So you have a nice shiny Edubuntu server install and everything is well. You have an internet connection, but you want to restrict your users' access to certain content on the internet, and you want to be able to do it without installing a second machine as a proxy/filtering server.
Well here is how I did it.
These instructions are based on gutsy and have had limited testing; in my case they have worked. If you find a better way of implementing this please feel free to expand/change it.
- First, install squid and dansguardian:
sudo aptitude install squid dansguardian
- Here I have used aptitude to install the packages, but you can use synaptic, apt-get or whatever method you like. There must be a better way of wording this?
Here we are going to configure and start all the services one by one. I will start off by configuring squid; this will get us a fully functional proxy server. Next, dansguardian; this will sit on top of squid and allow for content filtering. Then we will configure iptables to redirect all requests by the users to dansguardian.
This has the plus point that, for instance, if you have a staff group and a pupils group, all staff can be redirected to the proxy and all pupils can be redirected to dansguardian.
- To configure squid, fire up your favorite editor:
sudo gedit /etc/squid/squid.conf
- Here I've used gedit but you can substitute this for whatever editor you prefer.
- 1) Find the line beginning "http_port" and change it to read "http_port XXXX transparent" where XXXX is the port number you would like squid to listen on.
This is needed because later on we will be redirecting traffic with iptables so that the users automagically use the filtering. Without it squid will not understand the redirected requests and will return an error page for each one rather than actually fetching it.
- 2) Next find the section "visible_hostname" and add "visible_hostname edubuntu" to the bottom of that section on a line of its own (substitute edubuntu for the hostname of the server you are configuring).
- 3) Save the file and close.
- Now start squid:
sudo /etc/init.d/squid start
- Check squid is running:
ps aux | grep squid
- You're looking for two entries like this:
root 5469 0.0 0.0 4780 652 ? Ss Oct10 0:00 /usr/sbin/squid -D -sYC
proxy 5471 0.0 0.2 7644 5348 ? S Oct10 0:00 (squid) -D -sYC
- Now let's configure and start dansguardian:
sudo gedit /etc/dansguardian/dansguardian.conf
- Near the top of the file remove the line beginning with "UNCONFIGURED ". Save and exit the file.
- Now start Dansguardian:
sudo /etc/init.d/dansguardian start
- Again, check it's running correctly:
ps aux | grep dansguardian
- You should see lots of /usr/sbin/dansguardian entries.
- Here is the fun part. This is the clever bit of behind-the-scenes trickery that makes the users go through dansguardian no matter what they are using to access the internet. Adapt this to suit. Here I have set iptables to accept packets destined for localhost and the local network, then redirect any TCP packet not destined for the local network and created by members of the users group to dansguardian. The first rule is needed to allow users to log in from a thin client; without it the user will be able to authenticate but the desktop session will stop loading for some reason.
sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --match owner --gid-owner users -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp ! -d 192.168.0.0/255.255.255.0 --match owner --gid-owner users -j REDIRECT --to-ports 8080
(The negation is written "! -d" here, which both old and current iptables accept; the "-d ! ..." form only works on older versions. 8080 is dansguardian's default filterport, and dansguardian's proxyport setting must match the port you gave squid above.)
*Note: this will redirect ALL TCP ports to dansguardian; you may want to DROP all ports (except 80 and 443) instead.
- If I log on as an administrative user I have unfiltered, unproxied access. But anyone in the users group is automagically sent through the filter/proxy combination whether they like it or not. You could also adapt the above to redirect members of the staff group straight to the proxy, skipping the filtering, if you so wish.
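The three pieces above only work when their ports line up: the iptables REDIRECT port must be dansguardian's filterport, and dansguardian's proxyport must be squid's http_port. The script below is an added example, not part of the original page, that checks this against the two config files before any rules go live, and that prints a tighter version of the rules (port 80 only). It assumes the stock file formats ("http_port 3128 transparent", "filterport = 8080", "proxyport = 3128") and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example, not part of the original page: check that squid, dansguardian
# and the iptables REDIRECT port agree before the rules go live. Assumes the stock
# config formats ("http_port 3128 transparent", "filterport = 8080",
# "proxyport = 3128") and takes the file paths as arguments.

# Port from the first active http_port line (handles "ip:port" too).
squid_port() {
    awk '$1 == "http_port" { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# Succeeds only if that http_port line carries the "transparent" option.
squid_is_transparent() {
    awk '$1 == "http_port" { for (i = 3; i <= NF; i++) if ($i == "transparent") ok = 1; exit }
         END { exit !ok }' "$1"
}

# Value of a "key = value" line in dansguardian.conf, ignoring "#" comments.
dg_value() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Fails while the "UNCONFIGURED" line is still present (dansguardian refuses to start).
dg_is_configured() {
    ! grep -q '^UNCONFIGURED' "$1"
}

# check_chain SQUID_CONF DG_CONF REDIRECT_PORT
# Client -> iptables REDIRECT_PORT -> dansguardian filterport -> squid http_port.
check_chain() {
    rc=0
    sp=$(squid_port "$1"); fp=$(dg_value "$2" filterport); pp=$(dg_value "$2" proxyport)
    squid_is_transparent "$1" || { echo "squid: http_port is missing 'transparent'"; rc=1; }
    dg_is_configured "$2" || { echo "dansguardian: UNCONFIGURED line still present"; rc=1; }
    [ "$fp" = "$3" ] || { echo "REDIRECT --to-ports $3 but dansguardian filterport is $fp"; rc=1; }
    [ "$pp" = "$sp" ] || { echo "dansguardian proxyport $pp but squid http_port is $sp"; rc=1; }
    return $rc
}

# emit_rules GROUP LAN_CIDR REDIRECT_PORT
# Print the nat/OUTPUT rules. Unlike the page's version this only grabs port 80:
# dansguardian speaks plain HTTP, so redirecting ssh, mail or TLS into it just breaks them.
emit_rules() {
    echo "iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 -m owner --gid-owner $1 -j ACCEPT"
    echo "iptables -t nat -A OUTPUT -p tcp ! -d $2 --dport 80 -m owner --gid-owner $1 -j REDIRECT --to-ports $3"
}
```

Run it as `check_chain /etc/squid/squid.conf /etc/dansguardian/dansguardian.conf 8080 && emit_rules users 192.168.0.0/24 8080 | sudo sh` once the output looks right.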