
How To Setup A Transparent Content Filtering Proxy

To speed up web access and block obscene content on my home network, I setup a transparent content filtering proxy on my Arch Linux server with the help of Squid and DansGuardian. Below are the steps I took to get it all working.

Install and configure Squid (web proxy)

Squid will act as our proxy server which should speed up our web browsing and allow the content filter (DansGuardian, explained below) to function as it requires one.

acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
http_port 3128 transparent
dns_nameservers 208.67.222.123 208.67.220.123 #OpenDNS FamilyShield DNS (space-separated list)

Note: The IP addresses specified for dns_nameservers are the OpenDNS FamilyShield DNS servers. This speeds up DNS lookups and provides a simple way to have an up-to-date blacklist for pornographic sites. This will work in tandem with DansGuardian to filter web content.

Install and configure DansGuardian (content filter)

DansGuardian is the powerful, fast, open-source content filtering engine we will use. It is very configurable but I will keep it simple for demonstration purposes.

filterport = 8888
proxyport = 3128

Configure Your Router

To make our solution truly transparent and avoid the need to configure each computer in our network individually, we need to make our router redirect outgoing web traffic to our proxy server that is running DansGuardian and Squid. To do this, you’ll need a router running Linux (most do) and one that allows telnet or SSH access. I have a Netgear router and after searching on the web found that if you navigate to the address: http://192.168.1.1/setup.cgi?todo=debug (192.168.1.1 being your router IP, of course), the router will allow telnet access on port 23, with the same credentials you use to login to the web interface. Once you have connected, run the following command to redirect outgoing port 80 requests (192.168.1.2 is the proxy server’s address; it is excluded from the rule so the proxy’s own outgoing traffic is not redirected back to itself):

iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.2 -d ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8888
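The three pieces above only work as a chain when their ports and addresses agree: the router must DNAT to DansGuardian’s filterport, DansGuardian’s proxyport must match Squid’s http_port, and the proxy host must be excluded from the redirect. The following script is an added example, not part of the original post, that checks those relationships; the config snippets are constructed from the post’s own values.

```python
# Added example (not from the original post): a consistency check for the
# router-iptables -> DansGuardian -> Squid chain. The three snippets below are
# constructed from the post; 192.168.1.2 is the post's example proxy address.
import re

SQUID_CONF = """\
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
http_port 3128 transparent
dns_nameservers 208.67.222.123 208.67.220.123 #OpenDNS FamilyShield DNS
"""
DANSGUARDIAN_CONF = "filterport = 8888\nproxyport = 3128\n"
ROUTER_RULE = ("iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.2 -d ! 192.168.1.2 "
               "-p tcp --dport 80 -j DNAT --to 192.168.1.2:8888")

def squid_port(conf):
    """Return (port, mode) from the http_port line; mode is 'transparent'/'intercept' or None."""
    m = re.search(r"^http_port\s+(?:[\d.]+:)?(\d+)(?:\s+(transparent|intercept))?", conf, re.M)
    return (int(m.group(1)), m.group(2)) if m else (None, None)

def dansguardian_ports(conf):
    """Return (filterport, proxyport) as ints, 0 when a key is missing."""
    kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(\d+)", conf, re.M))
    return int(kv.get("filterport", 0)), int(kv.get("proxyport", 0))

def dnat_target(rule):
    """Return (ip, port, excluded_ips) parsed from an iptables DNAT rule (old or new '!' syntax)."""
    m = re.search(r"--to(?:-destination)?\s+([\d.]+):(\d+)", rule)
    excluded = set(re.findall(r"(?:-[sd]\s+!|!\s+-[sd])\s+([\d.]+)", rule))
    return (m.group(1), int(m.group(2)), excluded) if m else (None, None, excluded)

def check_chain(squid_conf, dg_conf, router_rule):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    sport, mode = squid_port(squid_conf)
    fport, pport = dansguardian_ports(dg_conf)
    ip, dport, excluded = dnat_target(router_rule)
    if mode is None:
        problems.append("Squid http_port lacks transparent/intercept mode")
    if pport != sport:
        problems.append(f"DansGuardian proxyport {pport} != Squid http_port {sport}")
    if dport != fport:
        problems.append(f"router DNAT port {dport} != DansGuardian filterport {fport}")
    if ip not in excluded:
        problems.append(f"proxy host {ip} not excluded from the redirect (loop risk)")
    if not re.search(r"^http_access\s+deny\s+all", squid_conf, re.M):
        problems.append("Squid has no 'http_access deny all': LAN clients could reach 3128 directly")
    return problems

if __name__ == "__main__":
    for line in check_chain(SQUID_CONF, DANSGUARDIAN_CONF, ROUTER_RULE) or ["chain is consistent"]:
        print(line)
```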

Notes

That’s It!

Now, if you browse to a website on a client machine in your local network, it should send all the data through your proxy server and provide content filtering. There is no client configuration (i.e. proxy settings) needed as we have set things up in a transparent manner.

A good next step would be to read up on configuring DansGuardian and make it work to suit your needs.
