How to Setup Transparent Proxy and Content Filtering using Squid and Dansguardian in Debian Etch

This guide walks through installing Debian GNU/Linux and the Squid proxy and running Squid as a transparent (intercepting) proxy. Optionally, DansGuardian can be added in front of Squid to provide URL blacklisting and content filtering. The same steps also work on CentOS, Ubuntu Dapper and later Ubuntu releases.

The setup process contains the following steps:

  • Install Debian GNU/Linux
  • Install our proxy and content filtering software
  • Configure the Squid Proxy
  • Configure the DansGuardian content filter
  • Install and configure some sort of logging/monitoring solution

Install and configure your Debian server, then configure networking and IP masquerading so the box forwards the LAN's traffic. You can check out the tutorial about IP masquerading here.

Add these lines to your /etc/apt/sources.list file (Etch has long been end-of-life; the archived copies of these repositories live under archive.debian.org):

deb http://http.us.debian.org/debian etch main contrib non-free
deb http://volatile.debian.net/debian-volatile etch/volatile main contrib non-free

and run this command:

apt-get update

Install Squid proxy server

apt-get install squid

Configure squid
For Squid versions up to 2.5, edit /etc/squid/squid.conf and set the following in the HTTPD_ACCELERATOR OPTIONS section (these directives were removed in Squid 2.6; see below for the newer syntax):

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

The relevant part of the sample squid.conf is shown below. In the unedited file these directives are commented out; the uncommented lines are the changes.

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

#  TAG: httpd_accel_host
#  TAG: httpd_accel_port
#       If you want to run Squid as an httpd accelerator, define the
#       host name and port number where the real HTTP server is.
#
#       If you want IP based virtual host support specify the
#       hostname as "virtual". This will make Squid use the IP address
#       where it accepted the request as hostname in the URL.
#
#       If you want virtual port support specify the port as "0".
#
#       NOTE: enabling httpd_accel_host disables proxy-caching and
#       ICP.  If you want these features enabled also, set
#       the 'httpd_accel_with_proxy' option.
#
#Default:
httpd_accel_host virtual
httpd_accel_port 80
#  TAG: httpd_accel_with_proxy  on|off
#       If you want to use Squid as both a local httpd accelerator
#       and as a proxy, change this to 'on'. Note however your
#       proxy users may have trouble to reach the accelerated domains
#       unless their browsers are configured not to use this proxy for
#       those domains (for example via the no_proxy browser configuration
#       setting)
#
#Default:
httpd_accel_with_proxy on

#  TAG: httpd_accel_uses_host_header    on|off
#       HTTP/1.1 requests include a Host: header which is basically the
#       hostname from the URL.  The Host: header is used for domain based
#       virtual hosts. If your accelerator needs to provide domain based
#       virtual hosts on the same IP address you will need to turn this
#       on.
#
#       Note Squid does NOT check the value of the Host header matches
#       any of your accelerated server, so it may open a big security hole
#       unless you take care to set up access controls proper.  We recommend
#       this option remain disabled unless you are sure of what you
#       are doing.
#
#       However, you will need to enable this option if you run Squid
#       as a transparent proxy.  Otherwise, virtual servers which
#       require the Host: header will not be properly cached.
#
#Default:
httpd_accel_uses_host_header on

With Squid 2.6 and later the httpd_accel_* directives no longer exist; interception is an option on http_port instead. Find the NETWORK OPTIONS section and change the http_port line to http_port 3128 transparent (Squid 3.1 and later call this option intercept). If the server is dual-homed, bind to the internal address, for example http_port 192.168.0.1:3128 transparent, so the proxy is not reachable on the external interface.

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address.  This replaces the old 'tcp_incoming_address'
#	option.  Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	The default port number is 3128.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	The -a command line option will override the *first* port
#	number listed here.   That option will NOT override an IP
#	address, however.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	options are:
#		transparent	Support for transparent proxies
#		vhost		Accelerator using Host directive
#		vport		Accelerator with IP virtual host support
#		vport=		As above, but uses specified port number
#				rather than the http_port number.
#		defaultsite=	Main web site name for accelerators.
#		urlgroup=	Default urlgroup to mark requests
#				with (see also acl urlgroup and
#				url_rewrite_program)
#		protocol=	Protocol to reconstruct accelerated
#				requests with. Defaults to http.
#		no-connection-auth
#				Prevent forwarding of Microsoft
#				connection oriented authentication
#				(NTLM, Negotiate and Kerberos)
#		tproxy		Support Linux TPROXY for spoofing
#				outgoing connections using the client
#				IP address.
#
#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.
#
# Squid normally listens to port 3128
http_port 3128 transparent

Then configure a Squid ACL (Access Control List) so that only computers on your network may use the proxy. Find the line INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

Add an acl for your own network and an http_access rule that allows it. Put both directly below the commented #http_access allow our_networks line, so they come before the http_access deny all rule further down in the file: http_access lines are evaluated top to bottom and the first match wins, so an allow rule placed after deny all is never reached. With 192.168.0.0/24 as the LAN the result looks like this:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl lan src 192.168.0.0/24
http_access allow lan

Restart Squid so the changes you have made to the file take effect.

/etc/init.d/squid restart

To check the file for syntax errors run squid -k parse; to review only the active (non-comment, non-blank) directives of your config, use:

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
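Beyond listing the active lines, the two mistakes that most often break a transparent setup are an http_port without the transparent option and an http_access allow rule for the LAN that sits below http_access deny all. The script below, an added example that is not part of the original tutorial, checks a squid.conf for both. The acl name lan and the two sample configs it writes are constructed for the demonstration; point it at /etc/squid/squid.conf to check a real file.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a squid.conf
# for a transparent proxy setup.
#  1. Some http_port line must carry the "transparent" option, otherwise
#     Squid rejects the redirected requests.
#  2. "http_access allow <lan-acl>" must appear above "http_access deny all":
#     Squid evaluates http_access top to bottom, first match wins.
# The acl name "lan" and the sample configs are assumptions for the demo.

# Active directives only: drop comments and blank lines.
active_lines() {
    grep -v '^#' "$1" | sed -e '/^$/d'
}

# Exit 0 if some http_port line has the transparent option.
has_transparent_port() {
    active_lines "$1" | grep -q -E '^http_port[[:space:]].*transparent'
}

# Line number (within the active lines) of the first match of a pattern,
# empty if there is no match.
first_line_of() {
    active_lines "$1" | grep -n -E "$2" | head -n 1 | cut -d: -f1
}

# Exit 0 if "http_access allow <acl>" is reachable, i.e. it exists and is
# above "http_access deny all" (or there is no deny all at all).
allow_is_reachable() {
    conf="$1"; aclname="$2"
    allow_no=$(first_line_of "$conf" "^http_access[[:space:]]+allow[[:space:]]+$aclname\$")
    deny_no=$(first_line_of "$conf" "^http_access[[:space:]]+deny[[:space:]]+all\$")
    [ -n "$allow_no" ] || return 1
    [ -z "$deny_no" ] && return 0
    [ "$allow_no" -lt "$deny_no" ]
}

# Run both checks; one line per finding, non-zero exit if anything failed.
check_squid_conf() {
    conf="$1"; aclname="$2"; rc=0
    if has_transparent_port "$conf"; then
        echo "ok:   http_port has the transparent option"
    else
        echo "FAIL: no 'http_port ... transparent' line"; rc=1
    fi
    if allow_is_reachable "$conf" "$aclname"; then
        echo "ok:   http_access allow $aclname is reachable"
    else
        echo "FAIL: http_access allow $aclname missing or below 'http_access deny all'"; rc=1
    fi
    return $rc
}

# Constructed sample configs, written to a temp file whose path is printed.
# "good" is the layout the tutorial ends up with; "bad" has both mistakes.
write_sample_conf() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
# NETWORK OPTIONS
http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.0.0/24
http_access allow lan
http_access allow localhost
http_access deny all
EOF
    else
        cat >"$f" <<'EOF'
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.0/24
http_access deny all
http_access allow lan
EOF
    fi
    echo "$f"
}

# Usage: sh check_squid.sh /etc/squid/squid.conf [acl-name]
if [ -n "${1:-}" ]; then
    check_squid_conf "$1" "${2:-lan}"
fi
```

The check deliberately looks only at active lines, exactly as the grep/sed pipeline above does, so a rule that is still commented out does not count as present.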

Install and configure DansGuardian content filtering:

apt-get install dansguardian

Open /etc/dansguardian/dansguardian.conf and comment out the UNCONFIGURED line near the top by placing a # sign in front of it; DansGuardian will not start while that line is present. By default DansGuardian listens on port 8080 and forwards requests to Squid at 127.0.0.1:3128 (the filterport, proxyip and proxyport settings), which matches the Squid setup above.
Start DansGuardian:

/etc/init.d/dansguardian start

Next, configure iptables to redirect the LAN's web traffic. eth1 is assumed to be the interface facing the LAN; adjust it to yours.
To send port 80 traffic through DansGuardian (which listens on 8080 and hands each request to Squid on 3128):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

If you just want Squid without content filtering, redirect straight to Squid's port instead:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Either rule only catches plain HTTP on port 80: HTTPS and non-standard ports bypass both the proxy and the filter. The rule is also not persistent; re-apply it at boot (for example via iptables-save/iptables-restore) or the interception disappears after a reboot.
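Appending the rule by hand works once, but running it again stacks a second copy in PREROUTING, and it also redirects requests for the proxy host itself and for other servers on the LAN. The script below is an added example, not part of the original tutorial: it keeps the redirect in its own nat chain that is flushed and rebuilt on every run, and exempts LAN and proxy-host destinations before redirecting. eth1 as the LAN interface, 192.168.0.0/24 as the LAN, 192.168.0.1 as the proxy's LAN address and the chain name TRANSPROXY are assumptions for the demonstration; the target port is 8080 for DansGuardian or 3128 for Squid alone, as above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the transparent
# redirection in a dedicated nat chain so the script can be re-run safely
# (the chain is flushed and rebuilt, and the PREROUTING jump is removed
# before it is added again, so no duplicate rules pile up).
# Exemptions, evaluated before the redirect because first match wins:
#   - destinations inside the LAN are reached directly (intranet servers),
#   - the proxy host itself is not redirected, so the log viewer served by
#     Apache on port 80 is not looped through the filter.
# Assumptions (not from the original page): eth1 = LAN interface,
# 192.168.0.0/24 = LAN, 192.168.0.1 = proxy's LAN address, chain TRANSPROXY.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_redirect <lan-if> <lan-net> <proxy-ip> <target-port>
build_redirect() {
    ifc="$1"; lan="$2"; proxy="$3"; port="$4"
    chain=TRANSPROXY
    # Create the chain if it does not exist yet, then empty it.
    run -t nat -N "$chain" 2>/dev/null || true
    run -t nat -F "$chain"
    # Exemptions first: LAN destinations and the proxy host go direct.
    run -t nat -A "$chain" -d "$lan" -j RETURN
    run -t nat -A "$chain" -d "$proxy" -j RETURN
    # Everything else on port 80 is redirected to the filter or proxy port.
    run -t nat -A "$chain" -p tcp --dport 80 -j REDIRECT --to-ports "$port"
    # Hook the chain into PREROUTING for the LAN interface only; delete a
    # previous jump first so re-running does not add a second one.
    run -t nat -D PREROUTING -i "$ifc" -p tcp --dport 80 -j "$chain" 2>/dev/null || true
    run -t nat -A PREROUTING -i "$ifc" -p tcp --dport 80 -j "$chain"
}

# Usage (as root): sh transproxy.sh eth1 192.168.0.0/24 192.168.0.1 8080
#        preview:  DRY_RUN=1 sh transproxy.sh eth1 192.168.0.0/24 192.168.0.1 8080
if [ $# -eq 4 ]; then
    build_redirect "$@"
fi
```

Because the jump in PREROUTING is limited to -i eth1, traffic arriving on the external interface is never redirected into the proxy. Run the script from the LAN interface's pre-up line in /etc/network/interfaces, or dump the finished table with iptables-save, so the rules survive a reboot.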

Logging and Reporting
Install Apache with mod_perl and dglog, a web-based DansGuardian log viewer:

apt-get install apache2 libapache2-mod-perl2 dglog

You can view the DansGuardian logs at http://hostname/cgi-bin/dglog.pl. Apache listens on port 80 on the proxy host itself, and the logs show every URL each client requested, so restrict access to that page to the LAN or put it behind authentication.