How to install Dansguardian Web Content Filter in Fedora using Tinyproxy
Please also see my other tutorial on how to set up Internet content filtering using Squid rather than Tinyproxy. Squid seems to do a better job.
I'm excited to share a foolproof method of web content filtering that no one without root access, no matter how clever, can undo if set up properly on a Linux PC!
Inappropriate Internet content defined: Anything you would not want your child to view or read!
I found the original instructions on how to set up Dansguardian at http://www.linux.com/articles/113733, which uses Squid version 2.5, and wrote up instructions based on it to make things even clearer for me. But because I couldn't install Squid version 2.5 in Fedora version 9, and because I can't figure out how to make Dansguardian work with the latest Squid version 3, I googled and learned how to make it work with Tinyproxy. Therefore this newest tutorial is based on Dansguardian using Tinyproxy rather than Squid.
Dansguardian is so effective it's even blocking me from viewing this very page because of the words "Internet pornography" and "softporn" on the page! I'll have to edit Dansguardian's exceptionsitelist file to include this page so I can view it.
All of the commands are done from Terminal.
- In Terminal log into root with the su - command and type your root password. The space - after su is necessary to get root's path.
su -
- Download and install Tinyproxy for your architecture from http://rpm.pbone.net/index.php3/stat/3/srodzaj/1/search/config(tinyproxy) The default settings of Tinyproxy will work perfectly fine. No editing of /etc/tinyproxy/tinyproxy.conf is required.
- Go to http://dag.wieers.com/rpm/packages/dansguardian/ and download the latest Dansguardian that matches your CPU architecture, either the .i386.rpm or the .x86_64.rpm.
- In your favorite text editor, open /etc/dansguardian/dansguardian.conf
- Search for the word filterip and edit that line adding 127.0.0.1 after filterip = so it looks like this:
filterip = 127.0.0.1
- Edit the line that says proxyport = 3128 and change the number from 3128 to 8888 so that it looks like this:
proxyport = 8888
- Save the file and exit the editor program.
- Set up iptables with the following commands:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 8888 -m owner --uid-owner nobody -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 8888 -j REDIRECT --to-ports 8080
iptables-save > /etc/sysconfig/iptables
service iptables restart
- Or you can simply download a script I made to set up iptables for Dansguardian, make it executable, copy it to your /home/username/bin directory, and run it after logging into root from Terminal by entering:
reset-iptables
- Enter the following commands:
chkconfig tinyproxy on
chkconfig dansguardian on
service tinyproxy start
service dansguardian start
You should not see any error messages after any of these commands. If you do, you may have missed something in the instructions before these commands.
- Configure your browser's connection settings for a manual proxy configuration. The HTTP Proxy should be 127.0.0.1 and the Port number is 8080. If you don't, you won't be able to connect to the Internet until you do, assuming that you ran the iptables commands correctly.
- If you use Gnome, open up the Gnome Configuration Editor, click on System, click on Proxy, edit the socks_host key to have the value of 127.0.0.1 and edit the socks_port key to have a value of 8080. You need to do this in order for Yum, PackageManager, Gnome Weather and Google Earth to be able to connect to the Internet after doing all of the above. I'm sure KDE has some similar system proxy configuration GUI.
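The iptables rules in the steps above only work in the order given: the ACCEPT rules for user nobody must come before the REDIRECT rules, because the first matching rule in the chain wins. The check below is an added example, not part of the original tutorial; it assumes, as the --uid-owner nobody rules imply, that Dansguardian and Tinyproxy both run as user nobody, and the function name check_redirect_order and both sample rule sets are constructed for illustration.

```bash
# Usage: check_redirect_order OWNER FILTER_PORT < saved-rules
# Reads iptables-save text on stdin. Every port redirected to FILTER_PORT in
# the nat OUTPUT chain needs an earlier ACCEPT rule for OWNER on that port;
# without it the proxies' own outbound traffic is redirected back into the
# filter and loops. Returns 0 if the order is safe, 1 otherwise.
check_redirect_order() {
    awk -v owner="$1" -v fport="$2" '
        /^\*/ { table = $1 }                 # table header: *nat, *filter, ...
        table != "*nat" || $1 != "-A" || $2 != "OUTPUT" { next }
        {
            dport = uid = target = to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport")     dport  = $(i + 1)
                if ($i == "--uid-owner") uid    = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
                if ($i == "--to-ports")  to     = $(i + 1)
            }
        }
        target == "ACCEPT" && uid == owner { exempt[dport] = 1 }
        target == "REDIRECT" && to == fport {
            redirected++
            if (!(dport in exempt)) { print "port " dport ": redirect before exemption"; bad++ }
        }
        END {
            if (!redirected) { print "no redirect to port " fport " found"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the rules from this tutorial in iptables-save form.
good_rules='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8888 -m owner --uid-owner nobody -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 8888 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed sample: the port 80 exemption was appended after its redirect.
bad_rules='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 8888 -m owner --uid-owner nobody -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 8888 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
COMMIT'

printf '%s\n' "$good_rules" | check_redirect_order nobody 8080 && echo "tutorial order: OK"
printf '%s\n' "$bad_rules"  | check_redirect_order nobody 8080 || echo "misordered set: rejected"
```

On a live system, run it as root against the saved rules with check_redirect_order nobody 8080 < /etc/sysconfig/iptables. If the saved file shows a numeric UID after --uid-owner, pass that number instead of nobody.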
If you did all the above correctly, you should now have internet content filtering that even your clever teenage boy won't be able to undo without knowing how to reset iptables. And even if he does know about Iptables, he won't be able to reset it without root access and knowing the root password.
Note that unless both Tinyproxy and Dansguardian are running after you make changes to iptables and restart it, you won't be able to access any Internet content at all! After Internet traffic is set with iptables to go through Tinyproxy and Dansguardian, both must be running properly or you won't have any Internet access whatsoever until you either fix the problem or reset iptables as it was by default.
If you do a lot of searching on Google, Dansguardian may block an entire page of search results if even one of those results exceeds the naughtiness limit. To fix that, in root open up /etc/dansguardian/exceptionsitelist and add the line:
google.com
This will allow all search results to be viewed, but it will also allow all images to be shown in images.google.com. If you would like to prevent that, you can do so by editing /etc/dansguardian/bannedurllist and adding the line:
images.google.com
Dansguardian would not permit me to download even compressed files after it was up and running. I had to edit the configuration files in /etc/dansguardian/ in order to permit Dansguardian to allow the download of certain files. Specifically I put hash (#) marks in front of certain lines in /etc/dansguardian/bannedextensionlist and /etc/dansguardian/bannedmimetypelist. Of course these files can only be edited with root access and so unless one knows the root password, I do not see how anyone can undermine Dansguardian's effectiveness.
To test my setup, I entered playboy.com in the location bar of Firefox.
After that I browsed to several web sites that I know to be perfectly safe. Dansguardian did not stop me nor even seemingly slow me down. The cool thing about using Dansguardian is that web content filtering is not dependent on the browser! In Windows you can set up content filtering in Internet Explorer, but any kid can get around it simply by installing and using Firefox or any other browser. I could not access playboy.com even by using Lynx, which is a browser that can only display text!!! So that means that not only graphics, but even text of offensive pages are filtered! When browsing the Internet, what can be safer? Just think how great this can be for your family! If your family PC is set up with Dansguardian in this manner in Linux, you can know without a doubt your children will be safe from running into Internet pornography even accidentally and even without close supervision!
A very cool point about this setup is that it affects all user accounts in Linux, and even if that user happens to be logged in as Root! With Dansguardian running, even Root cannot access relatively mild so called "softporn" web sites like playboy.com either accidentally or intentionally! Of course browsing the Internet in Root is something no good administrator would EVER do!