How to install Dansguardian Web Content Filter in Fedora

Updated June 19, 2011 on Fedora 15
Note: If you use Ubuntu, an excellent guide on how to install Dansguarian is on http://ubuntuforums.org/showthread.php?t=207008 I installed Ubuntu 8.04 on an older machine on Aug. 6, 2008, and followed the directions listed on the Ubuntu forum. Dansguardian works great!

I'm excited to share a foolproof method of web content filtering that no one without root access, no matter how clever, can undo if set up properly on a Linux PC!

Inappropriate Internet content defined: Anything you would not want your child to view or read!

I found the original instructions on how to setup up Dansguardian on http://www.linux.com/articles/113733 I wrote up this page because there were some things I felt that were not exactly correct on page I got many of these instructions from. I wanted to make things as simple and as clear as possible for not only myself, but for others.

Dansguardian needs a proxy server such as Squid or Tinyproxy to do the job. I used to use Tinyproxy but learned that Squid gives better performance. Squid has caching capabilities which means it uses less bandwidth.

Dansguardian is so effective it's even blocking me from viewing this very page because of the words "Internet pornography" and "softporn" on the page! I'll have to edit Dansguardian's exceptionsitelist file to include this page so I can view it.

All of the commands are done from Terminal.

  1. In Terminal log into root with the su - command and type your root password. The space - after su is necessary to get root's path.
    su
  2. In Terminal enter the following command to install Squid.
    yum install dansguardian squid -y
  3. In your favorite text editor (I use gedit) open up /etc/squid/squid.conf. Find the line that says
    http_port 3128
    and edit the line so that it looks like this:
    http_port 127.0.0.1:3128 transparent
  4. Add a line that says visible_hostname, a space and your hostname following. You can find it in the command prompt after the @ mark. Mine is phenom9350. Therefore the line I added is:
    visible_hostname phenom9350
  5. Below that line, add these three lines:
    cache_effective_user squid
    cache_effective_group squid
    shutdown_lifetime 2 seconds
    
  6. Save the file and exit the text editor.
  7. In your favorite text editor, open /etc/dansguardian/dansguardian.conf
  8. Search for the word filterip and edit that line adding 127.0.0.1 after filterip = so it looks like this:
    filterip = 127.0.0.1
  9. Search for the words daemonuser and daemongroup. Remove the hash marks before them, and change the word 'nobody' between the single quote marks to the word 'squid'. It should look like this:
    daemonuser = 'squid'
    daemongroup = 'squid'
  10. Save the file and exit the editor program.
  11. Setup Iptables with the following commands:
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
    iptables-save > /etc/sysconfig/iptables
    service iptables restart
  12. Change ownership of two directories with the following commands:
    chown -R squid /var/log/dansguardian
    chgrp -R squid /var/log/dansguardian
    chown -R squid /var/spool/squid
  13. Enter the following commands:
    chkconfig httpd on
    chkconfig squid on
    chkconfig dansguardian on
    service squid start
    service dansguardian start
  14. Google's image search is able to get around Dansguadian somewhat, and especially in the last few months after Google started using a different procedure to search images. There is only one sure way to stop it, and that is to block Google entirely! Updating squid.conf with the following lines was easier for me to do than to try to figure our how to do it with Dansguardian

    acl blockregexurl url_regex -i google
    http_access deny blockregexurl

If you get an error message that either Squid or Dansguardian could not start, the most likely reason is ownership was not set correctly.

Note that unless both Squid and Dansguardian are running after you make changes to Iptables and restart it, you won't be able to access any Internet content at all! After Internet traffic is set with Iptables to go through Squid and Dansguardian, both must be running properly or you won't have any Internet access whatsoever until you either fix the problem or reset Iptables as it was by default.

From the first time that I wrote up this tutorial till now, Squid has gone through changes in the configuration settings. This page has been updated regularly to keep up with the changes.

Dansguardian would not permit me to download even compressed files after it was up and running. I had to edit the configuration files in /etc/dansguardian/lists in order to permit Dansguardian to allow the download of certain files. These files can only be edited in root. Specifically I put hash (#) marks in front of certain lines in /etc/dansguardian/lists/bannedextensionlist and /etc/dansguardian/lists/bannedmimetypelist. Of course these files can only be edited with root access and so unless one knows the root password, I do not see how anyone can undermine Dansguardian's effectiveness.

There are other files in the /etc/dansguardian/lists directory that you might want to study and edit in order to either block or allow the internet content you choose. For me the most important files to edit besides the two files already mentioned above, they are,

You may want to edit some of the other files in /etc/dansguardian/lists/ as well.

Access Denied

To test my setup, I entered playboy.com in the location bar of Firefox. Click the image on the right to see an enlargement of the screenshot of the result!

After that I browsed to several web sites that I know to be perfectly safe. Dansguardian did not stop me nor even seemingly slow me down. The cool thing about using Dansguardian is that web content filtering is not dependant on the browser! In Windows you can set up content filtering in Internet Explorer, but any kid can get around it simply by installing and using Firefox or any other browser. I could not access playboy.com even by using Lynx which is a browser that can only display text!!! So that means that not only graphics, but even text of offensive pages are filtered! When browsing the Internet, what can be safer? Just think how great this can be for your family! If your family PC is set up with Dansguardian in this manner in Linux, you can know without a doubt your children will be safe from running into Internet pornography even accidentally and even without close supervision!

A very cool point about this setup is that it affects all user accounts in Linux, and even if that user happens to be logged in as Root! With Dansguardian running, even Root cannot access relatively mild so called "softporn" web sites like playboy.com either accidentally or intentionally! Of course browsing the Internet in Root is something no good administrator would EVER do!

Comments? Questions? Errors found? Email: Write me at:

Free free to copy any portion of this page providing you make a link back to it.
Valid HTML 4.01! handcode (2K) w3ccss (1K) Standard of excellence