Ubuntu 8.04 (Hardy), Dan’s Guardian, Squid, Arno’s iptables Firewall How-To

Using only free and open source software, this how-to will help you accomplish the following:

  • Setup a transparent web proxy (no browser configuration required).
  • “Bad internet sites” will be filtered and unreachable.
  • Setup an iptables-based NAT.

1) All these commands need to be run as root. If you prefer to use sudo then obviously you’ll need to prefix all the commands listed here with `sudo`. I choose to just become root until I’m done. I use the command `sudo su -` once. Proceed however you like.

2) Make sure you can reach all the Ubuntu packages. Uncomment all the optional repositories in your /etc/apt/sources.list so it looks like this:

> cat /etc/apt/sources.list | grep -v ^# | grep -v ^$
deb http://us.archive.ubuntu.com/ubuntu/ hardy main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy main restricted
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
deb http://archive.canonical.com/ubuntu hardy partner
deb-src http://archive.canonical.com/ubuntu hardy partner
deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse

Re-index your package repositories:

apt-get update

3) Install everything:

apt-get install dansguardian squid arno-iptables-firewall

4) Configure Arno’s iptables Firewall:

Edit /etc/arno-iptables-firewall/firewall.conf and uncomment this line:

CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules

Edit /etc/arno-iptables-firewall/custom-rules and place a custom NAT prerouting rule in for Dan’s Guardian:

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

This rule can likely be added in /etc/arno-iptables-firewall/firewall.conf by using the HTTP_PROXY_PORT variable. I have other custom iptables rules so I just put it in my custom rules file instead.

Restart the firewall:

/etc/init.d/arno-iptables-firewall restart

Arno’s script does lots of useful filtering, way more than I care to describe here. You need to configure it to your own setup obviously. You can reconfigure it using this command: `dpkg-reconfigure arno-iptables-firewall`

My setup looks like this for example:

> cat /etc/arno-iptables-firewall/debconf.cfg | grep -v ^#
DC_EXT_IF="eth0"
DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="22 113"
DC_OPEN_UDP=""
DC_INT_IF="eth1"
DC_NAT=1
DC_INTERNAL_NET="10.0.0.0/8"
DC_NAT_INTERNAL_NET="10.0.0.0/8"
DC_OPEN_ICMP=0

Have a look at /etc/arno-iptables-firewall/firewall.conf for lots of setup options. And don’t forget `man iptables`.

5) Configure squid:

Edit /etc/squid/squid.conf.

Find these lines, uncomment them and configure:

acl our_networks src 10.0.0.0/8
http_access allow our_networks

Be sure to modify the network to reflect your own setup. For example you might be using the 192.168.0.0/24 network for your NAT instead of 10.0.0.0/8.

In the same file, find and modify the http_port setting to look like this:

http_port 10.0.0.1:3128 transparent

Again, be sure to modify it so it reflects your own network.

3128 is the default squid port. There’s really no reason to change it, but you can if you like.

Restart squid:

/etc/init.d/squid restart

6) Configure Dan’s Guardian:

Edit /etc/dansguardian/dansguardian.conf. Find this line at the top of the file and comment it out, so it reads:

#UNCONFIGURED - Please remove this line after configuration

Set the proxyip to your internal network interface’s IP address:

proxyip = 10.0.0.1

Set the filterport; this port must match the iptables PREROUTING --to-port value from above:

filterport = 8080

Point Dan’s Guardian to squid’s default proxy port:

proxyport = 3128

You can modify /etc/dansguardian/languages/ukenglish/template.html to customize what is seen when attempting to visit a blocked site. I made mine a bit more generic for example. My kids don’t need to know why, they just need to see “NO!”.

Restart Dan’s Guardian:

/etc/init.d/dansguardian restart

7) Test everything by visiting Google.com and Porn.com. One of those addresses will be blocked.
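Before the browser test in step 7, it is worth checking that the three ports from steps 4 to 6 line up, because a mismatch means LAN clients either get no web access at all or reach squid without passing through the filter. The POSIX shell check below is an added example, not part of the original how-to; `check_chain` and `write_samples` are hypothetical names, and the sample files it writes are constructed from the values used above.

```shell
#!/bin/sh
# Consistency check for the redirect chain built in steps 4 to 6:
#   iptables REDIRECT --to-port  must equal  DansGuardian filterport
#   DansGuardian proxyport       must equal  squid's http_port
#   squid's http_port must carry the "transparent" keyword
#   the UNCONFIGURED marker line in dansguardian.conf must be gone
# Note that the PREROUTING rule only catches TCP port 80 on eth1, so
# traffic on other ports (HTTPS included) never enters this chain.
# Paths are arguments so the same function runs against the real files under /etc.
check_chain() {
    rules="$1"; dg="$2"; sq="$3"; rc=0
    redirect_port=$(sed -n 's/.*-j REDIRECT --to-port \([0-9]*\).*/\1/p' "$rules" | head -n 1)
    filterport=$(sed -n 's/^filterport *= *\([0-9]*\).*/\1/p' "$dg" | head -n 1)
    proxyport=$(sed -n 's/^proxyport *= *\([0-9]*\).*/\1/p' "$dg" | head -n 1)
    http_port_line=$(grep '^http_port' "$sq" | head -n 1)
    # second field is "addr:port" or just "port"; keep what follows the last colon
    squid_port=$(printf '%s\n' "$http_port_line" | awk '{print $2}' | sed 's/.*://')
    [ -n "$redirect_port" ] || { echo "no REDIRECT rule found in $rules"; rc=1; }
    [ "$redirect_port" = "$filterport" ] || { echo "REDIRECT --to-port '$redirect_port' != filterport '$filterport'"; rc=1; }
    [ -n "$proxyport" ] && [ "$proxyport" = "$squid_port" ] || { echo "proxyport '$proxyport' != squid http_port '$squid_port'"; rc=1; }
    case "$http_port_line" in *transparent*) ;; *) echo "squid http_port is not transparent"; rc=1 ;; esac
    ! grep -q '^UNCONFIGURED' "$dg" || { echo "UNCONFIGURED line still present in $dg"; rc=1; }
    return $rc
}

# Constructed sample files (hypothetical; values mirror this how-to, not copied from a live box).
write_samples() {
    echo '/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080' > "$1/custom-rules"
    printf 'proxyip = 10.0.0.1\nfilterport = 8080\nproxyport = 3128\n' > "$1/dansguardian.conf"
    printf 'acl our_networks src 10.0.0.0/8\nhttp_access allow our_networks\nhttp_port 10.0.0.1:3128 transparent\n' > "$1/squid.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_chain "$tmp/custom-rules" "$tmp/dansguardian.conf" "$tmp/squid.conf" && echo "redirect chain is consistent"
# On a real install: check_chain /etc/arno-iptables-firewall/custom-rules /etc/dansguardian/dansguardian.conf /etc/squid/squid.conf
```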
