How to install Dansguardian Web Content Filter in Fedora
Note: If you use Ubuntu, an excellent guide on how to install Dansguardian is on http://ubuntuforums.org/showthread.php?t=207008. I installed Ubuntu 8.04 on an older machine on Aug. 6, 2008, and followed the directions listed on the Ubuntu forum. Dansguardian works great!
I'm excited to share a foolproof method of web content filtering that no one without root access, no matter how clever, can undo if set up properly on a Linux PC!
Inappropriate Internet content defined: Anything you would not want your child to view or read!
I found the original instructions on how to set up Dansguardian on http://www.linux.com/articles/113733. I wrote up this page because there were some things that I felt were not exactly correct on the page I got many of these instructions from. I wanted to make things as simple and as clear as possible for not only myself, but for others.
Dansguardian needs a proxy server such as Squid or Tinyproxy to do the job. I used to use Tinyproxy but learned that Squid gives better performance. Squid has caching capabilities which means it uses less bandwidth.
Dansguardian is so effective it's even blocking me from viewing this very page because of the words "Internet pornography" and "softporn" on the page! I'll have to edit Dansguardian's exceptionsitelist file to include this page so I can view it.
All of the commands are done from Terminal.
- In Terminal log into root with the su - command and type your root password. The space - after su is necessary to get root's path.
su -
- In Terminal enter the following command to install Squid.
yum install squid -y
- Find out your DNS nameserver by entering in Terminal the following command:
cat /etc/resolv.conf
In my case the screen output showed:
nameserver 192.168.1.1
Another way you can find out your DNS nameserver is by entering from Terminal in Root:
ip route
and seeing the output on the second line.
Remember the nameserver value because you need to add it to the squid.conf file.
- In your favorite text editor (I use gedit) open up /etc/squid/squid.conf. Find the line that says
http_port 3128
and add 127.0.0.1: before 3128 and the word transparent after 3128 so that it looks like this:
http_port 127.0.0.1:3128 transparent
- Find the line
#cache_effective_user squid
Remove the hash mark in front of it, and under that line, add:
cache_effective_group squid
The two lines should therefore look like this:
cache_effective_user squid
cache_effective_group squid
- At the end of the file, type
dns_nameservers
followed by a space and enter the value of the nameserver of your machine. In my case the last line looks like this:
dns_nameservers 192.168.1.1
- Save the file and exit the text editor.
- Go to http://dag.wieers.com/rpm/packages/dansguardian/ and download the latest Dansguardian that matches your CPU architecture, either the .i386.rpm or the .x86_64.rpm.
- In your favorite text editor, open /etc/dansguardian/dansguardian.conf
- Search for the word filterip and edit that line adding 127.0.0.1 after filterip = so it looks like this:
filterip = 127.0.0.1
- Search for the words daemonuser and daemongroup. Remove the hash marks before them, and change the word 'nobody' between the single quote marks to the word 'squid'. It should look like this:
daemonuser = 'squid'
daemongroup = 'squid'
- Save the file and exit the editor program.
- Set up Iptables with the following commands:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
iptables-save > /etc/sysconfig/iptables
service iptables restart
- Change ownership of two directories with the following commands:
chown -R squid /var/log/dansguardian
chgrp -R squid /var/log/dansguardian
chown -R squid /var/spool/squid
- Enter the following commands:
chkconfig httpd on
chkconfig squid on
chkconfig dansguardian on
service squid start
service dansguardian start
- If you use Gnome, enter in Terminal:
gnome-network-preferences
In the Network Proxy Preferences click on Manual proxy configuration to put a dot in the circle. Enter the value of 127.0.0.1 in the HTTP proxy section. The Port should already have the value of 8080. You need to do this in order for your browser, Yum, PackageManager, Gnome Weather, Google Earth and any other application that uses the HTTP port to be able to connect to the Internet after doing all of the above. I'm sure KDE has some similar system proxy configuration GUI.
If you get an error message that either Squid or Dansguardian could not start, the most likely reason is ownership was not set correctly as mentioned in point 6. I had to manually change ownership to Squid for it to work. The ownership was previously a number: 501. I have no idea why. :-(
Note that unless both Squid and Dansguardian are running after you make changes to Iptables and restart it, you won't be able to access any Internet content at all! After Internet traffic is set with Iptables to go through Squid and Dansguardian, both must be running properly or you won't have any Internet access whatsoever until you either fix the problem or reset Iptables as it was by default.
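The order of the four Iptables rules above matters: the ACCEPT exemptions for the squid user must come before the REDIRECT rules for the same port, or the proxy's own traffic is redirected back into Dansguardian. The script below is an added example, not part of the original guide, that checks this order in the output of iptables-save; the function names, the sample dumps and uid 23 are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks rule ORDER in the nat OUTPUT chain of an iptables-save dump.
# The "--uid-owner squid ... ACCEPT" exemption has to come before the REDIRECT to
# 8080 for the same port; otherwise the proxy's own traffic is sent back into
# Dansguardian. iptables-save prints the owner as a numeric uid, so pass that in.

# usage: iptables-save | check_redirect_order PORT SQUID_UID
# prints one of: ok | loop | missing-exempt | missing-redirect
check_redirect_order() {
    awk -v port="$1" -v owner="$2" '
        /^\*/ { table = $1 }                          # table header such as "*nat"
        table == "*nat" && $1 == "-A" && $2 == "OUTPUT" {
            n++                                       # position within the chain
            if ($0 !~ ("--dport " port "( |$)")) next
            if ($0 ~ ("--uid-owner (squid|" owner ")( |$)") && $0 ~ /-j ACCEPT/) {
                if (!exempt) exempt = n
            } else if ($0 ~ /-j REDIRECT/ && $0 ~ /--to-ports 8080/) {
                if (!redirect) redirect = n
            }
        }
        END {
            if (!redirect)              print "missing-redirect"
            else if (!exempt)           print "missing-exempt"
            else if (exempt > redirect) print "loop"
            else                        print "ok"
        }'
}

# Constructed sample dumps (not captured from a real host); uid 23 stands in for squid.
sample_dump() {
    ex80='-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 23 -j ACCEPT'
    ex3128='-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 23 -j ACCEPT'
    rd80='-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
    rd3128='-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080'
    printf '%s\n' '*nat' ':OUTPUT ACCEPT [0:0]'
    case "$1" in
        guide)      printf '%s\n' "$ex80" "$ex3128" "$rd80" "$rd3128" ;;  # order used above
        reversed)   printf '%s\n' "$rd80" "$rd3128" "$ex80" "$ex3128" ;;
        unexempted) printf '%s\n' "$rd80" "$rd3128" ;;
    esac
    printf '%s\n' 'COMMIT'
}

for variant in guide reversed unexempted; do
    for port in 80 3128; do
        printf '%s port %s: %s\n' "$variant" "$port" \
            "$(sample_dump "$variant" | check_redirect_order "$port" 23)"
    done
done
```

On a live machine, run it as root with the real uid: iptables-save | check_redirect_order 80 "$(id -u squid)".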
Dansguardian would not permit me to download even compressed files after it was up and running. I had to edit the configuration files in /etc/dansguardian/ in order to permit Dansguardian to allow the download of certain files. Specifically I put hash (#) marks in front of certain lines in /etc/dansguardian/bannedextensionlist and /etc/dansguardian/bannedmimetypelist. Of course these files can only be edited with root access and so unless one knows the root password, I do not see how anyone can undermine Dansguardian's effectiveness.
To test my setup, I entered playboy.com in the location bar of Firefox.
After that I browsed to several web sites that I know to be perfectly safe. Dansguardian did not stop me nor even seemingly slow me down. The cool thing about using Dansguardian is that web content filtering is not dependent on the browser! In Windows you can set up content filtering in Internet Explorer, but any kid can get around it simply by installing and using Firefox or any other browser. I could not access playboy.com even by using Lynx which is a browser that can only display text!!! So that means that not only graphics, but even text of offensive pages are filtered! When browsing the Internet, what can be safer? Just think how great this can be for your family! If your family PC is set up with Dansguardian in this manner in Linux, you can know without a doubt your children will be safe from running into Internet pornography even accidentally and even without close supervision!
A very cool point about this setup is that it affects all user accounts in Linux, and even if that user happens to be logged in as Root! With Dansguardian running, even Root cannot access relatively mild so called "softporn" web sites like playboy.com either accidentally or intentionally! Of course browsing the Internet in Root is something no good administrator would EVER do!