Computer Science

Monday, July 14, 2008

DansGuardian with Tinyproxy

Installation Guide for Linux Internet Filter

(Source http://www.vollmar.ch/dansguardian-e.html)

DansGuardian is a freely available, reliable word-based content filter offering protection from Internet filth like pornography, violence and racism. Read more at www.dansguardian.org. This Guide is based on my own experience on a single-user personal computer with Gentoo-Linux and the Gnome and XFCE4 graphical desktops installed.

If you are already a Gnome user, installation is really simple: you only need to pay attention to points 1 to 3 below.

Recommended Software:

  1. DansGuardian Version 2.8 or 2.9
  2. Tinyproxy Version 1.6.3
  3. Gnome Version 2.14

Newer versions of the programs should also work; if not, just install those mentioned!

Brand new: Ubuntu CE does it all for you!

The popular Linux distribution Ubuntu has lately made a new appearance under the name of Ubuntu Christian Edition. This version deserves respect, since it offers everything the average computer user would wish for, including a fully functional DansGuardian with Tinyproxy and pre-installed IP-Tables, Firefox as the standard browser plus a comfortable tool named Parental Control for personal settings! Download: Ubuntu CE

Hence, the following instructions are now just for people who don't like Ubuntu. :-)

1. DansGuardian

What is DansGuardian? It is a freely configurable, highly efficient content filter for Internet traffic, free for non-commercial use. It works very fast, filtering according to the following criteria:
  1. PICS/ICRA standard (a voluntary categorising system for offensive (or other) Internet sites, placed in the "header" section of the HTML code). Because it has not gained wide acceptance yet, it cannot serve as a reliable filter on its own, yet in combination with other filtering systems it has proven very useful, e.g. for filtering sites that include offensive pictures without text. Many "adult" and other sites do submit to the ICRA classification system (including the one you are visiting at the moment!).
  2. MIME and data types (filters endings like *.exe etc.), freely adaptable, the default setting being very conservative since almost no files are allowed for download
  3. Words / word parts in any language (German, English among others already included in default)
  4. "weighted phrase lists", i.e. certain word combinations are filtered if they exceed a given allowed percentage (may be set from liberal to very restrictive)
  5. blocked URLs (have to be added by hand, there are however additional "Blacklists" available on the Internet for anyone to use)

The content filter is very impressive even in its present settings. By default, it filters pornographic material and racist and otherwise vile language in many languages. The word filter is very intelligent. For instance, it doesn't just block the word "sex" categorically (which of course is not always used in a pornographic context and in languages like English can just mean "gender"), but reacts to clusters of similar (offensive) words and word combinations. The extent of allowed "clusters" can be set to taste, while the default setting seems quite reasonable as it is. The aforementioned lists are accessible to the system administrator (root) and are freely adaptable to your needs. There are additional Blacklists (blocked sites) available, but the filter is quite adequate even without them.

DansGuardian is included in many popular Linux distributions. If that is not the case for your distribution, you may download the program free of charge from DansGuardian Download as long as it is for non-commercial use. The filter works immediately after installation with the default settings; changes may be necessary in the file /etc/dansguardian/dansguardian.conf, where the following 3 settings are important:

  filterport = 8080
  proxyip = 127.0.0.1
  proxyport = 3128

Some distributions (notably Debian) add the following lines at the top of dansguardian.conf:

  # Comment this line out once you have modified this file to suit your needs:
  # UNCONFIGURED

So just delete the # in front of UNCONFIGURED!

If you have DansGuardian up to version 2.8 you should watch the line

  usernameidmethodproxyauth = off

If it is set like this you can do without the lines for "User" and "Group" in tinyproxy.conf (see next paragraph).

2. Tinyproxy

A proxy is a program that comes between your computer and the Internet, regulating the data flow. Tinyproxy is an exceptionally slim and fast proxy, and very easy to configure. It works as a transparent proxy, which means that it is invisible to other software using it. I have tried Squid and Oops before (both are reported to work with DansGuardian), but Tinyproxy is clearly your favourite if you're like myself and want to get started without much hassle.

As I said, any Internet request is filtered by DansGuardian before it reaches the browser. The proxy then acts as a go-between connecting DansGuardian to the Internet. Tinyproxy is included in some Linux distributions like Gentoo, which is commendable. Just install it, and it will work for you like a weasel.

If it is not included in your distribution you can download the most recent version from http://sourceforge.net/projects/tinyproxy/. To install, just open a console, log in as root and move to the directory of the file just downloaded, entering the following commands:

  cd directory
  tar xzf filename.tar.gz

A new sub-directory by the name of tinyproxy-Version will be created. Change to it and enter the following:

  ./configure --enable-transparent-proxy
  make && make install

(By the way, these instructions are also true for DansGuardian, in case it is missing in your distribution and you have to compile it for yourself, using a downloaded tar file. This is not true for rpms!)

Now that the program is installed, change the following 4 lines in /etc/tinyproxy/tinyproxy.conf:

  User nobody
  Group nobody
  Port 3128
  ViaProxyName "tinyproxy"

To start, just enter tinyproxy in the root console.

Ideally, DansGuardian and Tinyproxy should be loaded through their corresponding Init Scripts at boot time (your system creates so-called Init Scripts if the programs are part of your distribution, but not if you have to download them manually). It is important that the proxy is launched first, otherwise DansGuardian will exit. So among your Init Scripts (located in /etc/init.d) find the files named dansguardian and tinyproxy and assign the start order correctly, e.g. tinyproxy in runlevel "boot" and dansguardian in runlevel "default". In case you are not familiar with runlevels and Init Scripts, see the option with "local.start" under point 5 below.
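As an added check that is not part of the original guide, the following script (helper names dg_value, tp_value and check_chain are my own) reads a dansguardian.conf and a tinyproxy.conf and confirms that the three DansGuardian settings from point 1 line up with the Tinyproxy Port from point 2; the sample configs it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that dansguardian.conf
# and tinyproxy.conf chain together the way the guide describes, i.e.
#   browser -> DansGuardian on filterport -> Tinyproxy on proxyip:proxyport
# so proxyport must equal Tinyproxy's "Port" and differ from filterport,
# and no active (uncommented) UNCONFIGURED marker may remain in the
# DansGuardian file. The sample configs written below are constructed.
# dg_value FILE KEY -> value of a "key = value" line (DansGuardian style)
dg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d "'\" "
}
# tp_value FILE KEY -> value of a "Key value" line (Tinyproxy style)
tp_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1 | tr -d '" '
}
# check_chain DG_CONF TP_CONF -> 0 when the two files agree, 1 (with reasons) otherwise
check_chain() {
    rc=0
    if grep -q '^[[:space:]]*UNCONFIGURED' "$1"; then
        echo "FAIL: $1 still has an active UNCONFIGURED line"; rc=1
    fi
    filterport=$(dg_value "$1" filterport)
    proxyip=$(dg_value "$1" proxyip)
    proxyport=$(dg_value "$1" proxyport)
    tpport=$(tp_value "$2" Port)
    [ "$proxyip" = "127.0.0.1" ] ||
        { echo "FAIL: proxyip is '$proxyip', the guide expects 127.0.0.1"; rc=1; }
    [ -n "$proxyport" ] && [ "$proxyport" = "$tpport" ] ||
        { echo "FAIL: proxyport '$proxyport' does not match Tinyproxy Port '$tpport'"; rc=1; }
    [ "$filterport" != "$proxyport" ] ||
        { echo "FAIL: filterport and proxyport are both '$filterport': DansGuardian would connect to itself"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $1 -> $2 chain is consistent"; fi
    return "$rc"
}

SAMPLES=$(mktemp -d)
# Matches the guide's three settings; Debian marker commented out
printf '%s\n' '# UNCONFIGURED' 'filterport = 8080' 'proxyip = 127.0.0.1' 'proxyport = 3128' > "$SAMPLES/dg_ok.conf"
printf '%s\n' 'User nobody' 'Group nobody' 'Port 3128' 'ViaProxyName "tinyproxy"' > "$SAMPLES/tp_ok.conf"
# Marker still active and proxyport pointing back at DansGuardian's own port
printf '%s\n' 'UNCONFIGURED' 'filterport = 8080' 'proxyip = 127.0.0.1' 'proxyport = 8080' > "$SAMPLES/dg_bad.conf"

check_chain "$SAMPLES/dg_ok.conf"  "$SAMPLES/tp_ok.conf"        # prints OK
check_chain "$SAMPLES/dg_bad.conf" "$SAMPLES/tp_ok.conf" || :   # prints three FAIL lines
```

Run it against the real files with check_chain /etc/dansguardian/dansguardian.conf /etc/tinyproxy/tinyproxy.conf before enabling the Init Scripts.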

3. Gnome

Gnome – the swift alternative to the wide-spread KDE graphical desktop environment! For Gnome users and anyone who wishes to become one, automatic redirection of Internet traffic to the port DansGuardian uses is quite easy. It is possible to force all HTTP traffic through another port with just a few Gnome commands. (These settings can also be made in Gnome's so-called gconf-editor, a graphical program to the same effect, but it should be used with extreme caution since these settings are quite crucial and delicate.)

As far as I know, this kind of redirection only works for Gnome's in-built browsers Epiphany or Galeon. For any other browser the proxy has to be set in the browser (mostly in settings>proxy: 127.0.0.1:8080) – or else by using IP-Tables (see below), which is safer because it cannot easily be overridden. (By the way, if you haven't heard of it, Epiphany is a great, easy-to-use browser with only a few settings to worry about. If Firefox is a Jumbo, Epiphany is the Jet!)

To set the mandatory proxy in Gnome, enter the following 5 commands one after the other, as root in a console (just copy them over one by one, and don't break the line before the end of each command!), then restart Gnome.

  gconftool-2 --shutdown
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=bool --set /system/http_proxy/use_http_proxy true
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/http_proxy/host localhost
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=int --set /system/http_proxy/port 8080
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/proxy/mode manual

If you want to make sure that your Internet protection cannot be circumvented by using another browser you should delete Mozilla and/or Firefox/Seamonkey, or block the executable. Epiphany needs the Mozilla libraries to run, therefore one of these browsers is installed automatically alongside Epiphany or Galeon (to be precise, from version 2.14 Epiphany can be compiled in four ways, depending on the settings made while configuring. If you go to the trouble of downloading and installing Epiphany the non-standard way, you can run ./configure with the option --with-gecko=xulrunner. Xulrunner seems to be the preferred variant for future installations since no additional browser is installed.)

If you like it simple, just install Epiphany or Galeon as described and then delete whichever browser is installed alongside it, i.e. Mozilla, Firefox or Seamonkey (but don't uninstall them altogether, just block or delete the binary!). To block it, enter as root:

  chmod 444 /usr/bin/mozilla
  chmod 444 /usr/bin/firefox
  chmod 444 /usr/bin/seamonkey

(this makes it non-executable for root and users), or, to delete it (which is even safer!), enter:

  rm /usr/bin/mozilla
  rm /usr/bin/firefox
  rm /usr/bin/seamonkey

4. KDE

Even for the KDE desktop environment you need not necessarily go to the trouble of setting up iptables, although it is true that iptables rules are harder to break than other means of controlling Internet traffic. So just go to the KDE Control Centre, and there in the section "Proxy Server" tick the boxes "manual" and "permanent connection". Then click on "Setting" and for HTTP Proxy enter 127.0.0.1 and 8080.
Again, these settings are only recognised by the KDE in-built browser Konqueror. For any other browser the proxy must be set individually (i.e. in the browser itself or through IP-Tables, see below). For additional safety the proxy settings can be made unchangeable for users with the KDE Kiosktool (this should be part of your KDE distribution; if not, download it from Kiosktool).

5. Other Linux Desktops

If you fancy super light-weight desktops like xfce4, icewm, rox, blackbox, sawfish, afterstep, fvwm, larswm, twm, dwm, the combination of DansGuardian-Tinyproxy-Epiphany/Galeon will be your friend just the same. The trick is that the Gnome GConf Editor works independently of a full Gnome installation. If you happen to have a Gentoo-Linux setup, the following root command will install all necessary programs and libraries for you:

  emerge gconf epiphany dansguardian tinyproxy

Following that, the configuration process as described above must ensue, including the gconftool-2 commands (see under Gnome). The same is true here, of course: these settings only affect the Gnome browsers Epiphany and Galeon; any other browser will escape filtering unless the proxy is set in the browser proper or via IP-Tables.

6. HTTP_PROXY Environment Variable

Another easy solution to redirect web traffic in your browser is setting the HTTP_PROXY variable before starting the browser. Unfortunately this variable is not respected by the majority of browsers. Following my own experience, it works only with Dillo, Opera and Amaya.

In order to make the variable effective, enter the following command before launching the browser:

  export HTTP_PROXY="127.0.0.1:8080"

In order to set the variable at system boot you can add the same line to the .bash_profile in your home directory. Command:

  echo 'export HTTP_PROXY="127.0.0.1:8080"' >> ~/.bash_profile

The drawback of this method is that the user can change the proxy settings in the browser's preferences menu (except for Dillo where this is possible only by changing the configuration file).

7. IP-Tables

This is the safest way to redirect Internet connections on any system other than Gnome, but it's the trickiest of all. To start with, the program iptables must be installed and supported by the Linux kernel, which seems to be the case in most modern distributions. The script below should now work on any normal home PC (many thanks to Florian and Michael!). Try it in your root console. If you are successful, your whole Internet traffic will immediately go through port 8080, and you won't have a working Internet connection left unless DansGuardian is running. In order for the redirection to be in effect right from system start, you should add the script to your /etc/conf.d/local.start or /etc/rc.d/rc.local file (similar names are possible, see your distribution specifics).

Some exotic browsers like hv3 use their own cache proxy, and these require a separate rule each (see at polipo in script, uncomment or adapt to your needs):

#!/bin/sh
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
#Flush all rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Let tinyproxy out (it is running as nobody)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
#for polipo:
#iptables -t nat -A OUTPUT -p tcp --dport 8123:8133 -m owner --uid-owner nobody -j ACCEPT
# Forward all web traffic to dansguardian/tinyproxy
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
#for polipo:
#iptables -t nat -A OUTPUT -p tcp --dport 8123:8133 -j REDIRECT --to-ports 8080

Hereafter you might want to add the lines

  tinyproxy
  dansguardian

in case you haven't succeeded with your Init Scripts (see above).
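As an added example that is not part of the original guide, this script reads an iptables-save dump of the nat table (a constructed one here, standing in for what the script above installs) and checks that the owner-based ACCEPT for Tinyproxy's user comes before the REDIRECT to 8080, then lists which destination ports are redirected at all; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide. It reads an "iptables-save -t nat"
# dump and checks what the guide's redirect script relies on: the owner-based
# ACCEPT for the proxy user must precede the REDIRECT to 8080 (otherwise
# Tinyproxy's own port-80 connections are sent back into DansGuardian and loop),
# and it lists which ports are redirected at all, since anything else (443 for
# HTTPS, for instance) bypasses the filter. Dumps below are constructed; 65534 = nobody.
# nat_output_rules DUMP -> the nat OUTPUT rules, one per line, in table order
nat_output_rules() {
    awk '/^\*nat$/ {in_nat=1; next} /^COMMIT$/ {in_nat=0}
         in_nat && /^-A OUTPUT / {print}' "$1"
}
# check_redirect DUMP -> 0 if the proxy ACCEPT precedes the port-80 REDIRECT, 1 otherwise
check_redirect() {
    rules=$(nat_output_rules "$1")
    acc=$(printf '%s\n' "$rules" | grep -n -- '--dport 80 .*--uid-owner .* -j ACCEPT' | head -n 1 | cut -d: -f1)
    red=$(printf '%s\n' "$rules" | grep -n -- '--dport 80 .*-j REDIRECT --to-ports 8080' | head -n 1 | cut -d: -f1)
    [ -n "$acc" ] || { echo "FAIL: no owner-based ACCEPT for the proxy user"; return 1; }
    [ -n "$red" ] || { echo "FAIL: port 80 is not redirected to 8080"; return 1; }
    if [ "$acc" -lt "$red" ]; then
        echo "OK: proxy ACCEPT is rule $acc, REDIRECT is rule $red"; return 0
    fi
    echo "FAIL: REDIRECT (rule $red) comes before proxy ACCEPT (rule $acc): loop"; return 1
}
# redirected_ports DUMP -> space-separated --dport values that hit a REDIRECT
redirected_ports() {
    nat_output_rules "$1" | grep -- '-j REDIRECT' |
        sed -n 's/.*--dport \([0-9:]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.txt" <<'EOF'
*nat
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 65534 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
# Same two rules in the wrong order.
cat > "$SAMPLES/swapped.txt" <<'EOF'
*nat
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 65534 -j ACCEPT
COMMIT
EOF
check_redirect "$SAMPLES/good.txt"                 # OK
check_redirect "$SAMPLES/swapped.txt" || :         # FAIL ... loop (exit 1 is intended)
echo "redirected ports: $(redirected_ports "$SAMPLES/good.txt")"   # 80
```

On a live system feed it the real table with iptables-save -t nat > /tmp/nat.txt and pass that file to the two functions.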

Making your own start script

If you couldn't find any local.start script in your Linux distribution the following trick will do:

1. Create a new file with any name, let's call it local.start for simplicity's sake, preferably in the /etc directory:

  touch /etc/local.start

Then, as root, edit the file in a text editor. The first line must be:

  #!/bin/sh

Below that add any of the commands explained above, taking a new line for each one.

2. Make the file executable with the command:

  chmod 755 /etc/local.start

3. In the file /etc/inittab add the following line:

  lo:2345:once:/etc/local.start

Thus the programs will be executed automatically at boot time.
