Web content filtering made easy

This post is dedicated to the Children of Ubuntu

As a parent you might wish to restrict your children(s) access to certain web sites (pr0n). In this tutorial I will demonstrate how to do this as easily as possible, without the need to manually maintain white and black lists. The combined use of dansguardian + privoxy is easy to configure and a few “simple” iptables rules lock down the web access.

The key thing to understand is dansguardian needs another proxy server. Most tutorials use squid, which although full featured, IMO squid is complex and a bit of over kill.

Privoxy is easier than squid to configure and has additional features including privacy and ad blocking capabilities.

As an alternate to this tutorial you could consider or squid + dansguardian. This option does not offer either the ad blocking or privacy of Privoxy, although you may add SquidGuard. IMO, squid is both a bit of overkill and takes more time to configure.

If you are interested in SquidGuard see :

Ubuntu Wiki SquidGuard

Dansguardian = content filtering made easy.
Privoxy = adblock + additional privacy (compared to squid) + (IMO) easier to configure.

Step 1 : Install Dansguardian + privoxy

sudo apt-get -y install privoxy dansguardian

Step 2: Configure privoxy

Using any editor, open /etc/privoxy/config

sudo nano /etc/privoxy/config

Edit the following lines:


listen-address localhost:8118



I know, same thing, but privoxy as a parent proxy does not like localhost, it will refuse connections.

Restart privoxy

sudo service privoxy force-reload

Step 3: Configure dansguardian

Using any editor, open /etc/dansguardian/dansguardian.conf

Remove the line

UNCONFIGURED - Please remove this line after configuration

near the top of the file.

By default dansguardian uses squid, change the port to privoxy

proxyport = 8118

start dandguardian

service dansguardian start

Setp 5: Configure iptables

Now, for the icing on the cake, add a few rules to iptables

sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP

For those not familiar with iptables:

The first line allows root (needed for apt-get …)

The second line allows privoxy to connect to ports 80 and 443
The third line blocks everyone but privoxy

The forth line allows dansguardian to connect to privoxy.
The fifth line allows bodhi (parents) to connect to privoxy thus circumventing dansguardian.
Obviously change to “bodhi” to your log in name, and add additional users if needed, one per line, before you add the last “DROP” line.

The last line blocks all other connections to privoxy.

Parents can surf the web, with adblock, but without dansguardian by pointing firefox to port 8118
Children can surf the web + adblock + dansguardian by pointing firefox to port 8080

Obviously parents and children should have unique login accounts.

Setp 6: Configure your iptables settings to be active at boot

Iptables – Use this section if you DO NOT use UFW

Save your settings:

sudo bash -c “iptables-save > /etc/dansguardian/iptables.save”

Using any editor, open /etc/rc.local and add the following line (above exit 0)

iptables-restore /etc/dansguardian/iptables.save

exit 0

UFW – Use this section if you use UFW

Or if you use ufw …

Using any editor open /etc/ufw/before.rules

1. Comment out the line (near the top of the file):

#-A ufw-before-output -o lo -j ACCEPT

At the bottom of the file, above the “COMMIT” line, add:

# Rules for Dansguardian

-A ufw-before-output -m owner –uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport –dports 80,443 -m owner –uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport –dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp –dport 8118 -m owner –uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp –dport 8118 -m owner –uid-owner bodhi -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp –dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed

To configure Firefox to use a proxy :

Edit -> Preferences
Click on the “Advanced” tab at the top right
Click on the “Network” tab at the upper left (underneath “General” and “Tabs” )
Click the “Settings” tab on the Right …

Firefox Network Options

Select “Manual proxy configuration”
Under HTTP Proxy enter localhost
Under HTTP Port enter 8080 for dansguardian (Children) or 8118 for privoxy (Parents)
Check off the “Use this proxy server for all protocols”

Proxy options

If you wish to set a proxy for command line applications (wget, curl, etc), put this in ~/.bashrc (at the end of the file)

Children : export http_proxy=’localhost:8080′
Parents: export http_proxy=’localhost:8118′

This entry was posted in Linux and tagged , . Bookmark the permalink.

80 Responses to Web content filtering made easy

  1. bodhi.zazen says:

    @Bob – yes you can do that, you have to allow the owner/group access. If it is not working either you have the owner / group wrong or you need to add a rule earlier in iptables (order of your rules is important).

