Sunday, July 4, 2010

transparent dansguardian

DansGuardian with Polipo

without IP-Tables for Gnome and KDE

Updated: 21 May 10 - Polipo instead of Tinyproxy!


Installation Guide for Linux Internet Filter




DansGuardian is a freely available, reliable word-based
content filter offering protection from Internet filth like pornography,
violence and racism. Read more at www.dansguardian.org.
This Guide is based on my own experience on a single-user personal
computer with Gentoo-Linux and the Gnome and XFCE4 graphical desktops installed.


If you are already a Gnome user, installation is really simple, you only need to pay attention to points 1-3 here below.


Recommended Software:


  1. DansGuardian
  2. Polipo

New (May 10): Polipo instead of Tinyproxy

Newer versions of DansGuardian seem to cause problems with
Tinyproxy. Often only a blank page appears, or there is an obscure
"page encoding error" of some kind. Has anyone found out the reason?

From now on I recommend Polipo as the proxy: it works like Tinyproxy, but more reliably, and it is a caching proxy as well. The only thing you must change is the proxy port entry in the file /etc/dansguardian/dansguardian.conf (see further below). The IP-Tables rules have also been updated (see point 8).

Brand new (Jan 09): Ubuntu CE does it all for you!

The popular Linux distribution Ubuntu has lately made a new appearance under the name of Ubuntu Christian Edition.
This version deserves respect, since it offers everything the average
computer user would wish for, including a fully functional DansGuardian
and pre-installed IP-Tables, Firefox as the standard browser plus a
comfortable tool named Parental Control for personal settings!
Download: Ubuntu CE

Hence, the following instructions are now just for people who don't like Ubuntu. :-)


1. DansGuardian
What is DansGuardian? It is a freely configurable, highly efficient content filter for Internet traffic, free for non-commercial use. It works very fast, filtering according to the following criteria:
  1. PICS/ICRA standard (a voluntary categorising system for offensive (or other) Internet sites, placed in the "header" section of the HTML code). Because it has not gained wide acceptance yet, it cannot serve as a reliable filter on its own, yet in combination with other filtering systems it has proven very useful, e.g. for filtering sites that include offensive pictures without text. Many "adult" and other sites do submit to the ICRA classification system (including the one you are visiting at the moment!).
  2. MIME and data types (filters file endings like *.exe etc.), freely adaptable, the default setting being very conservative since almost no files are allowed for download
  3. Words / word parts in any language (German and English among others are already included by default)
  4. "weighted phrase lists", i.e. certain word combinations are filtered if they exceed a given allowed percentage (may be set from liberal to very restrictive)
  5. blocked URLs (have to be added by hand; there are however additional "Blacklists" available on the Internet for anyone to use)

The content filter is very impressive even in its present settings. By default, it filters pornographic material and racist and otherwise vile language for many languages. The word filter is very intelligent. For instance, it doesn't just block the word "sex" categorically (which of course is not always used in a pornographic context and in languages like English can just mean "gender"), but reacts to clusters of similar (offensive) words and word combinations. The extent of allowed "clusters" can be set to taste, while the default setting seems quite reasonable as it is. The afore-mentioned lists are accessible to the system administrator (root) and are freely adaptable to your needs. There are additional Blacklists (blocked sites) available, but the filter is quite adequate even without them.

DansGuardian is included in many popular Linux distributions; to install, just enter in root console:

  1. Gentoo: emerge dansguardian && rc-update add dansguardian default
  2. Debian/Ubuntu: apt-get install dansguardian

If that is not the case for your distribution, you may download the program free of charge from DansGuardian Download, as long as it is for non-commercial use. The filter works immediately after installation with the default settings; changes may however be necessary in the file /etc/dansguardian/dansguardian.conf, the following 3 settings being essential (8123 is Polipo's default listening port):


  1. filterport = 8080
  2. proxyip = 127.0.0.1
  3. proxyport = 8123

Some distributions (notably Debian) add the following lines at the top of dansguardian.conf:

  1. # Comment this line out once you have modified this file to suit your needs:
  2. UNCONFIGURED

So just delete this line or comment it by adding a # in front of UNCONFIGURED!
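A small check for the three settings above and for the UNCONFIGURED guard line, written as an added example for this guide (it is not part of DansGuardian); the sample config is constructed, and the parser assumes the plain "key = value" layout of dansguardian.conf with '#' comment lines:

```python
"""Lint dansguardian.conf for the three settings this guide requires and for
Debian's UNCONFIGURED guard line.  Added example; the sample file is constructed."""
from typing import Dict, List, Tuple

# Values this guide sets in /etc/dansguardian/dansguardian.conf
# (8123 is Polipo's default listening port).
REQUIRED = {"filterport": "8080", "proxyip": "127.0.0.1", "proxyport": "8123"}


def parse_conf(text: str) -> Tuple[Dict[str, str], bool]:
    """Return (settings, unconfigured): 'key = value' lines (quotes dropped),
    '#' lines ignored, later keys win; unconfigured is True while a bare
    UNCONFIGURED line is still active."""
    settings: Dict[str, str] = {}
    unconfigured = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "UNCONFIGURED":
            unconfigured = True
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip("'\"")
    return settings, unconfigured


def check_conf(text: str) -> List[str]:
    """List human-readable problems; an empty list means the file is ready."""
    settings, unconfigured = parse_conf(text)
    problems = []
    if unconfigured:
        problems.append("UNCONFIGURED line still active: delete or comment it out")
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got != want:
            problems.append(f"{key} = {got!r}, expected {want!r}")
    return problems


# Constructed sample resembling a fresh Debian file before it is edited.
SAMPLE_BEFORE = """# Comment this line out once you have modified this file to suit your needs:
UNCONFIGURED
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""
# The same file after following the guide: guard line commented, Polipo port set.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("\nUNCONFIGURED", "\n#UNCONFIGURED").replace("3128", "8123")

if __name__ == "__main__":
    for name, body in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name + ":", check_conf(body) or "OK")
```

Run it against your real file with check_conf(open("/etc/dansguardian/dansguardian.conf").read()); an empty list means the three essentials are in place.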


2. Polipo Proxy


A proxy is a program that sits between your computer and the Internet, regulating the data flow. Polipo is an exceptionally slim and fast proxy, and very easy to configure. It works as a transparent proxy, which means that it is invisible to other software using it. I have tried Squid and Oops before (both are reported to work with DansGuardian), but Polipo is clearly the one to choose if you are like me and want to get started without much hassle. As I said, any Internet request is filtered by DansGuardian before it reaches the browser. The proxy then acts as a go-between connecting DansGuardian to the Internet. Tiny Polipo is included in some Linux distributions like Gentoo, which is commendable. To install, enter in root console:

  1. Gentoo: emerge polipo && rc-update add polipo boot
  2. Debian/Ubuntu: apt-get install polipo

If you don't want Polipo to cache Web sites on your harddisk just leave the following entry in /etc/polipo/config blank:


  1. diskCacheRoot=


Ideally, DansGuardian and Polipo should be loaded through their corresponding Init Scripts at boot time (your system creates so-called Init Scripts if the programs are part of your distribution, but not if you have to download them manually). It is important that the proxy is launched first, otherwise DansGuardian will exit. The above install commands for Gentoo and Debian/Ubuntu instruct the system to start these programs in the correct order. On other systems you must instruct the service manager to start Polipo in runlevel "boot" and dansguardian in runlevel "default". In case this doesn't work for you, see the option with "local.start" under point 8.

3. Gnome

Gnome – the swift alternative to the wide-spread KDE graphical desktop environment! For Gnome users and anyone who wishes to become one, automatic redirection of Internet traffic to the port DansGuardian uses is quite easy. It is possible to force all HTTP traffic through another port with just a few Gnome commands. (These settings can also be made in Gnome's so-called gconf-editor, a graphical program to the same effect, but it should be used with extreme caution since these settings are quite crucial and delicate).

As far as I know, this kind of redirection only works for Gnome's in-built browsers Epiphany or Galeon. For any other browser the proxy has to be set in the browser (mostly in settings>proxy: 127.0.0.1:8080), or else by using IP-Tables (see below), which is safer because it cannot easily be overridden. (By the way, if you haven't heard of it, Epiphany is a great, easy-to-use browser with only few settings to worry about. If Firefox is a Jumbo, Epiphany is the Jet!)

To set the mandatory proxy in Gnome, enter the following 5 commands one after the other, as root in a console (just copy them over one by one, and don't break the line before the end of each command!), then restart Gnome.

  1. gconftool-2 --shutdown
  2. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=bool --set /system/http_proxy/use_http_proxy true
  3. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/http_proxy/host localhost
  4. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=int --set /system/http_proxy/port 8080
  5. gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type=string --set /system/proxy/mode manual

If you want to make sure that your Internet protection cannot be circumvented by using another browser you should delete Mozilla and/or Firefox/Seamonkey, or block the executable. Epiphany needs the Mozilla libraries to run, therefore one of these browsers is installed automatically alongside Epiphany or Galeon (to be precise, from version 2.14 Epiphany can be compiled in four ways, depending on the settings made while configuring. If you go to the trouble of downloading and installing Epiphany the non-standard way, you can run ./configure with the option --with-gecko=xulrunner. Xulrunner seems to be the preferred variant for future installations since no additional browser is installed.)

If you like it simple, just install Epiphany or Galeon as
described and then delete whichever browser is installed alongside with
it, i.e. Mozilla, Firefox or Seamonkey (but don't uninstall them
altogether, just block or delete the binary!). To block it, enter as
root:

  1. chmod 444 /usr/bin/firefox
  2. chmod 444 /usr/bin/seamonkey

(This makes it non-executable for root and users.) Or, to delete it (which is even safer!), enter:
  1. rm /usr/bin/firefox
  2. rm /usr/bin/seamonkey

If you prefer to filter Firefox and Seamonkey too, see point 6.

4. KDE

Even for the KDE desktop environment you need not necessarily go to
the trouble of setting up iptables, although it is true that iptables
rules are harder to break than other means of controlling Internet
traffic. So just go to
the KDE Control Centre, and there in the section "Proxy Server" tick
the boxes "manual" and "permanent connection". Then click on "Setting"
and for HTTP Proxy enter 127.0.0.1 and 8080.

Again, these settings are only recognised by the KDE in-built browser
Konqueror. For any other browser the proxy must be set individually
(i.e. in the browser itself or through IP-Tables, see below). For
additional safety the proxy settings can be made unchangeable for users
with the KDE Kiosktool (this should be part of your KDE distribution, if not download it from Kiosktool).



5. Other Linux Desktops

If you fancy super light-weight desktops like xfce4, icewm, rox, blackbox, sawfish, afterstep, fvwm, larswm, twm, dwm,
the combination of DansGuardian-Polipo-Epiphany/Galeon will be your
friend just the same. The trick is that the Gnome GConf Editor works
independently of a full Gnome installation. If you happen to have a
Gentoo-Linux setup, the following root command will install all
necessary programs and libraries for you:

  1. emerge gconf epiphany dansguardian polipo

Following that, the configuration process as described above must ensue, including the gconftool-2 commands (see under Gnome). The same is true here, of course: these settings only affect the Gnome browsers Epiphany and Galeon; any other browser will escape filtering unless the proxy is set in the browser proper or via IP-Tables.

6. Lock proxy settings in Firefox and Seamonkey
In order to lock the corresponding settings in Mozilla browsers for the user without implementing IP-Tables, the following steps are necessary:

1. Open the Mozilla system file all.js as root in a text editor. It resides in /usr/lib/firefox/greprefs or /usr/lib/seamonkey/greprefs. Add the following line:


pref("general.config.filename", "mozilla.cfg");


2. In a text editor create a file named mozilla.txt with the following content:

lockPref("app.update.enabled", false);
lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
lockPref("network.proxy.share_proxy_settings", false);

and save it wherever you like.
3. Visit the Internet site Automatic Mozilla Configurator and upload the newly created file where it says "Upload mozilla.txt to get mozilla.cfg". An encrypted file by the name of mozilla.cfg is then created for you. Copy it as root to the browser's root directory, i.e. /usr/lib/seamonkey or /usr/lib/firefox.

From now the user cannot change these settings.

Watch out! Whenever the browser is reinstalled or updated, the file all.js is overwritten!!! So make a copy of it and be ready to copy it to the right location afterward.
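If you would rather not upload the file to a website, the encoding can be done offline. This is an added example, not from the guide, the configurator site or Mozilla; it assumes that the legacy mozilla.cfg format is simply the prefs text with every byte shifted by 13 (the value of the browser's general.config.obscure_value default, which it subtracts again on load) and that the browser skips the first line of the file:

```python
"""Produce the locked-preferences file mozilla.cfg from this guide's lockPref
lines.  Added example, not from the guide or Mozilla.  Assumption: the legacy
mozilla.cfg format is the prefs text with every byte shifted by 13, which is what
the 'Automatic Mozilla Configurator' applies and general.config.obscure_value
(default 13) tells the browser to undo."""
from pathlib import Path

OBSCURE_VALUE = 13  # Firefox default for general.config.obscure_value

# Proxy lock-down from point 6 (127.0.0.1:8080 is DansGuardian's filter port).
# The browser skips the first line of mozilla.cfg, so it must be a comment.
MOZILLA_TXT = """// locked proxy settings, generated offline
lockPref("app.update.enabled", false);
lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
lockPref("network.proxy.share_proxy_settings", false);
"""


def byteshift(data: bytes, offset: int) -> bytes:
    """Add `offset` to every byte modulo 256; a negative offset reverses it."""
    return bytes((b + offset) % 256 for b in data)


def encode_cfg(text: str) -> bytes:
    """mozilla.txt text -> mozilla.cfg bytes."""
    return byteshift(text.encode("ascii"), OBSCURE_VALUE)


def decode_cfg(data: bytes) -> str:
    """mozilla.cfg bytes -> readable prefs text (what the browser evaluates)."""
    return byteshift(data, -OBSCURE_VALUE).decode("ascii")


def locked_prefs(text: str) -> dict:
    """Map each lockPref name to its raw JS value, to audit a decoded file."""
    prefs = {}
    for line in text.splitlines():
        if line.startswith("lockPref("):
            name, value = line[len("lockPref("):].rstrip(");").split(",", 1)
            prefs[name.strip().strip('"')] = value.strip()
    return prefs


if __name__ == "__main__":
    Path("mozilla.cfg").write_bytes(encode_cfg(MOZILLA_TXT))
    print(locked_prefs(decode_cfg(Path("mozilla.cfg").read_bytes())))
```

decode_cfg followed by locked_prefs also lets you audit an existing mozilla.cfg after a browser update to confirm the proxy lock is still the one you intended.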


7. HTTP_PROXY Environment Variable

Another easy way to redirect web traffic in your browser is to set the HTTP_PROXY variable before starting the browser. Unfortunately this variable is not respected by the majority of browsers. In my own experience, it works only with Dillo, Opera and Amaya.

In order to make the variable effective, enter the following command before launching the browser:

  1. export HTTP_PROXY="127.0.0.1:8080"

In order to have the variable set automatically at every login, you can add the same line to the file .bash_profile in your home directory. Command:
  1. echo 'export HTTP_PROXY="127.0.0.1:8080"' >> ~/.bash_profile

The drawback of this method is that the user can change the proxy
settings in the browser's preferences menu (except for Dillo where this
is possible only by changing the configuration file).

8. IP-Tables

This is the safest way to redirect Internet connections on any system other than Gnome, but it's the trickiest of all. To start with, the program iptables must be installed and supported by the Linux kernel, which seems to be the case in most modern distributions. The script here below should now work on any normal home PC (many thanks to Florian and Michael!). Try it in your root console. If you are successful, all your HTTP traffic will immediately go through port 8080, and you won't have a working Internet connection left unless DansGuardian is running. Note that the rule only matches TCP port 80: HTTPS (port 443) and traffic on other ports are not redirected and therefore not filtered. In order for the redirection to be in effect right from system start, you should add the script to your /etc/conf.d/local.start or /etc/rc.d/rc.local file (similar names are possible, see your distribution specifics).


Some exotic browsers like hv3 use their own cache proxy, and these require a separate rule each (model it on the Polipo rule in the script and adapt it to your needs):



#!/bin/sh
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush all rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Let Polipo out
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner polipo -j ACCEPT
# Forward all web traffic to dansguardian
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080


Careful: Debian/Ubuntu seem to run Polipo as root; in that case change the above entry to "--uid-owner root". Bear in mind that this exempts every process running as root from the redirect, not just Polipo.



Hereafter you might want to add the lines

  1. polipo
  2. dansguardian

in case you haven't succeeded with your Init Scripts (see above).
Making your own start script

If you couldn't find any local.start script in your Linux distribution the following trick will do:


1. Create a new file with any name, let's call it local.start for simplicity's sake, preferably in the /etc directory:

  1. touch /etc/local.start

Then, as root, edit the file in a text editor. The first line must be:
  1. #!/bin/sh

Below add any of the commands explained above, taking a new line for each one.

2. Make the file executable with the command:

  1. chmod 755 /etc/local.start


3. In the file /etc/inittab add the following line:

  1. lo:2345:once:/etc/local.start


Thus the programs will be executed automatically at boot time.

Good luck!

P. Vollmar


