Squid

The document provides step-by-step instructions for setting up a transparent web proxy using Squid, DansGuardian, and SquidGuard to apply content filtering and access controls. It describes downloading and compiling the necessary software, configuring users, directories and firewall rules, editing configuration files, and testing the installation.


I did this successfully, with some digging around on Google.

I use Mandriva 2007 for both home PCs, one is for the kids, and I use transparent redirection in iptables so there is no browser preference modification needed (and it works on all browsers, including text-only). I installed everything from source tarballs – it was simpler to tie it all together this way. The end result – per-user proxy restrictions, so I am exempt but the kids are not, and they are time-limited to between 7am and 9pm for web access. I also get emails of blocked attempts. They do not use IM, so this only applies to web access. Several false positives, so a little tweaking of the blacklist files might be needed. I posted a write-up on this earlier here, but I think this one goes into better detail and is a little easier to follow. Here are the steps I took:

1. Download the following (there may be newer versions, but you definitely need db-2.7.7):

* db-2.7.7.tar.gz (http://download.oracle.com/berkeley-db/db-2.7.7.tar.gz)
* squid-2.6.STABLE5-20061110.tar.bz2 (http://www.squid-cache.org/)
* dansguardian-2.9.8.0.tar.gz (http://dansguardian.org/)
* squidGuard-1.2.0.tar.gz (http://www.squidguard.org/)
* A mail server – I use postfix (installed from Mandriva packages).

2. Unpack the downloaded files:

* tar xvfz db-2.7.7.tar.gz
* tar xvfj squid-2.6.STABLE5-20061110.tar.bz2
* tar xvfz dansguardian-2.9.8.0.tar.gz
* tar xvfz squidGuard-1.2.0.tar.gz

3. Make user, group, and firewall rules (the ACCEPT rules must come before the REDIRECT rules, because the first matching rule in the nat OUTPUT chain wins):

* groupadd -r squid
* useradd -g squid -d /var/spool/squid -s /bin/false -r squid
* iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
* iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
* iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner exemptuser -j ACCEPT (change exemptuser to the account that should bypass the filter)
* iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
* iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
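Added example, not from the original write-up: a small POSIX shell script that applies the step-3 nat rules in the required order and refuses to apply them if an ACCEPT would land after a REDIRECT. The user names (squid, exemptuser) and ports (3128 for Squid, 8080 for DansGuardian) are the ones used above; the `IPT` variable is an assumed override so the script can be dry-run with `IPT=echo` on a machine without iptables.

```shell
#!/bin/sh
# Added example (not the author's script). Applies the transparent-proxy rules
# from step 3 to the nat OUTPUT chain. IPT is an assumed knob: set IPT=echo to
# see the iptables calls without running them.
IPT="${IPT:-iptables}"

# Emit the rule list for a proxy user ($1) and one exempt user ($2).
# Order matters: the kernel takes the first matching rule, so Squid's own
# traffic and the exempt user's traffic must be ACCEPTed before the REDIRECT
# rules, or Squid's outbound fetches would loop back into DansGuardian on 8080.
proxy_rules() {
    cat <<EOF
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $1 -j ACCEPT
-A OUTPUT -p tcp --dport 3128 -m owner --uid-owner $1 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $2 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
EOF
}

# Read a rule list on stdin; succeed only if no ACCEPT follows a REDIRECT.
check_rule_order() {
    awk '
        /-j ACCEPT/   { if (seen_redirect) bad = 1 }
        /-j REDIRECT/ { seen_redirect = 1 }
        END           { exit bad ? 1 : 0 }
    '
}

# Verify the order, then hand each rule to "iptables -t nat".
apply_proxy_rules() {
    proxy_rules "$1" "$2" | check_rule_order || return 1
    proxy_rules "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        $IPT -t nat $rule || exit 1   # exits only this pipeline's subshell
    done
}

# Usage (as root, once the squid user exists): apply_proxy_rules squid exemptuser
```

Running it with `IPT=echo apply_proxy_rules squid exemptuser` prints the five iptables invocations in order, which is a convenient way to review them before they go into the shorewall start script.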

4. Make BerkeleyDB – must be a 2.x version, not newer, not older:

* cd db-2.7.7/dist && ./configure && make && make install

5. Make squid v2.6 (the ./configure line is one long command):

* cd squid-2.6.STABLE5-20061110
* ./configure --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-cachemgr-hostname=hostname --enable-arp-acl --enable-htcp --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --disable-ident-lookups --disable-internal-dns && make && make install

6. Make squidGuard v1.2:

* cd squidGuard-1.2.0 && ./configure && make && make install

7. Make dansguardian v2.9.8:

* cd dansguardian-2.9.8.0
* mkdir /usr/local/dansguardian
* ./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes && make && make install

8. Make and configure squid directories:

* mkdir /usr/local/squid/var/cache
* chown -R squid:squid /usr/local/squid/var
* chmod 0770 /usr/local/squid/var/cache
* chmod 0770 /usr/local/squid/var/logs

9. Make and configure squidGuard directories:

* mkdir /usr/local/squidGuard
* mkdir /usr/local/squidGuard/log
* chown -R squid:squid /usr/local/squidGuard/log
* chmod 0770 /usr/local/squidGuard/log
* mkdir /var/log/squidguard
* touch /var/log/squidguard/squidGuard.log
* touch /var/log/squidguard/ads.log
* touch /var/log/squidguard/stopped.log
* chown -R squid:squid /var/log/squidguard
* mkdir /var/lib/squidguard
* mkdir /var/lib/squidguard/db
* mkdir /var/lib/squidguard/db/blacklists
* mkdir /var/lib/squidguard/db/blacklists/ok
* chown -R squid:squid /var/lib/squidguard

10. Make and configure dansguardian directories:

* chown -R squid:squid /usr/local/dansguardian/var/log

11. Edit and copy configs from respective source directories:

* cp squid.conf /usr/local/squid/etc/squid.conf
* sample squid.conf settings:
o http_port 127.0.0.1:3128 transparent
o icp_port 0
o htcp_port 0
o redirect_program /usr/local/bin/squidGuard
o cache_effective_user squid
o cache_effective_group squid
o acl all src 0.0.0.0/0.0.0.0
o acl manager proto cache_object
o acl localhost src 127.0.0.1/255.255.255.255
o acl to_localhost dst 127.0.0.0/8
o acl allowed_hosts src 192.168.12.0/255.255.255.0
o acl SSL_ports port 443
o acl Safe_ports port 80 21 443 # http ftp https
o ##acl Safe_ports port 21 # ftp
o ##acl Safe_ports port 443 # https
o ##acl Safe_ports port 1025-65535 # unregistered ports
o acl CONNECT method CONNECT
o acl NUMCONN maxconn 5
o acl ACLTIME time SMTWHFA 7:00-21:00
o deny_info ERR_ACCESS_DENIED_TIME ACLTIME
o #http_access allow manager localhost
o #http_access deny manager
o http_access deny manager all
o http_access deny !Safe_ports
o http_access deny CONNECT !SSL_ports
o http_access allow localhost ACLTIME
o http_access deny NUMCONN localhost
o #http_access allow allowed_hosts
o http_access deny to_localhost
o http_access deny all
o http_reply_access allow all
o #icp_access allow allowed_hosts
o #icp_access allow all
o icp_access deny all
o visible_hostname localhost
* cp squidGuard.conf /usr/local/squidGuard/squidGuard.conf
o change ip gateway address in squidGuard.conf
* cp dansguardia*.conf /usr/local/dansguardian/etc/dansguardian/
* sample dansguardian.conf settings:
o filterip = 127.0.0.1
o filterport = 8080
o proxyip = 127.0.0.1
o proxyport = 3128
o accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
o mailer = '/usr/sbin/sendmail -t'
* sample dansguardianf1.conf settings:
o groupmode = 1
* cp getlists.sh to /usr/local/bin
* cp etc-shorewall-start /etc/shorewall/start (change user name)
* cp etc-shorewall-stop /etc/shorewall/stop (change user name)
* cp etc-rc.local /etc/rc.local
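Added example, not from the original write-up: a POSIX shell lint for the step-11 squid.conf settings, run here against a constructed copy of the sample above rather than a live file. Squid evaluates http_access lines top to bottom and takes the first match; if nothing matches, the default is the opposite of the last line, which is why the sample ends with `http_access deny all`. That first-match rule is also worth keeping in mind for the sample itself: `http_access allow localhost ACLTIME` sits above `http_access deny NUMCONN localhost`, so the five-connection limit only takes effect outside the allowed hours. The three checks below (http_port bound to loopback, final deny all, every acl referenced by http_access actually defined) are mine; `squid -k parse` remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not the author's script). Lints a squid.conf for three
# pitfalls of the step-11 sample. The config text is passed as a string.

# Constructed sample mirroring the settings in step 11 (not a live config).
SAMPLE_SQUID_CONF='http_port 127.0.0.1:3128 transparent
redirect_program /usr/local/bin/squidGuard
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl ACLTIME time SMTWHFA 7:00-21:00
http_access deny manager all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost ACLTIME
http_access deny all'

# Check 1: http_port must be bound to 127.0.0.1, so only DansGuardian on the
# same box can reach Squid and nothing can talk to 3128 to skip the filter.
check_loopback_port() {
    printf '%s\n' "$1" | awk '
        $1 == "http_port" { n++; if ($2 !~ /^127\.0\.0\.1:/) bad = 1 }
        END { exit (n == 0 || bad) ? 1 : 0 }'
}

# Check 2: the last http_access line must be "deny all". Squid takes the first
# matching rule; with no match the default is the opposite of the last rule.
check_final_deny() {
    printf '%s\n' "$1" | awk '
        $1 == "http_access" { last = $2 " " $3 }
        END { exit (last == "deny all") ? 0 : 1 }'
}

# Check 3: every acl named on an http_access line (leading "!" stripped) must
# be defined by an "acl" line; an undefined name stops squid from starting.
check_acls_defined() {
    printf '%s\n' "$1" | awk '
        $1 == "acl" { defined[$2] = 1 }
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) { name = $i; sub(/^!/, "", name); used[name] = 1 }
        }
        END {
            for (n in used) if (!(n in defined)) missing = 1
            exit missing ? 1 : 0
        }'
}

# Run all checks, report each failure, return non-zero if any failed.
lint_squid_conf() {
    status=0
    check_loopback_port "$1" || { echo "http_port is not bound to 127.0.0.1"; status=1; }
    check_final_deny "$1"    || { echo "last http_access line is not 'deny all'"; status=1; }
    check_acls_defined "$1"  || { echo "http_access references an undefined acl"; status=1; }
    return $status
}

# Usage against the installed file:
#   lint_squid_conf "$(cat /usr/local/squid/etc/squid.conf)"
```

The checks deliberately look only at the first three fields of each line, which is enough for the sample's settings; a config that continues lines or uses include files would need `squid -k parse` instead.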

12. Start or restart services as needed:

* chkconfig iptables on
* chkconfig shorewall on
* service iptables restart
* service shorewall restart
* /usr/local/squid/sbin/squid -z (first-time config)
* /usr/local/squid/sbin/squid -N -d 1 -D (test squid, kill when working fine)
* /usr/local/squid/sbin/squid (this also runs squidGuard from "/usr/local/bin/squidGuard")
* /usr/local/dansguardian/sbin/dansguardian
* /usr/local/bin/getlists.sh (takes a very long time, and may need to be killed and run a couple of times)
* /usr/local/squid/sbin/squid -k reconfigure
* /usr/local/dansguardian/sbin/dansguardian -Q

13. Post-install testing and tweaking:

* test with browser – should be transparent proxy surfing now, works with lynx as well
* set up a mailer for notifications:
* I used postfix, pointed at your ISP's mail server (mailserver.isp.domain)
* postfix needs /etc/postfix/transport and /etc/postfix/generic
* dansguardian.conf calls it with the 'sendmail -t' command
* for non-authenticated use, do not set 'by user = on' in dansguardianf1.conf

14. Edit squid.conf and set up time-based access, to prevent late-night surfing (add the following lines):

* acl ACLTIME time SMTWHFA 7:00-21:00 (add to the ACL section)
* http_access allow localhost ACLTIME (add to the http_access section)

Final notes: This probably will not work exactly as posted, especially if you use newer versions than I posted, so be prepared to tweak. Read through the squid.conf, squidGuard.conf, dansguardian.conf, and dansguardianf1.conf files for other options and file locations, and refer to the University of Google for further help with options and error messages. I had to play around with configure options for a while before I could get squid to compile, so be ready to do the same, depending on your setup. This all runs on a local box, which is not used to proxy any other computers – instead, I just do not allow them to use the main computer. I sincerely hope this helps someone secure their kids’ computers. I have set this up on a friend’s home PC as well, and they are very happy with the results. Good luck!
