DansGuardian with Tinyproxy
without IP-Tables for Gnome and KDE

Installation Guide for Linux Internet Filter

DansGuardian is a freely available, reliable word-based content filter offering protection from Internet filth like pornography, violence and racism. Read more at http://www.dansguardian.org/. This Guide is based on my own experience on a single-user personal computer with Gentoo-Linux and the Gnome Desktop installed.

If you are already a Gnome user, installation is really simple: you only need to pay attention to points 1-3 below.

Recommended Software:

  1. DansGuardian Version 2.8.0
  2. Tinyproxy Version 1.6.2
  3. Gnome Version 2.10

Newer versions of the programmes should also work, else just install those mentioned!

1. DansGuardian

What is DansGuardian? It is a free for non-commercial use, freely configurable, highly efficient content filter for Internet traffic. It works very fast, filtering according to the following criteria:
  1. PICS/ICRA Standard (voluntary categorising system for offensive (or other) Internet sites, placed in the "header" section of the HTML code). Because it has not gained wide acceptance yet, it cannot serve as a reliable filter on its own, yet in combination with other filtering systems it has proven very useful, e.g. for filtering sites that include offensive pictures without text. Many "adult" and other sites do submit to the ICRA classification system (including the one you are visiting at the moment!).
  2. MIME and data types (filters endings like *.exe etc.), freely adaptable, the default setting being very conservative since almost no files are allowed for download
  3. Words / word parts in any language (German, English among others already included in default)
  4. "weighted phrase lists", i.e. certain word combinations are filtered if they exceed a given allowed percentage (may be set from liberal to very restrictive)
  5. blocked URLs (have to be added by hand, there are however additional "Blacklists" available on the Internet for anyone to use)

The content filter is very impressive even in its present settings. By default, it filters pornographical material and racist and otherwise vile language for many languages. The word filter is very intelligent. For instance, it doesn't just block the word "sex" categorically (which of course is not always used in a pornographical context and in languages like English can just mean "gender"), but reacts to clusters of similar (offensive) words and word combinations. The extent of allowed "clusters" can be set to taste, while the default setting seems quite reasonable as it is. The afore-mentioned lists are accessible to the system administrator (root) and are freely adaptable to the needs. There are additional Blacklists (blocked sites) available, but the filter is quite adequate even without them.

DansGuardian is included in many popular Linux distributions. If that is not the case for your distribution, you may download the programme free of charge from DansGuardian Download as long as it is for non-commercial use. The filter works immediately after installation with the default settings. Changes may be necessary in the file /etc/dansguardian/dansguardian.conf, where the following 3 settings are important:

  1. filterport = 8080
  2. proxyip = 127.0.0.1
  3. proxyport = 3128

Some distributions (notably Debian) add the following lines at the top of dansguardian.conf:
# Comment this line out once you have modified this file to suit your needs
# UNCONFIGURED

So just delete the # in front of UNCONFIGURED!

2. Tinyproxy

A proxy is a programme that comes between your computer and the Internet, regulating the data flow. Tinyproxy is an exceptionally slim and fast proxy, and very easy to configure. It works as a transparent proxy, which means that it is invisible to other software using it. I have tried Squid and Oops before (both are reported to work with DansGuardian), but Tinyproxy is clearly your favourite if you're like myself and want to get started without much hassle.

As I said, any Internet request is filtered by DansGuardian before it reaches the browser. The proxy then acts as a go-between connecting DansGuardian to the Internet. Tiny Tinyproxy is included in some Linux distributions like Gentoo, which is commendable. Just install it, and it will work for you like a weasel.

If it is not included in your distribution you can download the most recent version from http://sourceforge.net/projects/tinyproxy/. To install, just open a console, log in as root and move to the directory of the file just downloaded, entering the following commands:

  1. cd directory
  2. tar xzf filename.tar.gz

A new sub-directory by the name of tinyproxy-Version will be created. Change to it and enter the following:

  1. ./configure
  2. make && make install

(By the way, these instructions are also true for DansGuardian, in case it is missing in your distribution and you have to compile it for yourself, using a downloaded tar file. This is not true for rpms!)

Now that the programme is installed, change the following 4 lines in /etc/tinyproxy/tinyproxy.conf

  1. User root
  2. Group root
  3. Port 3128
  4. ViaProxyName "tinyproxy"

To start, just enter tinyproxy in the root console.
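
The settings from sections 1 and 2 only work as a pair, so the following added example (not part of the original guide) cross-checks the two files. The function names conf_get and audit_chain are hypothetical, the sample files are constructed from the values given above, and Listen is a Tinyproxy directive that this guide does not set.

```shell
#!/bin/sh
# conf_get FILE KEY: value of "KEY = value" (DansGuardian) or "KEY value"
# (Tinyproxy); comment lines are skipped, quotes and trailing comments stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[[:space:]=][[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" | head -n 1
}

# audit_chain DANSGUARDIAN_CONF TINYPROXY_CONF: one finding per line, or "OK".
audit_chain() {
    n=0
    finding() { echo "$*"; n=$((n + 1)); }
    fport=$(conf_get "$1" filterport)
    pip=$(conf_get "$1" proxyip)
    pport=$(conf_get "$1" proxyport)
    tport=$(conf_get "$2" Port)
    tuser=$(conf_get "$2" User)
    tlisten=$(conf_get "$2" Listen)
    # DansGuardian must hand requests to the port Tinyproxy listens on.
    [ "$pport" = "$tport" ] || finding "MISMATCH: proxyport=$pport, Tinyproxy Port=$tport"
    # Equal ports would make DansGuardian forward to itself.
    [ "$fport" != "$pport" ] || finding "LOOP: filterport and proxyport are both $fport"
    # Tinyproxy parses untrusted traffic; a port above 1023 needs no root.
    [ "$tuser" != root ] || finding "PRIVILEGE: Tinyproxy User is root"
    # Without a Listen address Tinyproxy binds every interface.
    [ "$tlisten" = "$pip" ] || finding "BIND: Listen='$tlisten', DansGuardian uses $pip"
    [ "$n" -gt 0 ] || echo OK
}

# Constructed samples holding exactly the values this guide sets.
demo=$(mktemp -d)
cat > "$demo/dansguardian.conf" <<'EOF'
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
EOF
cat > "$demo/tinyproxy.conf" <<'EOF'
User root
Group root
Port 3128
ViaProxyName "tinyproxy"
EOF
audit_chain "$demo/dansguardian.conf" "$demo/tinyproxy.conf"
rm -rf "$demo"
```

On a real system, pass /etc/dansguardian/dansguardian.conf and /etc/tinyproxy/tinyproxy.conf as the two arguments.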

Ideally, DansGuardian and Tinyproxy should be loaded through their corresponding Init Scripts at boot time (your system creates so-called Init Scripts if the programmes are part of your distribution, but not if you have to download them manually). It is important that the proxy is launched first, otherwise DansGuardian will exit. So among your Init Scripts (located in /etc/conf.d or /etc/init.d) find the files named dansguardian and tinyproxy and assign the start order correctly - e.g. for tinyproxy to start in runlevel "boot" and dansguardian in runlevel "default". In case you are not familiar with runlevels and Init scripts, see option below with "local.start" under point 5.

3. Gnome

Gnome - the swift alternative to the wide-spread KDE graphical desktop environment! For Gnome users and anyone who wishes to become one, automatic redirection of Internet traffic to the port DansGuardian uses is quite easy. It is possible to force all HTTP traffic through another port with just a few Gnome commands. (These settings can also be made in Gnome's so-called gconf-editor, a graphical programme to the same effect, but it should be used with extreme caution since these settings are quite crucial and delicate).

As far as I know, this kind of redirection only works for Gnome's in-built browsers Epiphany or Galeon. For any other browser the proxy has to be set in the browser - or else by using iptables (see below), which is safer because it cannot easily be overridden.

To set the mandatory proxy in Gnome, enter the following 5 commands one after the other, as root in a console (just copy them over one by one, and don't break the line before the end of each command!), then restart Gnome.

  1. gconftool-2 --shutdown
  2. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=bool --set /system/http_proxy/use_http_proxy true
  3. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/http_proxy/host localhost
  4. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=int --set /system/http_proxy/port 8080
  5. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/proxy/mode manual

If you want to make sure that your Internet protection cannot be circumvented by using another browser you should delete Mozilla and/or Firefox, or block the executable. Epiphany needs the Mozilla/Firefox libraries to run, therefore one of these browsers is installed automatically alongside Epiphany. So you can't just uninstall Mozilla/Firefox altogether, but rather block or delete the binary. To block it, enter as root:

  1. chmod 444 /usr/bin/mozilla
  2. chmod 444 /usr/bin/firefox
(makes it non-executable for root and users) - or, to delete it (which is even safer!), enter:
  1. rm /usr/bin/mozilla
  2. rm /usr/bin/firefox

4. KDE

Even for the KDE desktop environment you need not necessarily go to the trouble of setting iptable redirection rules, although it is true that they're harder to break than other settings. So just go to the KDE Control Centre, and there in the section "Proxy Server" tick the boxes "manual" and "permanent connection". Then click on "Setting" and for HTTP Proxy enter 127.0.0.1 and 8080.
Again, these settings are only recognised by the KDE in-built browser Konqueror. For any other browser the proxy must be set individually (i.e. in the browser itself or through IP-Tables, see below). For additional safety the proxy settings can be made unchangeable for users with the KDE Kiosk tool (this should be part of your KDE distribution; if not, download it from Kiosktool).

5. IP-Tables

This is the safest way to redirect Internet connections on any system other than Gnome, but alas, it can only be understood and managed by experts! To start with, ip-tables must be supported by the Linux kernel, which seems to be the case in most modern distributions. If you are lucky, the following 3 commands will do the job and you will be able to redirect your traffic in no time. Try it in your console. If you are successful, your whole Internet traffic will immediately go through port 8080 - and you won't have a running Internet connection left unless DansGuardian is running. In order for the redirection to be in effect right from system start, you should add these lines to your /etc/conf.d/local.start or /etc/rc.d/rc.local file (similar names are possible, see your distribution specifics).

  1. modprobe iptable_nat
  2. echo 1 > /proc/sys/net/ipv4/ip_forward
  3. iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

(instead of -A OUTPUT you could also try -A PREROUTING which seems to work with some people)
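
Every locally generated connection passes the nat OUTPUT chain, so the single rule above also catches Tinyproxy's own outbound requests to port 80 and sends them back to port 8080. The following added example (not part of the original guide) prints a rule pair that exempts the proxy's account first, and checks a rule listing for a redirect that lacks such an exemption. The function names and the account name tinyproxy are hypothetical (the guide itself sets User root), and the listings are constructed.

```shell
#!/bin/sh
# redirect_rules PROXY_USER: print the nat rules, exemption first.
# PROXY_USER is whichever account Tinyproxy runs as (the "User" line).
redirect_rules() {
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $1 -j ACCEPT"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080"
}

# check_nat_output: read the text of "iptables -t nat -S OUTPUT" on stdin.
# Prints OK, LOOP (port-80 redirect with no owner exemption ahead of it)
# or NOREDIRECT (no port-80 redirect present at all).
check_nat_output() {
    awk '
        /--dport 80( |$)/ && /--uid-owner/ && !/! --uid-owner/ &&
            /-j (ACCEPT|RETURN)/ { exempt = 1 }
        /--dport 80( |$)/ && /-j REDIRECT/ {
            seen = 1
            # An inline "! --uid-owner" on the redirect also exempts the proxy.
            if (!exempt && !/! --uid-owner/) loop = 1
        }
        END { print (loop ? "LOOP" : (seen ? "OK" : "NOREDIRECT")) }
    '
}

# Constructed listing 1: only the guide's rule, as -S would print it.
printf '%s\n' '-P OUTPUT ACCEPT' \
    '-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080' |
    check_nat_output

# Constructed listing 2: the same rule preceded by an exemption for uid 1001.
printf '%s\n' '-P OUTPUT ACCEPT' \
    '-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1001 -j ACCEPT' \
    '-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080' |
    check_nat_output
```

As root, `iptables -t nat -S OUTPUT | check_nat_output` runs the same check against the live rules.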

Hereafter you might want to add the lines

  1. tinyproxy
  2. dansguardian
in case you haven't succeeded with your Init Scripts (see above).

6. Making your own Start Script

If you couldn't find any local.start script in your Linux distribution the following trick will do:

1. Create a new file with any name, let's call it local.start for simplicity's sake, preferably in the /etc directory:

  1. touch /etc/local.start
Then, as root, edit the file in a text editor. The first line must be:
  1. #!/bin/sh
Below add any of the commands explained above, taking a new line for each one.

2. Make the file executable with the command:

  1. chmod 755 /etc/local.start

3. In the file /etc/inittab add the following line:

  1. lo:2345:once:/etc/local.start

Thus the programmes will be executed automatically at boot time.

Good luck!
P. Vollmar
