Difference between revisions of "Installing Dansguardian on LinuxMCE"

From LinuxMCE
Jump to: navigation, search
(Shorewall)
(Shorewall)
Line 65: Line 65:
 
   vi /etc/default/shorewall
 
   vi /etc/default/shorewall
 
# startup = 1
 
# startup = 1
 +
  
  
Line 75: Line 76:
 
# loc ipv4
 
# loc ipv4
 
# #Last Line - ADD ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
# #Last Line - ADD ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 +
  
  
Line 84: Line 86:
 
# loc eth1 detect dhcp
 
# loc eth1 detect dhcp
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 +
  
  
Line 91: Line 94:
 
# eth0 eth1
 
# eth0 eth1
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 +
  
  
Line 99: Line 103:
 
# fw  all ACCEPT
 
# fw  all ACCEPT
 
# all all REJECT
 
# all all REJECT
 +
  
  
Line 104: Line 109:
 
   vi /etc/shorewall/shorewall.conf
 
   vi /etc/shorewall/shorewall.conf
 
# IP_FORWARDING=On
 
# IP_FORWARDING=On
 +
  
  
Line 115: Line 121:
 
# ACCEPT loc loc icmp
 
# ACCEPT loc loc icmp
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 +
 +
  
 
'''  # check shorewall working or not properly'''
 
'''  # check shorewall working or not properly'''

Revision as of 01:57, 1 September 2009

Draft page

Still under draft and yet to finalize... Thanks

Basics

DansGuardian is an award winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.

DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobstructive as you want. The default settings are geared towards what a primary school might want but DansGuardian puts you in control of what you want to block.

DansGuardian is a true web content filter. We will see how to configure DansGuardian on Ubuntu Linux along with LinuxMCE.


Installing packages

tinyproxy

   apt-get install tinyproxy


shorewall

   apt-get install shorewall


dansguardian

   apt-get install dansguardian


dhcp

   apt-get install dhcp3-server


dns server

   apt-get install dnsmasq 

Optional:

Dansguardian Web Log Viewer

   apt-get install dglog


Configure Packages

Tinyproxy

   vi /etc/tinyproxy/tinyproxy.conf  

Make the following changes

  1. User root
  2. Group root
  3. Allow 192.168.80.0/25


Dansguardian

  vi  /etc/dansguardian/dansguardian.conf

Make the following changes:

  1. Delete UNCONFIGURED line
  2. filterport = 8081
  3. proxyip = 192.168.80.1
  4. proxyport = 8888
  5. usernameidmethodproxyauth = off


Shorewall

Make the following changes:

set "shorewall" auto start at boot time:

  vi /etc/default/shorewall
  1. startup = 1


"zones" tells the firewall to zone each name for the rest configuration file e.g. loc, net:

  vi /etc/shorewall/zones
  1. #ZONES TYPE OPTION IN OUT
  2. #OPTIONS OPTIONS
  3. fw firewall
  4. net ipv4
  5. loc ipv4
  6. #Last Line - ADD ENTRIES ABOVE THIS ONE - DO NOT REMOVE


"interfaces" tells the firewall which is internal and external interfaces:

  vi /etc/shorewall/interfaces
  1. #ZONE INTERFACE BROADCAST OPTIONS
  2. #Note assuming "eth1"- is internal ip & "eth0"- is external ip
  3. net eth0 detect dhcp,tcpflags
  4. loc eth1 detect dhcp
  5. #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


"masq" tells the firewall that internal network(eth1)is connected through external network(eth0):

  vi /etc/shorewall/masq
  1. #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
  2. eth0 eth1
  3. #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


'"policy" tells the firewall that how should handle the requests:'Bold text

  vi /etc/shorewall/policy
  1. loc all ACCEPT
  2. net all DROP
  3. fw all ACCEPT
  4. all all REJECT


"shorewall.conf" we will configure ip_forwarding:

  vi /etc/shorewall/shorewall.conf
  1. IP_FORWARDING=On


"rules" allows to set firewall rules:

  vi /etc/shorewall/rules
  1. SECTION NEW
  2. ACCEPT net fw tcp 80
  3. REDIRECT loc 8081 tcp www
  4. ACCEPT loc fw tcp 22
  5. ACCEPT net fw icmp
  6. ACCEPT loc loc icmp
  7. #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


# check shorewall working or not properly

  shorewall check

Restart Applications

   /etc/init.d/dnsmasq restart 
   /etc/init.d/tinyproxy restart
   /etc/init.d/shorewall restart
   /etc/init.d/dansguardian restart

DHCP Server

Note: you need not to make any changes if you are working on single system or dhcp is already running on your local network interface(any changes dhcpd.conf or interfaces respective files)

 vi /etc/default/dhcp3-server
  1. INTERFACE="eth1"
 vi /etc/dhcp3/dhcpd.conf
  1. #change the subnet, netmask, range, dns, router as per your settings
  2. default-leasetime=86400
  3. max-leasetime=60480
  4. subnet 192.168.0.0 netmask 255.255.255.0{
  5. range 192.168.0.2 192.168.1.99;
  6. option domain-name-server 192.168.80.1;
  7. option routers 192.168.80.2;
  8. }

set static ip address:

 vi /etc/network/interfaces
  1. auto lo
  2. iface lo inet loopback
  3. auto eth1
  4. iface eth0 inet static
  5. address 192.168.80.1
  6. netmask 255.255.255.0
 #restart dhcp
  1. /etc/init.d/dhcpd restart

Troubleshooting

  1. Still not working restart the system once
  2. Check all service started are not "ps -ef | grep <service>" service - apache2, dnsmasq, tinyproxy, shorewall, dansguardian, and dhcpd. If any of the service is not starting, start the service sh /etc/init.d.<service> start. Check especially dnsmasq and shorewall services.

Adding BlackList

A BlackList is a precompiled list of sites that are deemed potentially worrisome.

    cd /etc/dansguardian    
    wget http://urlblacklist.com/downloads/OriginalUpdateBL
    vi OriginalUpdateBL
  1. modify line 68 by switching the listed URL with the following:
  2. http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist
   chmod 777 /etc/dansguardian/OriginalUpdateBL
   /etc/dansguardian/OriginalUpdateBL

when script is finished if you see any errors.

   /etc/init.d/dansguardian restart

if the above script is not creating blacklists directory and creating blacklists file then follow the following:

   cd /etc/dansguardian  
   wget http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist
   tar -xvf bigblacklist.tar.gz
   chown -R root:root blacklists
   chmod -R 755 blacklists