  2. Bob says:

    Thanks for the reply, I flushed the iptables rules to start again. Then did

    sudo iptables -A OUTPUT -m owner –uid-owner root -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m owner –uid-owner privoxy -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m owner –uid-owner gpodder -j ACCEPT

    and got:

    iptables v1.4.12: owner: Bad value for “–uid-owner” option: “gpodder”
    Try `iptables -h’ or ‘iptables –help’ for more information.

    is it something other than “gpodder” I need to put here?

  3. Bob says:

    Seem to have got this working now. For anyone interested: I flushed the iptables, then created a new group “sudo addgroup gpodder” followed by “sudo usermod child_username -G gpodder” , then added the gpodder application to this new group: “sudo chgrp gpodder /usr/bin/gpodder”. Now after your second line of iptables commands I did ” sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m owner –gid-owner gpodder -j ACCEPT” to allow access to this gpodder group and it seemed to work. I can’t see why setting the http_proxy variables for gpodder method didn’t work for gpodder, but there you go.

  4. bodhi.zazen says:

    @Bob – Congrats and thank you for taking the time to post your solution. Looks as if this has been a great learning opportunity for you.

  5. Bob says:

    @bodhi.zazen one thing I don’t understand is why that line works for privoxy out of the box? Why doesn’t one have to create a group for privoxy to employ that line? also why uid (user id) not gid (group id), I mean privoxy is not a user…so why does “uid-owner privoxy” work?

  6. Nathan says:

    I can’t get the IPtables working, I whenever I run the commands to config the tables dansguardian no longer works. I also posted about it here as well:


    This link also has a picture of the error I’m receiving

  7. Nathan says:

    I’m having a problem with the iptables,

    Without them I can access the web, dansguardian filters out ads/porn, but with them I get a privoxy error. Here is a link to the error:


  8. Pingback: Regarding Daniel: Ubuntu DansGuardian Rehabilitation Tutorial | | Sigh Hacker

  9. Pingback: Parental Controls In Ubuntu – Per User | Click & Find Answer !

  10. luke says:


    My kids are now old enough that I don’t need dansguardian and privoxy now.
    I used your settings including transparency and speding up privoxy.
    How do I completely uninstall dansguardian and privoxy please.


  11. bodhi.zazen says:

    @luke – Remove the packages, clear your settings in your borwser(s) to not use a proxy, and clear iptables.

  12. Ikem says:

    > The forth line allows dansguardian to connect to _privoyx_.

    > _Privoyx_ is easier than squid to configure

    > The forth line allows dansguardian to connect to _privoyx_.

    You misspelled “Privoxy” several times.

  13. Brandon Taylor says:

    sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner bodhi -j ACCEPT
    iptables v1.4.18: owner: Bad value for "--uid-owner" option: "bodhi"
    Try `iptables -h' or 'iptables --help' for more information.

    What’s wrong with this picture?

  14. Glenn says:

    I’m a newb to Linux, but I’m not afraid of a command-line. (Ah, the good old days of starting apps from DOS batch files…) Anyway, since resurrecting my old XP laptop with Kubuntu, I had been looking for a content filter so my kids would stay safe. These directions nailed it! I can still get to my regular geek and science sites and yet allow my kids free reign. Your directions worked like magic. And best of all, unlike that bloated OS from Redmond, I didn’t have to reboot to make it work! Thank you!

  15. bodhi.zazen says:

    You have to change the owner from “bodhi” to an actual user (owner) on your system, such as your log in name.

  16. The Greek says:

    The first iptables command:
    sudo iptables -A OUTPUT -m owner –uid-owner root -j ACCEPT
    gives me an ‘iptables v1.4.21: unknown option “owner”‘ ERROR

  17. bodhi.zazen says:

    @The Greek I assume you have a typo, -m owner and then two – – before uid-owner. If that is not the case, are you using a VPS ?

  18. The Greek says:

    Yes bodhi you were right; while copying – pasting in my console, the two dashes (–) somehow turned into one long dash and this caused the problem.
    Please allow me a couple of questions on your setup.
    1. You are mentioning at the beginning of your tutorial that: “dansguardian needs another proxy server”. Nonetheless, when parents are using the computer, they must “connect to privoxy in order to circumvent dansguardian”??? (according the fifth line iptables rule). So privoxy allows circumventing dg and does not just simply support dg usage? (given that the later needs a proxy). And when children (the corresponding user) connect, shouldn’t they go on the web THROUGH privoxy?
    2. The second iptables rule (sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m owner –uid-owner privoxy -j ACCEPT) what exactly does it do? It allows privoxy to connect to REMOTE (?) ports 80, 443? (I am saying REMOTE – other hosts) given that I see it is in the OUTPUT chain. If it had to do with the local ports 80 and 443, shouldn’t we have specified the lo interface?

