Ubuntu 12.04 Precise Pangolin and DansGuardian for Filtering and Public Wireless Access
Originally published on 2 November 2012. Last modified on 2 June 2015.
This is a quick step-by-step guide to how I implement DansGuardian on Ubuntu systems. It is all command line, with no hand-holding. For something easier, though out of date, try one of my earlier tutorials.
Introduction
Below are my local install notes for putting together a DansGuardian filtering system on Ubuntu 12.04 Precise Pangolin, including multiple filtering profiles and statistics. You’ll need to be pretty comfortable with Linux and the command line to replicate this. But it’s really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 2 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find it useful, too.
Install Ubuntu
- Start installing the server edition of Ubuntu Precise Pangolin.
- Partition the hard drive as you see fit.
- Choose LAMP and OpenSSH servers to install.
- Reboot, login, and apply all updates, and reboot again.
- At this point you should log in via SSH from another computer with a GUI so you can copy and paste commands. Things will go much quicker this way.
Tweak a Few Things
- Enable the root user, and disable sudo. Set the root password first, because moving /etc/sudoers away stops sudo working for everyone. Emptying /etc/securetty (rather than deleting it) means root cannot log in directly on any console; you reach root with su from a normal account:
$ sudo passwd root
$ su
# mv /etc/securetty /etc/securetty.bak; \
  touch /etc/securetty; \
  mv /etc/sudoers /etc/sudoers.bak
- Install NTP:
# apt-get install ntp
- Edit /etc/ntp.conf to add us.pool.ntp.org to the top of the list of servers already in there.
- Edit /etc/ssh/sshd_config. Set PermitRootLogin to no, set X11Forwarding to no, and uncomment the line #Banner /etc/issue.net. Restart the SSH service afterwards for the changes to take effect.
- Edit /etc/issue.net to give whatever notice your lawyers say is appropriate to people trying to log into your server:
*******************************************************************************
                               NOTICE TO USERS
This computer system is the property of the Branch District Library. It is for
authorized use only. Users (authorized or unauthorized) have no explicit or
implicit expectation of privacy. Any or all uses of this system and all files
on this system may be intercepted, monitored, recorded, copied, audited,
inspected, and disclosed to authorized officials of law enforcement and
government agencies. By using this system, the user consents to such
interception, monitoring, recording, auditing, inspection, and disclosure at
the discretion of the Branch District Library or other authorized officials of
law enforcement or government agencies. Unauthorized or improper use of this
system may result in civil and criminal penalties and administrative or
disciplinary action, as appropriate. By continuing to use this system you
indicate your awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this notice.
*******************************************************************************
- Edit /etc/network/interfaces. Leave the entry for eth0 alone and add the following for eth1. If your eth0 subnet is already 192.168.1.X, you’ll need to change the IP addresses throughout this tutorial to suit your situation. The gateway and dns-nameservers lines are only needed here if the eth0 stanza does not already provide them (a DHCP-configured eth0 does); if eth0 is static and already has a gateway line, drop it from eth1 so the machine does not try to install two default routes:
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway YOUR-GATEWAY-FOR-ETH0
    dns-nameservers YOUR-DNS-SERVER-1 YOUR-DNS-SERVER-2
- Restart networking:
# /etc/init.d/networking restart
DHCP Server
- Install the DHCP server and back up the original config file. On 12.04, dhcp3-server is a transitional package that pulls in isc-dhcp-server, which is why the service is restarted under that name below:
# apt-get install dhcp3-server; \
  mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
- Create a new /etc/dhcp/dhcpd.conf as needed, adding static address assignments for your library-provided public computers. If you don’t want to count your library computers in the statistics (we’ll cover that later), make sure all library public computers are defined in this file. The file should look something like this:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style none;
log-facility local7;
option routers 192.168.1.1;
option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;

subnet [Subnet of eth0, just ending in .0] netmask 255.255.255.0 {
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;    # desired public service IP address range
    host HOSTNAME-HERE {                  # host names for static IP assignment
        hardware ethernet MAC-ADDRESS-USING-COLONS;
        fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
    }
}
- Edit /etc/default/isc-dhcp-server and set INTERFACES="eth1" so that dhcpd only listens on the public side and never answers DHCP on your staff network. The empty subnet block for the eth0 subnet above is there only because dhcpd refuses to start when it finds an interface whose subnet is not declared; with INTERFACES set it is harmless to keep.
- Restart DHCP server:
# /etc/init.d/isc-dhcp-server restart
Shorewall
- Install shorewall and copy the configuration files:
# apt-get install shorewall; \
  cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
- Edit /etc/shorewall/shorewall.conf. Find the line that reads IP_FORWARDING=Keep and change it to IP_FORWARDING=On.
- Edit /etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect      dhcp
- Edit /etc/shorewall/masq:
#INTERFACE   SOURCE
eth0         192.168.1.0/24
eth0         YOUR-SUBNET-FOR-ETH0/24
- Edit /etc/shorewall/policy:
#SOURCE   DEST   POLICY
loc       all    REJECT
fw        all    REJECT
net       all    DROP
all       all    REJECT
- Edit /etc/shorewall/rules. At minimum, have the following rules. More likely, use the huge ruleset we normally use. Three things to keep in mind: the REDIRECT rules send only the listed TCP ports to DansGuardian, while port 443 is accepted straight out to net, so HTTPS traffic from the wireless side (including HTTPS search engines and webmail) is never filtered by this transparent setup; the REDIRECT rules apply to the loc zone only, so a staff-side (net) browser that should use the filter has to be pointed at an instance port explicitly, and since the three instances in this setup listen on 8081, 8082 and 8083, the net-to-fw rule below should name the port(s) you actually want staff browsers to use; and the net-to-fw rules for 22 and 80 expose SSH and the stats pages to everything that can reach eth0, not just your staff machines.
# Accept SSH connections for administration, and outgoing ssh from fw
ACCEPT    loc    fw     tcp    22
ACCEPT    net    fw     tcp    22
ACCEPT    fw     net    tcp    22
# Accept HTTP for the wifi stats
ACCEPT    loc    fw     tcp    80
ACCEPT    net    fw     tcp    80
# Allow web traffic out of the firewall
ACCEPT    fw     net    tcp    80,8000,8001,8080
# Allow pinging out through the web filter
ACCEPT    loc    net    icmp
# Allow DNS requests
ACCEPT    loc    net    tcp    53
ACCEPT    loc    net    udp    53
ACCEPT    fw     net    tcp    53
ACCEPT    fw     net    udp    53
# Allow POP3 email
ACCEPT    loc    net    tcp    110
# Allow NTP
ACCEPT    loc    net    udp    123
# Allow IMAP email
ACCEPT    loc    net    tcp    143
# Allow secure web sites
ACCEPT    loc    net    tcp    443
# Secure SMTP
ACCEPT    loc    net    tcp    465
# Allow DHCP requests
ACCEPT    loc    fw     tcp    546,547
ACCEPT    loc    fw     udp    67,68
ACCEPT    fw     net    tcp    546,547
ACCEPT    fw     net    udp    67,68
# smtp submission
ACCEPT    loc    net    tcp    587
# Allow Secure IMAP email
ACCEPT    loc    net    tcp    993
# Allow Secure POP3 email
ACCEPT    loc    net    tcp    995
# Allow both sides of the firewall to access the filter
# (as in your staff side can use the filter, too)
ACCEPT    net    fw     tcp    8080
# Route all HTTP traffic from library kids computers to the filter
# make the IP address range match your needs
REDIRECT  loc:192.168.1.11-192.168.1.20     8081    tcp    80,8000,8001,8080    -
# Route all HTTP traffic from library adult computers to the filter
# make the IP address range match your needs
REDIRECT  loc:192.168.1.21-192.168.1.30     8082    tcp    80,8000,8001,8080    -
# Route all HTTP traffic from patron devices to the filter
# make the IP address range match your needs
REDIRECT  loc:192.168.1.100-192.168.1.255   8083    tcp    80,8000,8001,8080    -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- Edit /etc/shorewall/zones:
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
- Edit /etc/default/shorewall. Change startup=0 to startup=1. Run shorewall check first, which parses the files above and reports errors without touching the running rules, then restart shorewall:
# shorewall restart
Squid
- Install Squid:
# apt-get install squid
- Edit /etc/squid3/squid.conf: search for http_port 3128 and change it to http_port 127.0.0.1:3128 transparent. Binding to 127.0.0.1 means only the local DansGuardian instances can use Squid; nothing on the wireless side can reach it directly. (Later Squid releases spell this option intercept; 3.1 still accepts transparent.) Search for # access_log /var/log/squid3/access.log squid. Add a line below it reading access_log none. Search for cache_store_log. There will be a commented-out block for this tag with Default: none at the bottom. Add a new line below it reading cache_store_log none. Finally, add lines like the ones below to the end of the file to throttle HTTP traffic as needed (the delay_parameters values are bytes per second for the fill rate and bytes for the bucket size; adjust them to match your bandwidth and throttling needs):
########Squid Delay Pools#########
# a simple global throttle, users sharing 5 Mbit/s
delay_pools 1
delay_class 1 1
# 5 Mbit/s fill rate, 6 Mbit/s reserve, units in bytes
delay_parameters 1 655360/786432
acl All src 0/0
delay_access 1 allow All
- Restart Squid:
# /etc/init.d/squid3 restart
DansGuardian
- Install DansGuardian:
# apt-get install dansguardian
- We’re going to have 3 instances of DansGuardian running: one for filtering kids’ computers in the library, on port 8081; one for adult computers in the library, on port 8082; and one for our free public wireless network for patrons’ own devices, on port 8083. One shared set of lists and plugins controls all 3 instances; only the three copies of dansguardian.conf and dansguardianf1.conf differ, to fine-tune each instance. The commands below symlink the binary once per instance, make separate configuration and log directories, copy the two per-instance config files, and symlink everything else back to the original configuration. For your copy and paste pleasure, they are written as one multi-line command that you can paste all at once:
# for i in 1 2 3; do \
    ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian$i; \
    mkdir /etc/dansguardian$i /var/log/dansguardian$i; \
    chown dansguardian:dansguardian /etc/dansguardian$i /var/log/dansguardian$i; \
    cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardianf1.conf /etc/dansguardian$i/; \
    for d in authplugins contentscanners downloadmanagers languages lists; do \
      ln -s /etc/dansguardian/$d /etc/dansguardian$i/$d; \
    done; \
  done
- Now we’ll modify the common configuration files.
- Open /etc/dansguardian/lists/bannedextensionlist. Comment out any file extension that you want to allow through the filter. Since we are not locking things down tightly the way a corporate environment might, you’ll probably want to comment out every line here. If you think you’ll never want to block specific file types, you could just select everything and delete the contents of the file to save time.
- /etc/dansguardian/lists/bannedmimetypelist is similar; you’ll probably want to comment out, or delete, all the lines.
- Now open /etc/dansguardian/lists/bannedregexpurllist. For a library, the directives in this file have a tendency to over-block, so comment out or delete all lines.
- /etc/dansguardian/lists/bannedsitelist is one of the more important files. This is where you can force an entire web site to be blocked. You can also use this file to make your filter a whitelist, that is, block every site you don’t explicitly allow. Finally, you also have the option to use some built-in blacklists. You likely won’t need to edit this file now, but later you might. The comments in the file explain how to enable the various options. One thing you will want to do for a library environment is comment out the advertisement blocking about halfway down the file.
- /etc/dansguardian/lists/bannedurllist works in a similar fashion, though only for individual pages within a larger web site, leaving the rest of the site alone. Like the last file, you probably don’t need to edit it now, except to comment out the ad blocking.
- The files starting with exception, like exceptionsitelist, work like the banned* ones above, only they apply to things you don’t want blocked. Bear in mind that a site on exceptionsitelist bypasses filtering entirely, phrase scanning included. Edit them as you see fit. At BDL we add all the major web mail providers to exceptionsitelist so that email never gets blocked, for example. Also add .edu, .gov, .mi.us, etc.
- /etc/dansguardian/lists/weightedphraselist contains pointers to the various categories of phrase lists that DansGuardian uses in evaluating web pages. There’s a nice description at the top of the file of how the term weighting works. Edit the file as you see fit, commenting out lines for things you don’t want blocked. For our example we’ll leave only the weighted phrase lists for good phrases and pornography, and comment out the rest.
- Edit /etc/dansguardian/lists/urlregexplist to add a little expression that always forces image searches on Google and Bing to be filtered. Add the following to the end of the file. The dots in the Bing host name are escaped so they match literal dots only. Note that the Shorewall rules above only redirect plain HTTP to the filter, so a search made over HTTPS never passes through DansGuardian and these rewrites cannot touch it:
# for Google
# we add &safe=vss to the end of every search
"(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss"
# for Bing
# similar, but &adlt=strict is the keyword
"(http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)"->"\1&adlt=strict"
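A quick way to see what those two rewrite rules will do to a given URL before restarting the filters. This is an added example, not part of the original page or of DansGuardian: sed -E stands in for DansGuardian's POSIX extended regex matching (an assumption; the page does not document DansGuardian's matching flags, and sed here is case-sensitive), and the '&' in each replacement is escaped because sed, unlike DansGuardian's "regex"->"replacement" syntax, treats a bare '&' as the whole match. The function names are mine.

```sh
#!/bin/sh
# Added example (not from the page): test the urlregexplist SafeSearch rules.
# sed -E approximates DansGuardian's POSIX extended regex engine (assumption);
# '\&' keeps the ampersand literal in the sed replacement.
dg_safesearch() {
  printf '%s\n' "$1" | sed -E \
    -e 's#(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)#\1\&safe=vss#' \
    -e 's#(http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)#\1\&adlt=strict#'
}

# Print one line per URL, flagging the ones the rules leave untouched.
dg_safesearch_report() {
  for u in "$@"; do
    r=$(dg_safesearch "$u")
    if [ "$r" = "$u" ]; then
      echo "unchanged: $u"
    else
      echo "rewritten: $u -> $r"
    fi
  done
}

# Demo: ./safesearch_test.sh --demo
# Shows that Bing video search and Google image search with a non-/search
# path are not covered by the two rules.
if [ "${1-}" = "--demo" ]; then
  dg_safesearch_report \
    'http://www.google.com/search?q=kittens' \
    'http://www.bing.com/images/search?q=kittens' \
    'http://www.bing.com/videos/search?q=kittens' \
    'http://www.google.com/images?q=kittens'
fi
```

Run it with --demo, or source it and call dg_safesearch on any URL you are unsure about; a URL reported as unchanged is one the filter will pass through without forcing safe search, whatever else the phrase lists do to it.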
- Edit /etc/dansguardian/languages/ukenglish/template.html as desired to change the page telling users they’ve been blocked. You can put images in this page, but they must be inserted inline, base64 encoded.
- Up to this point, even though we’re going to have 3 instances of DansGuardian running, we’ve been editing only one set of files, since all 3 instances share them. For the next steps, we’ll be editing the same files 3 times, once for each instance.
- Edit /etc/dansguardian1/dansguardian.conf, /etc/dansguardian2/dansguardian.conf, and /etc/dansguardian3/dansguardian.conf. The first thing to do is comment out the line near the top of the file that starts “UNCONFIGURED”. Next find loglevel = 2 and change the “2” to a “1”. Next, search for every instance of /etc/dansguardian/ and /var/log/dansguardian/ and replace “dansguardian” with “dansguardian1”, “dansguardian2”, or “dansguardian3”, as appropriate to the file you’re editing. There are many instances to change. Find the line filterport = 8080. Change “8080” to “8081”, “8082”, or “8083”, depending on which file you’re editing. Leave proxyip and proxyport at their defaults (127.0.0.1 and 3128), which match the Squid http_port set above. Find the following lines:
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
pidfilename = '/var/run/dansguardian.pid'
and change them to:
ipcfilename = '/tmp/.dguardian1ipc'
urlipcfilename = '/tmp/.dguardian1urlipc'
ipipcfilename = '/tmp/.dguardian1ipipc'
pidfilename = '/var/run/dansguardian1.pid'
Change the “1” to a “2” or “3” depending on the file you’re editing. The three instances must not share these IPC sockets or the pid file, or they will interfere with each other when started and stopped.
- Edit /etc/dansguardian1/dansguardianf1.conf, /etc/dansguardian2/dansguardianf1.conf, and /etc/dansguardian3/dansguardianf1.conf. Search for every instance of /etc/dansguardian/ and replace “dansguardian” with “dansguardian1”, “dansguardian2”, or “dansguardian3”, as appropriate to the file you’re editing. There are many instances to change. Next change the value for naughtynesslimit to a number that works best for you; it is the phrase-weight threshold at which a page is blocked, so a lower number blocks more. We use 100 for children, 200 for adults, and 250 for our public wireless network.
- We will now remove the original DansGuardian startup script:
# cd /etc/init.d/; \
  mv dansguardian dansguardian.orig; \
  update-rc.d dansguardian remove
- Create the three new startup scripts /etc/init.d/dansguardian1, /etc/init.d/dansguardian2 and /etc/init.d/dansguardian3 by pasting in the contents of the three files of the same name.
- Register the 3 new startup scripts:
# cd /etc/init.d/; \
  chmod +x dansguardian*; \
  update-rc.d dansguardian1 defaults 50 19; \
  update-rc.d dansguardian2 defaults 50 19; \
  update-rc.d dansguardian3 defaults 50 19
- Turn on all 3 instances of DansGuardian:
# /etc/init.d/dansguardian1 start; \
  /etc/init.d/dansguardian2 start; \
  /etc/init.d/dansguardian3 start
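The per-instance edits to dansguardian.conf and dansguardianf1.conf are the same handful of substitutions applied to three copies, which is easy to get wrong by hand. The script below is an added example, not part of the original page or of DansGuardian: it applies those substitutions with sed for one instance number and naughtynesslimit, and checks that no un-renamed /etc/dansguardian/ path is left behind. dg_write_sample writes a constructed, cut-down stand-in for the two stock config files (only the lines the substitutions touch) so the script can be run anywhere; on the real server you would point the functions at the copies made in /etc/dansguardianN/ instead. All function names are my own.

```sh
#!/bin/sh
# Added example (not from the page): generate the per-instance DansGuardian
# config edits with sed instead of editing three copies by hand.
#   dg_instance_conf  N SRC DST         N = instance number (1, 2 or 3)
#   dg_instance_fconf N LIMIT SRC DST   LIMIT = naughtynesslimit for that instance
#   dg_check_conf FILE                  succeeds only if no bare /etc/dansguardian/ path remains

dg_instance_conf() {
  n="$1"; src="$2"; dst="$3"
  sed \
    -e 's|^UNCONFIGURED|#UNCONFIGURED|' \
    -e 's|^loglevel = 2|loglevel = 1|' \
    -e "s|/etc/dansguardian/|/etc/dansguardian${n}/|g" \
    -e "s|/var/log/dansguardian/|/var/log/dansguardian${n}/|g" \
    -e "s|^filterport = 8080|filterport = 808${n}|" \
    -e "s|/tmp/\.dguardianipc|/tmp/.dguardian${n}ipc|" \
    -e "s|/tmp/\.dguardianurlipc|/tmp/.dguardian${n}urlipc|" \
    -e "s|/tmp/\.dguardianipipc|/tmp/.dguardian${n}ipipc|" \
    -e "s|/var/run/dansguardian\.pid|/var/run/dansguardian${n}.pid|" \
    "$src" > "$dst"
}

dg_instance_fconf() {
  n="$1"; limit="$2"; src="$3"; dst="$4"
  sed \
    -e "s|/etc/dansguardian/|/etc/dansguardian${n}/|g" \
    -e "s|^naughtynesslimit = .*|naughtynesslimit = ${limit}|" \
    "$src" > "$dst"
}

# A finished per-instance file must not still point at the shared directory.
dg_check_conf() {
  ! grep -q '/etc/dansguardian/' "$1"
}

# Constructed stand-ins for the stock config files, written into DIR.
dg_write_sample() {
  cat > "$1/dansguardian.conf" <<'EOF'
UNCONFIGURED - Please remove this line after configuration
loglevel = 2
loglocation = '/var/log/dansguardian/access.log'
languagedir = '/etc/dansguardian/languages'
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
pidfilename = '/var/run/dansguardian.pid'
EOF
  cat > "$1/dansguardianf1.conf" <<'EOF'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
naughtynesslimit = 50
EOF
}

# Demo: build all three instances from the sample with the limits used above.
dg_demo() {
  d=$(mktemp -d)
  dg_write_sample "$d"
  for pair in "1 100" "2 200" "3 250"; do
    set -- $pair
    dg_instance_conf "$1" "$d/dansguardian.conf" "$d/dg$1.conf"
    dg_instance_fconf "$1" "$2" "$d/dansguardianf1.conf" "$d/dg$1f1.conf"
    echo "== instance $1 =="
    grep -h 'filterport\|pidfilename\|naughtynesslimit\|bannedsitelist' "$d/dg$1.conf" "$d/dg$1f1.conf"
    dg_check_conf "$d/dg$1.conf" && dg_check_conf "$d/dg$1f1.conf" && echo "no shared paths left"
  done
  rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then dg_demo; fi
```

On the real box, running dg_check_conf against /etc/dansguardianN/dansguardian.conf and dansguardianf1.conf after editing is a cheap way to confirm an instance is not still writing its logs or reading its lists through the shared /etc/dansguardian/ tree.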
Public Computer Lab Session Timer
- Download the session timer software and copy it to /var/www. Copy the appropriately customized index.php, backbone.php, and stats.html into the session timer folder. Set the permissions appropriately:
# chgrp -R www-data /var/www/signup; \
  chmod 664 /var/www/signup/laptops_available; \
  chmod 664 /var/www/signup/time_override
- Edit /etc/mysql/my.cnf to allow network connections (our custom firewall rules limit this to the appropriate machines; note that the minimal Shorewall ruleset above has no rule for tcp 3306, so the REJECT policy blocks every remote MySQL connection until you add an ACCEPT for just the hosts that need it). Find the line bind-address = 127.0.0.1 and comment it out. Find max_connections and raise it well above the default; MySQL 5.5 caps it at 100000, so a larger value like the 1000000 we use is clamped to that. Restart MySQL:
# /etc/init.d/mysql restart
- Import the session timer database backup:
Statistics
- Install phpMyAdmin. We don’t actually need it to get the system running, but it’s nice to have if we ever need to look at the stats database directly. You can access it at http://YOUR-SERVER-IP-ADDRESS-OR-URL/phpmyadmin. Keep in mind that the firewall rules above accept port 80 from both zones, so this page is reachable from every patron device and its MySQL login is the only thing protecting the database; restrict it to staff addresses in Apache, or leave it uninstalled until you need it.
# apt-get install phpmyadmin
- Our stats setup will log hourly stats for any computer that doesn’t have a static definition in /etc/dhcp/dhcpd.conf. Create the MySQL database for tracking stats:
# mysql -u root -p
mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
mysql> quit;
- Do ONLY ONE of the following:
  - Import any stats you might have exported from an earlier installation (you can use phpMyAdmin to easily export stats from your server):
# mysql -u root -p wifi_stats < old_exported_wifi_stats.sql
  -OR-
  - Copy and paste the contents of wifi_stats.sql into a file of the same name in your current directory. This is the database schema, which creates an empty database. Import your file into MySQL:
# mysql -u root -p wifi_stats < wifi_stats.sql
- Copy and paste the contents of wifi_stats.php into the file /var/www/wifi_stats.php. Edit the top of the file to enter your own password.
- Copy and paste the contents of DHCPd-parse.php into the file /var/www/DHCPd-parse.php. Edit the top of the file to enter your own password. You can look at your collected stats at http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php. Both files sit in the web root with the database password inside them, and the firewall accepts port 80 from both zones, so the stats page is viewable by anyone on either network and DHCPd-parse.php can be triggered by anyone who requests it; restrict both to localhost (which the cron job below uses) and staff addresses in Apache if that matters to you.
- Copy and paste the contents of reportdhcp.pl into /usr/lib/cgi-bin/reportdhcp.pl. This program isn’t actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
- Set a cron job to collect the stats every hour, and to preemptively restart the services hourly (for stability reasons):
1 * * * * wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
1 * * * * /etc/init.d/dansguardian1 restart
1 * * * * /etc/init.d/dansguardian2 restart
1 * * * * /etc/init.d/dansguardian3 restart
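The hourly stats job is described above as counting the devices that hold a DHCP lease while leaving out the library's own statically defined computers. The script below is an added example, not the page's DHCPd-parse.php and not part of DansGuardian or dhcpd: it reads the ISC dhcpd lease file (assumed to be in the /var/lib/dhcp/dhcpd.leases format, where dhcpd appends a new record each time a lease changes, so the last record for an address wins) and the dhcpd.conf layout shown earlier, and reports the number of distinct non-static MAC addresses with an active lease. dg_write_sample_dhcp writes constructed sample files, not real library data, so it runs anywhere; the file paths are parameters and the function names are mine.

```sh
#!/bin/sh
# Added example (not the page's DHCPd-parse.php): count patron devices with
# an active DHCP lease, excluding MACs that have a static host entry.

# Print "IP MAC" for each address whose most recent lease record is active.
# "next binding state" lines are deliberately not matched.
dg_active_leases() {
  awk '
    /^lease /                  { ip = $2; state = ""; mac = "" }
    /^[ \t]*binding state/     { state = $3; sub(/;$/, "", state) }
    /^[ \t]*hardware ethernet/ { mac = tolower($3); sub(/;$/, "", mac) }
    /^}/ { if (ip != "") { last[ip] = state; macs[ip] = mac; ip = "" } }
    END { for (i in last) if (last[i] == "active" && macs[i] != "") print i, macs[i] }
  ' "$1"
}

# Print the MAC of every host {} with a static assignment in dhcpd.conf.
dg_static_macs() {
  awk '/^[ \t]*hardware ethernet/ { m = tolower($3); sub(/;$/, "", m); print m }' "$1"
}

# Number of distinct MACs with an active lease that are not static hosts.
# Usage: dg_count_patron_devices LEASEFILE DHCPD_CONF
dg_count_patron_devices() {
  static=$(dg_static_macs "$2" | tr '\n' ' ')
  dg_active_leases "$1" | awk -v static="$static" '
    BEGIN { n = split(static, s, " "); for (i = 1; i <= n; i++) skip[s[i]] = 1 }
    !($2 in skip) && !($2 in seen) { seen[$2] = 1; count++ }
    END { print count + 0 }'
}

# Constructed sample files for a stand-alone run (not real library data):
# one static library PC, two patron devices, one lease that was released.
dg_write_sample_dhcp() {
  cat > "$1/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;
    host kids-pc-1 {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.1.11;
    }
}
EOF
  cat > "$1/dhcpd.leases" <<'EOF'
lease 192.168.1.101 {
  starts 2 2015/06/02 14:00:00;
  ends 2 2015/06/02 15:00:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "phone";
}
lease 192.168.1.102 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 192.168.1.102 {
  binding state free;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 192.168.1.11 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.103 {
  binding state active;
  hardware ethernet AA:BB:CC:00:00:03;
}
EOF
}

if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  dg_write_sample_dhcp "$d"
  echo "active leases:"; dg_active_leases "$d/dhcpd.leases"
  echo "patron devices: $(dg_count_patron_devices "$d/dhcpd.leases" "$d/dhcpd.conf")"
  rm -rf "$d"
fi
```

The two details worth copying into any parser of this file are the last-record-wins rule (the released 192.168.1.102 lease would otherwise be counted) and lower-casing the MACs before comparing them, since dhcpd.conf and the lease file do not always agree on case.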
Print Release Station
- If you share your printers over Samba, you can easily turn the server into a print release station to avoid unwanted prints. Ideally, this would be on a separate machine, but if you have to, it could be on the same system. You’ll need to install the KDE desktop, as it contains the print-manager program which provides a nice interface to release the print job to the printer.
- First, install the KDE desktop:
# apt-get install kubuntu-desktop
- This will take a while, and the scope of it is beyond this tutorial.
- Next, install samba:
# apt-get install samba
- Add the printer in the KDE System Settings application. Then edit /etc/samba/smb.conf to share and hold the print jobs. Add the following lines to the end of the file, changing as necessary to fit your situation (both shares point at the same CUPS printer; the Windows-side printing preferences are what make the second one print in grayscale):
[Color_Printer]
    path = /var/spool/samba
    browseable = yes
    printable = yes
    printer name = CirculationPrinter
    cups options = job-hold-until=indefinite

[Black_and_White_Printer]
    path = /var/spool/samba
    browseable = yes
    printable = yes
    printer name = CirculationPrinter
    cups options = job-hold-until=indefinite
- Then you can add a shortcut to your KDE desktop and startup that points to kde-print-queue CirculationPrinter. From there you can release the print jobs to the printer or delete them.
- Add something like the following to your root crontab to clean out the queue at the end of each day:
4 21 * * * /usr/bin/lprm -P CirculationPrinter -
5 21 * * * /bin/rm /var/cache/cups/job.cache*
6 21 * * * /bin/rm /var/spool/cups/c*
7 21 * * * /bin/rm /var/spool/cups/d*
- Finally, add a user to your system for each computer you want to print, and make an accompanying Samba user with
smbpasswd -a <username>
- When you add the printers on Windows, you’ll need to set up network credentials first to the print server using the usernames and passwords you created above. Then add the printers with a custom new port, local port type,
\\192.168.1.XXX\Black_and_White_Printer
, etc. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.
Battery and File Backups
- If you have an APC battery backup, install apcupsd and save the original configuration file:
# apt-get install apcupsd; \
  mv /etc/apcupsd/apcupsd.conf /etc/apcupsd/apcupsd.conf.bak
- Copy and paste the contents of apcupsd.conf into /etc/apcupsd/apcupsd.conf, editing parameters as you see fit.
- Edit /etc/default/apcupsd and change ISCONFIGURED=no to ISCONFIGURED=yes.
- Make a key pair for automated backups of our stats files to a remote backup Unix file server, and copy the public key to the remote server. Do this as the same user whose crontab will run the backup job below, so that the key lands in that user’s ~/.ssh and the path in the cron line matches:
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host
- Add another cron job to back up your stats database every night at 5 past midnight:
5 0 * * * mysqldump -u root --password=YOUR-PASSWORD wifi_stats > /home/username/wifi_stats_dump.sql; scp -i /home/username/.ssh/id_rsa /home/username/wifi_stats_dump.sql username@remote_host:/path/to/backup/directory/
  Passing --password on the command line shows the MySQL root password to every local user in ps output, as well as to anyone who can read the crontab. mysqldump reads the [client] section of the invoking user’s ~/.my.cnf, so put the user and password there, make that file mode 600, and drop --password from the command.
- On the remote machine that’s your backup destination, make sure to add from="YOUR-FILTER'S-IP-ADDRESS", followed by a space, before the “ssh-rsa [...]” part of the key in your /home/username/.ssh/authorized_keys file. This limits the key to being used only from your filter; a command="..." restriction in the same place can additionally pin the key to just the scp it is meant for.
Conclusion
And that is all! Reboot and make sure everything comes back up the way it should.
Copyright © John C. Rucker
Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved.
Originally published on:
https://www.branchdistrictlibrary.org/professional/ubuntu_precise_dg.php