Web filtering with Ubuntu, and Dans Guardian

OK, I have kiddies at home, kiddies that need not be exposed to some of the stuff on the net. Really it’s just too easy for them to wander off into the bushes and see stuff that a 7, 10 and 13 year old just doesn’t need to see.

Thus after much deliberation and investigation it was decided that Dansguardian was the way to go.

I initially installed the server version of feisty on an old laptop to give this a go.  It worked out OK, but the old laptop just didn’t have enough to keep things running smoothly for more than an hour. The lack of a GUI also made things a little more difficult when looking at the logs and stuff. (I was trapped in a 640×480 console environment and it just sucked).

So today I started over, again using the standard version of Ubuntu ‘Feisty edition’. If you’re using the server edition you can use this tutorial, which given it’s age has some pitfalls. Most notably you need to edit the firehol script to replace all instances of ‘%q’ with ‘%b’.

sudo gedit /lib/firehol/firehol (replace vi with you editor of choice) and replace all %q strings with %b.
This is documented in that thread somewhere toward page 7 I think.

After fumbling through that again, I figured there had to be a better way, and there is.

I opted for the Dansguardian/Web Content Filtering Only installer from the ‘Christian Edition’.

You still need to install ‘squid’ sudo apt-get squid

But after that it’s fairly painless. It also includes a pretty handy gui for tweaking the Dansguardian files.

The base network is set up like so:


Items of note:

  • Not all computers are filtered, but anyone can be by using the proxy manually by configuring the browser to do so.
  • Computers I WANT to be filtered are forced to do so by the following:
    • They have DHCP reservations for both their ethernet address and through the wireless to get an IP that I want them to have.
    • DHCP also give them bad DNS info.
    • They can access printers and what not on the local network.
    • Any traffic that tries to get outside from these addresses is dropped by an Access list in the router.
    • To surf, their browsers must be configured to use the proxy .99 on my network, else they go nowhere.
  • Yes, this isn’t perfect
    • The easy end around on this is to change your IP, and hard-code it to a valid IP.
    • But my kids can’t do that (yet) and they aren’t admins on the machines that are forced to the proxy anyway.
  • I’m sure there may be other ways around it that I haven’t thought of, but for now this is working well.