    Many thanks for yout time

  19. bodhi.zazen says:

    @The Greek – Yes , dansguardian does not directly access the internet, so you need a second proxy to access web pages, privoxy in this example.

    Everyone but root uses a proxy. Priviliged users use privoxy only and the content is unfiltered. Unpriviliged users use dans which then in turn uses privoxy. dans then filters the content and delivers the filtered result to firefox (or other web browser).

    Root -> http directly,no proxy
    Parents -> privoxy, no filter
    Children -> dans -> privoxy

    The iptables rules prevent children from either -> direct or -> privoxy without using dans

    The second iptables rule allows privoxy to connect to ports 80 (http) and 443 (https).

    I assume you do not have a local web server running, but bu default all connections to local host are allowed.

  20. Rico says:

    Is it also possible to let specified users (me and my wife) not make use of a proxyserver but enter the web without?
    For some sites I need a IP-adress in my country.

  21. bodhi.zazen says:

    @Rico Just add additional rules to iptables between the root and privoxy users:

    sudo iptables -A OUTPUT -m owner –uid-owner root -j ACCEPT
    sudo iptables -A OUTPUT -m owner –uid-owner you -j ACCEPT
    sudo iptables -A OUTPUT -m owner –uid-owner your_wife -j ACCEPT

    sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m owner –uid-owner privoxy -j ACCEPT

  22. SamDuBlake says:

    Does Privoxy + Dansguardian need to be configured with individual web browsers? (Has IKG’s issue been adressed?) I ask because I’m looking for parental controls that cannot be modified/removed without a password. “reset firefox” does not need a password and renders all addons useless for advanced users.

  23. BobN says:

    at the end of step three, I had to add sudo to start dansguardian service

  24. Pingback: iptables rule to force all browsers to use proxy | XL-UAT

  25. priv8man says:

    Thanks for the tutorial. I’m having troubles with the IPtables. I’ve flushed and re-entered several times. However, afterwords there seems to be no changes in web filtering by any user. When I check the IPtables, this line seems to be gone: sudo iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -j DROP. The other lines are all present. Please help!

  26. J says:

    When configuring iptables, do I have to assign a port for my childs user account also? For example:

    sudo iptables -A OUTPUT -o lo -p tcp –dport 8080 -m owner –uid-owner child -j ACCEPT

    Or is this unnecassary? For some reason I can’t get any https-pages to load. Any hints?

  27. J says:

    And for some reason I cannot load Firefox addons after configuring dansguardian and privoxy. Same https-reason?

  28. J says:

    Also: is there a easy way to disable the use of privoxy and dansguardian temporarily? Stopping the services and resetting the proxy-settings in Firefox does not allow internet access.

  29. Gene Byron says:

    Thanks for sharing the know how of Ubuntu. I am a newbie who just try to follow the guide posted above, but
    I am stuck at step 3: Configure Dansguardian
    * Starting DansGuardian
    Error creating cache file. Do you have write access to this area: “/etc/dansguardian/lists/blacklists/ads/domains.processed”?
    Unable to setgid()
    Would you guy help me what went wrong with this?
    After I delete the line: “Unconfigure . . . ”
    I change the line:
    proxyport = 3128 into proxyport =8118
    Save the modification and exit, then start dansguardian which then that error code appear.
    Sorry to bothering you, but thanks for the help!

  30. Alex Johnson says:

    Gene Byron. I know you probably have it worked out, but sudo that command. sudo service dansguardian start should start the service for you. I ran into the same error and it started when ran as the superuser.
    Currently I’ve followed this guide to pretty much to the T though in firefoxes settings I put instead of localhost. I’m going to change that to see if it helps, but every site I attempt to get on my childs account is showing Proxy is rejecting connections in firefox. While I would expect that if they were trying to access a black listed site, this is happening on google.com and mozilla’s default homepage. My user’s web is working on 8118, but I think 8080 is rejecting everything for some reason.

Leave a Reply

Your email address will not be published. Required fields are marked *