How to set up a home router/gateway with tinyproxy and dansguardian on CentOS or RedHat Enterprise Linux.

2009 June 13
by dlarmeir

This howto goes over how to set up a router/gateway on a home or small business network that filters content through tinyproxy and Dan’s Guardian. The awesome thing about this setup is that you can run it on any old piece of crap PC in your garage or house. A 486 will effectively run this for a household, and an older Pentium-class machine will do for a small business network. This howto was written specifically for CentOS 4.x; however, you can use the same instructions on a RedHat ES 4.x server or any CentOS 5.x or RedHat ES 5.x server. The only change needed for a newer version is getting the updated rpms for the distro from a repository such as http://dag.wieers.com/rpm

About my system:

MotherBoard: Asrock K7S41GX
Processor: Socket A (Socket 462) AMD Sempron(tm) 2800+
Ram: 2x 333  ddr1 512 MB for a total of 1gb
Drives: 2x 250.0 GB drives 1x 500GB drive 1x dvdrw drive
Network: 2x 100mbps network adapters

Getting the router/gateway up and running

Step 1. Setting up an extra network interface (if you have already done this, move to Step 2)

If you have just installed a new network interface, you will need to get the system to see the device properly. Use lspci or cat /etc/sysconfig/hwconf and look for the new device. If it is not listed, do a service kudzu restart and follow the prompts if necessary. Once you have confirmed that the system detects it, you can add the device by creating this file:

/etc/sysconfig/network-scripts/ifcfg-eth1

This file can then be formatted as shown below:

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=STATIC
ONBOOT=yes
TYPE=Ethernet
IPADDR=10.0.0.1
NETMASK=255.255.255.0

The network information above is what I am going to use for this setup. You can adjust this to be any subnet value you wish. To get this up and running, restart networking with:

# service network restart

Step 2. Installing and configuring the dhcp server

We first need to get the dhcp server package installed. We can do this by issuing the following command:

# yum -y install dhcp

This will install the package we need to run the dhcp server. The server will not start without modification of a few files. We will go over these files below:

The main configuration file for the dhcp server is /etc/dhcpd.conf – I have posted an example of mine below that can easily be adapted for your network:

# cat /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;

subnet 10.0.0.0 netmask 255.255.255.0 {

# --- default gateway
option routers                  10.0.0.1;
option subnet-mask              255.255.255.0;

option nis-domain               "larmeir.com";
option domain-name              "larmeir.com";
option domain-name-servers      10.0.0.1;

option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              10.0.0.1;
#       option netbios-name-servers     10.0.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

range dynamic-bootp 10.0.0.100 10.0.0.254;
default-lease-time 21600;
max-lease-time 43200;

# we want the nameserver to appear at a fixed address
host ns {
next-server home.larmeir.com;
hardware ethernet 12:34:56:78:AB:CD;
fixed-address 10.0.0.1;
}
}

Once we have this file configured we will need to set the device that will host the dhcp service. The file that controls this is /etc/sysconfig/dhcpd
Below is an example of mine:

# cat /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth1

Step 3. Modifying sysctl and iptables

In order to get traffic from the dhcp clients forwarded through the correct adapter, sysctl and iptables have to be configured to do this. To enable ipv4 forwarding issue the following command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

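Note that a value written to /proc this way is lost at reboot unless the same setting is also made in /etc/sysctl.conf. Then, to get iptables routing the requests properly, issue the following commands: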

# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
# service iptables save

If everything went right you should now have a functioning dhcp server. To get everything running we need to do the following commands:

# chkconfig dhcpd on
# service network restart
# service dhcpd restart

In my above example dhcpd.conf I specified an internal DNS server, but if you don’t want to run one you can easily point this to your ISP’s DNS resolvers. If you do wish to host your own DNS, let’s move on to the next step.

Step 4. Setting up a basic DNS server.

This part is easy, just do the following commands:

# yum -y install bind
# chkconfig named on
# service named start

No configuration is needed here unless you have specific requirements.

Step 5. Installing TinyProxy

This part is very easy as well. For larger networks squid is more appropriate, but for a small office or home network tinyproxy is highly effective. To get TinyProxy installed you will need to get it from a 3rd party repo. I am hosting the rpm on this site for CentOS 4.x for convenience. To get this rolling perform the commands below:

# wget http://larmeir.com/downloads/centos4/tinyproxy-1.6.4-1.of.el4.i386.rpm
# rpm -ivh tinyproxy-1.6.4-1.of.el4.i386.rpm
# chkconfig tinyproxy on

Now we need to edit the tinyproxy configuration file, /etc/tinyproxy/tinyproxy.conf, and set the following directives:

User root
Group root
Port 3128
ViaProxyName "tinyproxy"

Once this has been set you can start up tiny proxy with the command below:

# service tinyproxy start
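
The four directives above run tinyproxy as root and say nothing about which interface it listens on or which clients it serves. The following check is an added example, not part of the original post: it reads a tinyproxy.conf and reports those conditions using tinyproxy's User, Group, Listen and Allow directives. Both sample files are constructed, the function names are hypothetical, and the nobody account and loopback-only settings in the second sample are assumptions about how you would tighten the config.

```sh
#!/bin/sh
# Added example: audit a tinyproxy.conf that sits behind DansGuardian on the
# same host. Both sample files below are constructed.

# Print the value of the last uncommented occurrence of directive $2 in file $1.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Print one finding per line; exit status is 1 if anything was found.
audit_tinyproxy() {
    rc=0
    for key in User Group; do
        if [ "$(conf_value "$1" "$key")" = "root" ]; then
            echo "$key root: the proxy keeps root privileges, which port 3128 does not need"
            rc=1
        fi
    done
    listen=$(conf_value "$1" Listen)
    if [ "$listen" != "127.0.0.1" ]; then
        echo "Listen ${listen:-unset}: port 3128 is not limited to loopback, so it is exposed on the LAN side"
        rc=1
    fi
    if [ -z "$(conf_value "$1" Allow)" ]; then
        echo "no Allow line: tinyproxy serves any client that can connect"
        rc=1
    fi
    return "$rc"
}

sample_dir=$(mktemp -d)
# Sample 1: only the four directives shown in the step above.
printf '%s\n' 'User root' 'Group root' 'Port 3128' 'ViaProxyName "tinyproxy"' \
    > "$sample_dir/as-posted.conf"
# Sample 2: unprivileged account, loopback only (DansGuardian connects to 127.0.0.1).
printf '%s\n' 'User nobody' 'Group nobody' 'Port 3128' 'Listen 127.0.0.1' \
    'Allow 127.0.0.1' 'ViaProxyName "tinyproxy"' > "$sample_dir/hardened.conf"

for name in as-posted hardened; do
    echo "== $name.conf"
    audit_tinyproxy "$sample_dir/$name.conf" || true
done
```

Because DansGuardian reaches the proxy on 127.0.0.1 (see proxyip in Step 6), binding tinyproxy to loopback does not change the filtering path.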

Step 6. Setting up Dan’s Guardian.

We need to get dansguardian from the Dag repositories. To do this follow the commands below:

# rpm -Uhv http://apt.sw.be/redhat/el4/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
# yum update
# yum install dansguardian
# chkconfig dansguardian on

Then we need to modify the /etc/dansguardian/dansguardian.conf file and make sure the following directives are set:

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

Finally we need to start dansguardian with the following command:

# service dansguardian start

And set up iptables to route all requests through the Dan’s Guardian filter:

# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
# service iptables save

This will now force all port 80 (HTTP) connections from the dhcp network through the Dan’s Guardian filter. Now, just to make sure everything is working, let’s restart everything:

# service network restart
# service dhcpd restart
# service tinyproxy restart
# service dansguardian restart

If you receive no errors, you now have a gateway with dhcp, dns, a transparent proxy and content filtering. Give yourself a pat on the back. You can easily test the filter by going to Google and typing in a banned keyword such as sex. For more information on everything used in this article, check out these links:

TinyProxy https://www.banu.com/tinyproxy/

Dans Guardian: http://dansguardian.org/

dhcpd http://en.wikipedia.org/wiki/Dhcpd

CentOS http://www.centos.org/
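
The iptables rules from Step 3 and Step 6 redirect only tcp/80 arriving on eth1, so it is worth checking what else gets through the gateway. The following check is an added example, not part of the original post: it reads an iptables-save dump and reports traffic paths that never reach DansGuardian. The dumps are constructed and trimmed, the function names are hypothetical, and the second dump's rules are an assumed tightening.

```sh
#!/bin/sh
# Added example: look through an iptables-save dump of this gateway for
# traffic that never reaches DansGuardian. Interface and ports as in the howto.
LAN_IF=eth1; FILTER_PORT=8080; PROXY_PORT=3128

# Print one finding per line for the dump in file $1 (explicit rules only;
# custom chains are not followed).
audit_ruleset() {
    # 1. LAN tcp/80 must be redirected to the DansGuardian port.
    grep -Eq "^-A PREROUTING .*-i $LAN_IF .*--dport 80 .*-j REDIRECT --to-ports $FILTER_PORT" "$1" ||
        echo "no REDIRECT of $LAN_IF tcp/80 to $FILTER_PORT: HTTP is not filtered"
    # 2. Only tcp/80 is redirected; an open FORWARD policy routes the rest as-is.
    grep -q '^:FORWARD ACCEPT' "$1" &&
        echo "FORWARD policy ACCEPT: all traffic other than tcp/80 is routed out unfiltered"
    # 3. tinyproxy's own port must not be usable from the LAN side.
    grep -Eq "^-A INPUT .*-i $LAN_IF .*--dport $PROXY_PORT .*-j (DROP|REJECT)" "$1" ||
        echo "tcp/$PROXY_PORT not blocked on $LAN_IF: a browser set to use that port skips the filter"
    return 0
}

# Constructed, trimmed dump. $1 = FORWARD policy, $2 = extra filter rules.
sample_dump() {
    cat <<EOF
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD $1 [0:0]
$2
COMMIT
EOF
}

dump=$(mktemp)
echo "== rules as entered in Steps 3 and 6"
sample_dump ACCEPT "" > "$dump"; audit_ruleset "$dump"
echo "== FORWARD restricted, proxy port closed to the LAN"
sample_dump DROP "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j DROP" > "$dump"; audit_ruleset "$dump"
```

On the gateway itself, save the output of iptables-save to a file and pass that file to audit_ruleset. Traffic on tcp/443 that is still forwarded in the second dump is encrypted and does not pass through DansGuardian either way.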

2 Responses
  1. Scott Morse
    December 24, 2009

    This is very clearly written and documented, and very promising. I hope to try it out over the next few days, hopefully you will find my follow-up. The differences I’ll be working out should be manageable: I run Ubuntu, and I’m using my own PC as the home router (for lack of a #2 machine; perhaps I can bring that in after everyone else has splurged for Christmas).

    I already run DG with tinyproxy on my computer. But I am pretty sober about this project because my ignorant attempts have already forced two system reinstalls. (“It’s good for practice, and it sure builds character.” Uh-huh.)

    In general, it’s terribly important that societies recognize the need for Internet safety for the household. I’m very glad to hear less these days of the “no safeties anywhere” polemic (with its spurious reference to the First Amendment). I think DG is a terrific application and I want to see it promoted. Thank you for your post.

  2. Scott Morse
    December 27, 2009

    No success. My Karmic has no /etc/sysconfig/. There is no file that much resembles ifcfg-eth1 (the closest might be /etc/NetworkManager/system-connections/Auto eth0).

    I need more general knowledge and I’d need insight on diagnostic confirmations along the way to do any tinkering. My local library coughed up “Broadband Internet Connections” (Addison-Wesley, 2002), which turns out to be maybe the poorest technical text I’ve ever seen.

    Note: someone has provided a handy DansGuardian test page at http://sites.google.com/site/stupidicus/test (and I have tested its validity by visiting with DG stopped).
