Network Adblocking using Squid, SquidGuard, and IPtables

I originally discovered Adblock Plus when I first downloaded Firefox many years ago. Since then I've installed the Adblock plugin right after Firefox, etc. It's become so standard that I almost think Firefox should just bundle them together, including it in its default install exe.

Adblock Plus works as if it were a local content policy, filtering each request you make with Firefox. Each URL, each domain, each link you navigate to is checked against a static blacklist of expressions and URLs. If a match is found, Adblock Plus simply discards the content from rendering. Discarding or allowing content to load is managed by the Content Policy engine within Firefox; Adblock Plus simply utilizes this in order to block the unwanted content. Or at least this is my comprehension of how it works. :-p

Setting up your own Network wide Adblocker

The purpose of this guide and tutorial is to instruct you on how to set up your own network-based adblocker. The expectation after completion is that every client browser on the network will benefit from adblocking without installing a plugin on each one. I will include as much as possible, and feel free to ping me with questions or comment down below.

You will need:

  1. Computer that will be running the web proxy. (For this article, see specs below)
  2. OS that will host the proxy software. (For this article, Ubuntu 12.04 32-bit Server)
  3. Proxy software that supports URL rewrite programs. (Squid)
  4. Content-control software or URL redirect application that will consume your blacklists. (squidGuard)
  5. URL and RegExp blacklists consumable by your content-control software. (Here are some free ones)
  6. Optional: iptables for transparent proxy redirection
  7. Patience and enthusiasm :-p

Step 1: Installing OS and software

  1. Spec out your hardware. Keep in mind the sizing and the number of clients you will be serving.
    For this tutorial I used the following:
    –Dual Core -Intel(R) Xeon(TM) CPU 2.66GHz 32-bit
    –4GB DDR RAM
    –320GB SATA HD
    –Dual 10/100/1000 NIC
  2. Download an ISO copy of Ubuntu or Debian.
  3. Install Ubuntu; for a tutorial see here.
  4. Make sure you are a sudo user or have root access; this is needed for the next steps.
  5. After install, update your system to the latest packages via:
  6. Next, install Squid (the squid3 package on Ubuntu 12.04).
  7. Install squidGuard from the repositories.
  8. Set a static IP address on the server. Run ifconfig eth0 to find your current IP. Mine was 192.168.0.113. We will assume this is a /24 network, so pick a low number for the last octet; I chose 192.168.0.5. The full reasoning is outside the scope of this article, but the short version is that every client (and, in Step 4, the iptables rules on the router) will point at this address, so it must not move with a DHCP lease. Perform the static IP address config.
    Add the following in
  9. Restart the network interfaces. Make sure you are on the local console: you will lose remote access!
  10. Check ifconfig eth0; you should have 192.168.0.5 (or the IP you picked).

***The base installation is now complete, and we are ready to configure our service applications!

Step 2: Configuring squidProxy

  1. Make a copy of your default config file.
  2. Null the squid.conf file.
  3. Edit squid.conf with vi and paste the following lines. Whatever you paste in, check the http_access rules: Squid evaluates them top to bottom and stops at the first match, so they must allow only your LAN (an acl of type src for your /24) and finish with deny all. A proxy that is reachable from the Internet and allows everything is an open relay that will be found and abused.
  4. Next, start the service up.
  5. If you encounter any issues or error messages, check the syslog.
  6. TEST with Firefox. Go into Firefox settings –> Connection Settings. Enter the IP address and port of your proxy server, similar to this. Try to browse to some sites like Google, MSN, Facebook, etc. Ensure you can get to them. Next, to make this a thorough test and ensure you are connecting through the proxy, go back to your proxy server's terminal and enter the following to turn off the proxy service.

    After that completes, try to browse on the client machines. You should get an error (Firefox reports that the proxy server is refusing connections), which proves the traffic was really going through Squid.

***Congratulations you have successfully set up your first Proxy Server with squidProxy!!!
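The squid.conf contents the post pasted in did not survive extraction, so here is an added example of what Step 2 needs, written for this edit and not copied from the post. It assumes Squid 3.1 as packaged on Ubuntu 12.04 (config in /etc/squid3, spool and logs under /var/spool/squid3 and /var/log/squid3), port 3128 and the 192.168.0.0/24 LAN used throughout the article; the hostname and cache size are illustrative. The last function asks Squid itself to parse the file, which is the real syntax check; the check_closed_proxy helper only guards the ordering mistake that turns the box into an open proxy.

```shell
#!/bin/sh
# Added example for Step 2 (not the post's own config).
# Assumed: Squid 3.1 on Ubuntu 12.04, port 3128, LAN 192.168.0.0/24.

# Write a forward-proxy configuration restricted to the local network.
# Squid evaluates http_access lines top to bottom and stops at the first match,
# so "http_access deny all" must be the final rule.
write_squid_conf() {
  conf=$1; lan=$2; port=${3:-3128}
  cat >"$conf" <<EOF
http_port $port
visible_hostname proxy.lan

acl localnet src $lan
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

cache_dir ufs /var/spool/squid3 1024 16 256
coredump_dir /var/spool/squid3
access_log /var/log/squid3/access.log squid
EOF
}

# Return the last http_access rule in a config file.
last_http_access() {
  grep '^http_access' "$1" | tail -n 1
}

# Return 0 if the final rule is the catch-all deny, 1 otherwise (open proxy risk).
check_closed_proxy() {
  [ "$(last_http_access "$1")" = "http_access deny all" ]
}

# Let Squid parse the file when it is installed; "squid3 -k parse" is the real check.
parse_with_squid() {
  if command -v squid3 >/dev/null 2>&1; then
    squid3 -k parse -f "$1"
  else
    echo "squid3 not installed; skipped parse of $1"
  fi
}

# Usage on the proxy host: sh this_script.sh write
if [ "${1:-}" = "write" ]; then
  write_squid_conf /etc/squid3/squid.conf 192.168.0.0/24 3128
  check_closed_proxy /etc/squid3/squid.conf && parse_with_squid /etc/squid3/squid.conf
fi
```

After writing the file, restart squid3 and re-run the Firefox test above; if Squid refuses to start, the output of squid3 -k parse names the offending line.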

Step 3: Configuring squidGuard and Blacklists

  1. Make a backup of the squidGuard config file.
  2. Grab a blacklist from here.
  3. Uncompress it.
  4. This unpacks the folder structure for all the blacklist categories, i.e. ads, porn, gambling, etc. We are only concerned with ads, so grab its path.

    COPY this path; you need it for later.
  5. We have to make these blacklists readable by the user that Squid runs as (on Ubuntu the squid3 package runs as the proxy user). Permission bits only help if the directory is owned by that user or its group, so chown it to proxy as well.

    I had to use the permission bits of 750; it was the only permission set that would allow squid to read the blacklists. I put a 0 at the end because I don't want the list readable by any other users on the system.
  6. Now it is time to edit the squidGuard.conf file.
  7. Now add the squidGuard specifics to the squid.conf file, so the main Squid process is aware of squidGuard. Add these lines to the end of your squid.conf file.
  8. Initialize the squidGuard database files to consume the blacklists you just downloaded. This needs to be done every time you update the list.

    It should be fairly quick; if it hangs, squidGuard probably cannot read the blacklist directory. Check your syslog. A related gotcha: if you run the database build as root, the new .db files are owned by root and the proxy user cannot open them, so chown the database directory back to that user before restarting Squid.
  9. For the next step I recommend having two terminal windows open to your proxy server. This will make it easier to tail the logs when you try to start it for the first time.
  10. Restart squid3 to pick up the new configuration items (i.e. squidGuard). Make sure you tail your syslog in the other window.

    In your squidGuard log you should see the following lines:

    You will also see in the log how it loaded the db files you defined in your squidGuard.conf file.
  11. Testing. Ensure your client's Firefox still has Connection Settings pointing at your proxy server. Now browse to a website that has a lot of ads; P2P sites usually carry a crapload of ads. Redirected requests also appear in the squidGuard log, which is a more reliable check than eyeballing the page.

***Congratulations, you have protected your network from ads!!!
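The squidGuard.conf, the squid.conf additions and the database rebuild from Step 3 were also lost in extraction. The following is an added example written for this edit, not the post's own files. It assumes the Ubuntu 12.04 layout (/etc/squidguard/squidGuard.conf, a dbhome of /var/lib/squidguard/db, Squid running as the proxy user, logs under /var/log/squid3), the ads category unpacked to ads/ under dbhome, and a hypothetical block page at http://192.168.0.5/blocked.html that you would serve from the proxy host. As one commenter below notes, the free list used here ships no expressions file for ads, so only the domains and urls files are referenced. Because squidGuard itself cannot run in this page, the domain_listed function is a small stand-in that reproduces the rule squidGuard applies to a domainlist (an entry matches the host and every subdomain of it, nothing else), so you can see which hosts the ads list would catch before pointing a browser at it.

```shell
#!/bin/sh
# Added example for Step 3 (not the post's own files).
# Assumed paths: /etc/squidguard/squidGuard.conf, dbhome /var/lib/squidguard/db,
# Squid user "proxy", block page http://192.168.0.5/blocked.html (hypothetical).

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# squidGuard.conf: one destination class for ads, one acl that passes everything else.
# List paths are relative to dbhome; no expressionlist, since the ads category has none.
write_squidguard_conf() {
  conf=$1; dbhome=$2; redirect=$3
  cat >"$conf" <<EOF
dbhome $dbhome
logdir /var/log/squid3

dest ads {
    domainlist ads/domains
    urllist    ads/urls
}

acl {
    default {
        pass !ads all
        redirect $redirect
    }
}
EOF
}

# Lines to append to squid.conf so Squid hands every URL to squidGuard.
# url_rewrite_bypass off: if the helpers die, traffic stops instead of silently going unfiltered.
squid_rewrite_lines() {
  printf 'url_rewrite_program /usr/bin/squidGuard -c %s\n' "$1"
  printf 'url_rewrite_children 5\n'
  printf 'url_rewrite_bypass off\n'
}

# Rebuild the .db files from the text lists, then hand everything to the Squid user;
# a build run as root otherwise leaves root-owned files that squidGuard cannot open.
rebuild_db() {
  run squidGuard -c "$1" -C all
  run chown -R proxy:proxy "$2"
  run chmod -R u=rwX,g=rX,o= "$2"
}

# Stand-in for squidGuard's domainlist matching, runnable offline:
# returns 0 when host $1 equals, or is a subdomain of, an entry in file $2.
domain_listed() {
  host=$1; list=$2
  while IFS= read -r entry || [ -n "$entry" ]; do
    [ -z "$entry" ] && continue
    case "$host" in
      "$entry"|*."$entry") return 0 ;;
    esac
  done <"$list"
  return 1
}

# Exercise the matcher on a constructed two-entry domains file.
# With the real helper installed, the equivalent check feeds it a redirector line
# in the format Squid 3.1 uses (empty reply = allowed, URL = redirected):
#   echo "http://ads.example.com/b.gif 192.168.0.10/- - GET" | squidGuard -c /etc/squidguard/squidGuard.conf -d
demo_domains() {
  f=$(mktemp)
  printf 'ads.example.com\ntracker.example.net\n' >"$f"
  for h in ads.example.com cdn.ads.example.com example.com; do
    if domain_listed "$h" "$f"; then echo "$h blocked"; else echo "$h allowed"; fi
  done
  rm -f "$f"
}
```

Run demo_domains to see that ads.example.com and cdn.ads.example.com are caught while example.com is not; that asymmetry is why an ads list can block a tracker subdomain without taking the parent site down. Set DRY_RUN=1 to print the rebuild commands instead of executing them.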

Optional Step 4: Transparent Proxy Redirection via iptables

    1. This next section assumes you have a working iptables setup on the router/firewall at 192.168.0.1, with the proxy server at 192.168.0.5. The rules go on the router, not on the proxy: it is the router that sees the clients' outbound traffic.
    2. We need to add two statements.
    3. ***NOTICE: we are only specifying port 80, not 443!

Port 443 bypasses the proxy as we are not doing SSL interception, so HTTPS traffic, and any ads served over it, is neither filtered nor logged by this setup. Intercepting it would mean terminating TLS on the proxy and installing your own CA on every client, which is out of scope here. Also keep in mind that only traffic actually routed through the router is redirected; a client that uses another gateway, or a site served on a non-standard port, bypasses the proxy.

  • Now we must tell Squid about the transparency. Find the http_port line and add transparent to the end of it. (Newer Squid releases spell this intercept and expect intercepted traffic on its own port, separate from the port explicit-proxy clients use.)
  • Remove the Firefox proxy settings in Connection Settings.

***Congrats, you are now transparently redirecting all port 80 calls to your proxy server.
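The two iptables statements themselves are missing from the extracted post, so here is an added example written for this edit rather than the author's own rules. It assumes the addresses used above (router 192.168.0.1, proxy 192.168.0.5 listening on 3128, LAN 192.168.0.0/24), that the router's LAN-facing interface is eth1, and that the proxy sits on the same segment as the clients. The second rule is what makes that layout work: without the SNAT, the proxy would answer the client directly and the client would see replies from 192.168.0.5:3128 instead of the server it connected to. The ! -s exclusion is the other detail that is easy to forget; without it the proxy's own fetches are redirected back to itself.

```shell
#!/bin/sh
# Added example for Step 4 (not the post's own rules); run on the router.
# Assumed: router 192.168.0.1 with LAN interface eth1, proxy 192.168.0.5:3128,
# LAN 192.168.0.0/24. Set DRY_RUN=1 to print the commands instead of applying them.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ROUTER_IP=${ROUTER_IP:-192.168.0.1}
PROXY_IP=${PROXY_IP:-192.168.0.5}
PROXY_PORT=${PROXY_PORT:-3128}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Rule 1: send LAN clients' port-80 traffic to the proxy. "! -s $PROXY_IP" keeps the
# proxy's own outbound fetches out of the rule; otherwise they loop back to the proxy.
# Only --dport 80 is matched: 443 is deliberately not intercepted (no TLS interception).
# Rule 2: make the redirected packets appear to come from the router, so the proxy's
# replies travel back through the router and the client's connection state stays valid.
transparent_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -s "$PROXY_IP" \
      -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$PROXY_IP" \
      -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$ROUTER_IP"
}

# The matching squid.conf listener line (Squid 3.1 keyword; newer releases use "intercept").
http_port_line() {
  printf 'http_port %s transparent\n' "$PROXY_PORT"
}

# Usage: sh this_script.sh apply   (or DRY_RUN=1 sh this_script.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
  transparent_rules
  echo "now set in squid.conf on the proxy: $(http_port_line)"
fi
```

One side effect of the SNAT rule is that Squid's access.log, and any per-client squidGuard acl, will see every request as coming from 192.168.0.1; if you need real client addresses, run the proxy on the router itself or use policy routing instead of SNAT.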


  1. m /

    Fantastic. I had already set up squid transparently over the weekend, and this worked for setting up squidguard, with a few variations: my squid install directory was squid, not squid3, and the squidguard.conf edit (a) domainlist blacklists/ads/domains & urllist blacklists/ads/urls should be [folder you copied from pwd]/ads/domains .. & (b) the blacklist source you gave has no expressions (so comment that line out). Finally, Step 4 needs to happen on the router, correct?

    1. thejimmahknows / Post Author

      Correct. The iptables portion takes place on your router, if you are using iptables. This can be done on other firewall platforms as well.

  2. Benjamin E. Nichols /

    Hello, I was just reading this (http://ispltd.org/server_guides:squid_black_list) and thought I would take the time to write a short note to inform you all that we offer blacklists tailored specifically for Squid proxy native acl, as well as alternative formats for the most widely used third party plugins. So we invite you all to check us out. We take a great deal of pride in the fact that our works offer a higher degree of quality than the freely available options. Our lists are also compatible with UrlFilterdb.

    Quality Blacklists Tailored For Squid Proxy – http://www.squidblacklist.org

  3. Pingback: Installare SquidGuard | lupoalberto12's blog /

  4. Pingback: Apple pulls mobile ad-blockers over security issue | TeleRead /

  5. Azeez /

    Thanks for the tutorial, but during my setup, after step 2, my browser says "Firefox is configured to use a proxy server that is refusing connections." Please assist. Thank you

    1. thejimmahknows / Post Author

      Step 2 simply blanks the squid.conf file so you may paste in the contents of step 3. Try that and let us know. Thanks!
