewall =)

  35. Pingback: security and a school computer lab

  36. Dave Shuck says:

    Thanks for the tutorial. Can you tell me what changes I would need to make for this to work as a proxy on my home network for remote (linux and windows) clients? For example, I assume that the IP tables section might have to be modified, but am pretty clueless as to how.

  37. bodhi.zazen says:

    Easiest method is to use squid + dansguardian set up as a transparent proxy.

    http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

    This requires a box (can be an old box) with two network cards.

  38. Dave Shuck says:

    Ah, bummer. I liked the idea of the additional ad blocking of Privoxy. Thanks for the tip, and I will continue my research.

  39. bodhi.zazen says:

    You could use privoxy in place of squid if you wish, or even use all 3 privoxy + squid + dansguardian.

    The advantage of squid is it may reduce your bandwidth as it is a caching proxy.

  40. anon says:

    Thank you very much – works great!

    Q: how do I have different sites allowed per user? Seems to me the only way is to send them to different instances of DansGuardian, each running on a different port. Then configure each user’s proxy accordingly.

  41. bodhi.zazen says:

    @anon – I do not think you can set user specific white/black lists with dansguardian or privoxy. You can, however, do just that with squid, but then you need to maintain user lists. Personally, I filter my children through dansguardian, and my browsing goes direct to privoxy.

  42. Tony says:

    Hi, great article.
    Just one question, I use UFW so should I skip step 5?
    Thanks
