Web Filtering for Kids

I have been encouraging many friends with kids to try the Linux Operating System mainly because of one major advantage over the other Operating Systems – free software for kids.

Take the Debian distribution with over 25,000 applications for example. There are all kinds of games and educational software that comes bundled with these distributions that it adds up in terms of savings when you consider that a computer game for a Windows Operating Sytem averages about $20.

But the challenge we had was how to protect the children from the dangers of the internet now that everyone pretty much has broadband connection. That is when we ran into some problems. There were not a whole lot of click and install web filters as is available in the Windows market.

So I started searching and spent the most of two days poring through very tedious instructions for what I thought should be a simple solution. I am not a code writer, but I am very comfortable with the Linux command line interface so editing some scripts was not the problem.

I kept thinking, this should not be this difficult. I especially did not want to go through the whole process of installing a full blown filtering application like ClarkConnect, Untangle or Astaro. So I kept searching and I am glad I did.

I finally found a solution so simple it was exhausting just thinking about it. Unfortunately, in my excitement, I failed to note the web site of the author but I will try to locate that document again and give the author full credit.

First off, this is entirely aimed at people who want to protect a single computer with a Linux Operating System.

The main components of this solution are:

  •  Dansguardian, an open-source enterprise-class content filtering application which is provided free for personal or non-profit use. In addition to filtering web content, Dansguardian scans downloaded content with Clamav (antivirus software) and logs all http requests, making it a valuable security tool;
  • TinyProxy, a very small, lightweight proxy service ideal for handling the traffic of a single workstation. The proxy service transports internet traffic to the DansGuardian filter;
  • Firehol, a packet filtering firewall which will make sure web traffic goes to the proxy in a transparent manner and is almost impossible to get around without root access.


The installation of these three components can be done in a variety of ways. Most modern Linux distributions will have these in their repositories and can be installed using their package managers. For example, in Debian-based systems, synaptic (GUI) or apt (CLI) can be used for the installation. After the installation, use the following steps to set up the system.

To configure Dansguardian:
As root, open /etc/dansguardian/dansguardian.conf (e.g. sudo gedit /etc/dansguardian.dansguardian.conf  in Gnome)
Locate the line that says “UNCONFIGURED”
Comment it out by appending a “#” to the beginning of the line.
Save the file and exit.

To Configure tinyproxy
As root, open /etc/tinyproxy/tinyproxy.conf
Edit the line that reads “Port 8888”. Change it to read:
Port 3128
Save the file and exit.

To configure firehol
As root, open /etc/firehol/firehol.conf
Edit the file so that it reads as follows after the initial comment block (just copy and paste this bit, if you want):
version 5
iptables -t filter -I OUTPUT -d -p tcp –dport 3128 -m owner ! –uid-owner dansguardian -j DROP
transparent_squid 8080 “nobody root”
interface any world
policy drop
protection strong
client all accept
Save and exit the file
To make sure the firewall starts when the computer reboots:
Open (as root), /etc/default/firehol.
Change the first line to read:
Save and exit the file.

To make sure all services are set to start on boot
As root, browse to /etc/rc5.d
Make sure dansguardian is set to start on boot. In the unlikely event that it is not, you should have a file that says k50dansguardian. Open a terminal and type:
mv K50dansguardian S50dansguardian
restart all three services, as root  or sudo if you are using Ubuntu and it variants (order is important):
/etc/init.d/firehol restart
/etc/init.d/tinyproxy restart
/etc/init.d/dansguardian restart

You should now have basic filtered internet. To test this, browse a few webpages, then check the log by typing as regular user:

cat /var/log/dansguardian/access.log
You should see entries similar to this:
2007.9.2 21:04:46 – http://dansguardian.org/ *EXCEPTION* Exception site match. GET 2683
2007.9.2 21:04:48 – http://www.mepis.org/ *SCANNED*  GET 0
This indicates that dansguardian is indeed checking your pages.

Notes and Caveats (as stated by the original author of this howto)
The default configuration for Dansguardian is quite restrictive, as it is designed for young children. It can be tweaked very extensively, however. The /etc/dansguardian/dansguardian.conf file is fairly self-explanatory, and you should be able to make most of the adjustments you need by looking through it and changing the values it suggests.
firehol is a firewall.

It may cause problems with guarddog or other firewall programs (conflicting settings, etc). The configuration posted above will block anything coming in, so if you need services like samba or ssh open, consult the man page for the firehol.conf file (man firehol.conf). There is no GUI for firehol, but it has a very simple syntax.

To temporarily disable content filtering, shutdown the firehol service (as root):
/etc/init.d/firehol stop

If you shutdown tinyproxy or dansguardian without shutting down firehol, you will likely lose your internet connection.