How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

This how-to describes how to install and configure Dansguardian with multi-group filtering, Squid with NTLM auth, ipmasq, and dnsmasq to provide a full internet gateway solution for small to medium sized networks. This how-to requires two NICs in order to perform firewalling and transparent proxying.

Install Debian Etch with the base system only.

Configure the base system

This how-to assumes you have the following configured:

eth0 with a static or dynamic IP as the external NIC and eth1 with the static address of as the internal NIC

The base system install does not install SSH so we will do that now.

apt-get install ssh openssh-server

Now that SSH is installed you can finish the rest of this how-to from within an SSH session if you wish.

ClamAV in Etch has a bug in that when you start Dansguardian it takes a long time to load. We are going to set Apt to get a newer version of ClamAV from Debian Backports to avoid this.

Edit and add the following lines to your /etc/apt/sources.list:

deb sarge contrib
deb etch-backports main contrib non-free

Adding the following info in /etc/apt/preferences tells Apt to only get ClamAV from
Note: If a newer version than “0.91.2” of ClamAV comes out for Etch that fixes the bug, you may not have to perform this step.

Edit /etc/apt/preferences and enter the following:

Package: clamav
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-base
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-freshclam
Pin: release a=etch-backports
Pin-Priority: 999

Package: libclamav2
Pin: release a=etch-backports
Pin-Priority: 999

Update Apt, install some software, and configure Kerberos…

apt-get update
apt-get install debian-backports-keyring
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

You will be asked the following questions:

Note: The answers to these questions are case sensitive. You must answer them as in the example below.

Please specify the workgroup you want this server to appear to be in when queried by clients. <– EXAMPLEDOMAIN

Modify smb.conf to use WINS settings from DHCP? <– No

Kerberos servers for your realm: <– domaincontroller.EXAMPLEDOMAIN.LOCAL

Administrative server for your Kerberos realm: <– domaincontroller.EXAMPLEDOMAIN.LOCAL

dpkg-reconfigure krb5-config

And again some more questions.

Default Kerberos version 5 realm: <– EXAMPLEDOMAIN.LOCAL

Does DNS contain pointers to your realm’s Kerberos Servers? <– Yes


Configure resolvconf and dnsmasq

Many internet connections are dynamic, and Kerberos can fail when pppd or DHCP updates the DNS servers. We installed resolvconf earlier, which will help us solve the problem.

Edit /etc/resolvconf/resolv.conf.d/head and add search exampledomain.local to line 3.

DNSmasq is a small DNS forwarder and DHCP server which integrates into resolvconf.

We need to verify that we have the right name servers in /var/run/dnsmasq/resolv.conf. Edit it to look like the example below.

nameserver <IP of domain controller>
nameserver <IP of primary ISP DNS server>
nameserver <IP of secondary ISP DNS server>

DNSmasq’s config file needs to be modified for best performance and security. Edit /etc/dnsmasq.conf and make the necessary changes listed below.

nano -c /etc/dnsmasq.conf

Uncomment lines 14 and 16
Uncomment line 71 and add eth0 to the end of the line.

Currently dnsmasq’s DHCP feature is disabled but if you would like to use this feature then I would suggest starting at line 100 as the DHCP options start there. There are also some advanced options for DNS starting on line 307, such as configuring MX records and the like. Many more options are available but are beyond the scope of this how-to.


Set the domain controller as the time server

nano -c /etc/ntp.conf

Comment out lines 19 through 22 of /etc/ntp.conf and insert the following on line 23:

server domaincontroller.exampledomain.local iburst


Configure Samba and join the domain

First make a copy of your /etc/samba/smb.conf and then edit it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano -c /etc/samba/smb.conf

Enter on line 53 interfaces =
Uncomment line 59.
Uncomment line 91 and change to security = ads.
Uncomment lines 204 and 205.
Add the following lines before line 217:

winbind trusted domains only = yes
winbind cache time = 3600

Restart samba, winbind and synchronize the time with the domain controller.

net time set -S domaincontroller
/etc/init.d/samba restart
/etc/init.d/winbind restart

Now join the domain:

net ads join -U Administrator

If all went well you should be able to run the following with success.

wbinfo -t

The output should be “checking the trust secret via RPC calls succeeded”.

wbinfo -u

This should list all users in the domain.

wbinfo -g

This should list all of the groups in the domain.

Configure the Squid Proxy Server

Make a backup of /etc/squid/squid.conf and edit it.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
nano -c /etc/squid/squid.conf

Change line 73 to http_port transparent
and line 74 to http_port 8080
and line 593 to cache_peer parent 8081 0 no-query login=*:nopassword.

Uncomment line 1791 through 1783 and replace <uncomment … activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

Uncomment line 1800 through 1803 and replace <uncomment … activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Change line 2449 to acl ntlm_auth proxy_auth REQUIRED
and line 2579 to http_access allow ntlm_auth
and line 3161 to forwarded_for off

Now save the config file.

The last change, forwarded_for off, is a very important one: if the setting is left at its default, Squid will send your internal IP to every site that you visit.
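A way to check the edited file before restarting Squid, as an added example that is not part of the original how-to. The function name audit_squid_conf and both sample configs are constructed for illustration; the bad sample uses a single hyphen to stand in for a mangled --helper-protocol option. It goes one step beyond the text by also checking rule order, since Squid applies the first matching http_access line.

```shell
#!/bin/sh
# Added example: audit the squid.conf directives this how-to changes.
# Prints one finding per line; returns 0 only when there are none.
audit_squid_conf() {
    awk '
        { sub(/#.*/, "") }              # ignore comments, as Squid does
        NF == 0 { next }
        $1 == "forwarded_for" { fwd = ($2 == "off") }
        $1 == "acl" && $3 == "proxy_auth" && $4 == "REQUIRED" { auth[$2] = 1 }
        $1 == "auth_param" && $2 == "ntlm" && $3 == "program" &&
            index($0, "--helper-protocol=squid-2.5-ntlmssp") { helper = 1 }
        $1 == "http_access" && $2 == "allow" {
            for (i = 3; i <= NF; i++) if ($i in auth) authed = 1
            # http_access is first-match: "allow all" ahead of the
            # authenticated rule admits unauthenticated clients.
            if (!authed && NF == 3 && $3 == "all") bypass = 1
        }
        END {
            if (!fwd)    print "forwarded_for is not off (client IP sent in X-Forwarded-For)"
            if (!helper) print "ntlm helper lacks --helper-protocol=squid-2.5-ntlmssp"
            if (!authed) print "no http_access allow rule requires proxy_auth"
            if (bypass)  print "http_access allow all precedes the authenticated rule"
            exit (!fwd || !helper || !authed || bypass)
        }
    ' "$1"
}

# Constructed samples: the settings from this section, then a broken variant.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
http_port 8080
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl all src 0.0.0.0/0.0.0.0
acl ntlm_auth proxy_auth REQUIRED
http_access allow ntlm_auth
http_access deny all
forwarded_for off
EOF
cat > "$bad" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth -helper-protocol=squid-2.5-ntlmssp
acl all src 0.0.0.0/0.0.0.0
acl ntlm_auth proxy_auth REQUIRED
http_access allow all
http_access allow ntlm_auth
# forwarded_for off
EOF
audit_squid_conf "$good" && echo "good sample: no findings"
audit_squid_conf "$bad" || echo "bad sample: findings listed above"
```

Run it against the real file with audit_squid_conf /etc/squid/squid.conf; a non-zero exit status means at least one finding was printed.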

Squid needs access to /var/run/samba/winbindd_privileged. We can easily fix this, but the permissions will reset when we reboot. So Jesse Waters on posted a script that will set the permissions on every system boot.

Edit /etc/init.d/ and paste the following into it.

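#!/bin/sh
#set -x
# Let the proxy group (Squid's group on Debian) into winbindd's privileged pipe directory.
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
    chgrp proxy "$WINBINDD_PRIVILEGED" || return 1
    chmod g+w "$WINBINDD_PRIVILEGED" || return 1
}
case "$1" in
    start) chmodgrp ;;
    stop) ;;  # nothing to undo
    restart|reload|force-reload)  # labels reconstructed; the original case patterns were lost
        echo "Error: argument '$1' not supported" >&2
        exit 3 ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3 ;;
esac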

update-rc.d start 21 2 3 4 5 .


Configure Dansguardian

Edit /etc/dansguardian/dansguardian.conf and comment out line 3.
Go to line 62 and change 8080 to 8081.
Change filtergroups = 1 on line 102 to filtergroups = 2 and create your group files.

cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf2.conf
nano -c /etc/dansguardian/dansguardianf2.conf

Go to line 29 and change to naughtynesslimit = 100.

Anti-Virus definitions should not be scanned as they will most definitely be blocked.

Edit /etc/dansguardian/exceptionvirussitelist and add your AV software’s definition site name to the list.
For example:

You may also want to add the domain to the site exception list.
Edit /etc/dansguardian/exceptionsitelist and add the domain.
For example:

Restart Dansguardian:

/etc/init.d/dansguardian restart


Configure the firewall

Ipmasq is a very flexible automatic firewall/router configuration utility and it is what we will use for configuring the firewall.

apt-get install ipmasq -y

To enable transparent proxying for squid we have to redirect all outgoing http requests to port 8081 as defined earlier in dansguardian. The following config file does this for us:

cp /usr/share/doc/ipmasq/examples/basics/I89tproxy.rul /etc/ipmasq/rules/I89tproxy.rul

If you have an internal server that needs ports forwarded to it then take a look at:


Install the Dansguardian Webmin module

Open a web browser to and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules. Select “From ftp or http URL” and paste the link below into the dialog box and click Install Module.

Now for the final tests. Reboot, then configure your web browser to use this machine’s IP address and port 8080 as its proxy. If all goes well and your machine is joined to the domain, it should log on automatically and connect to the Internet.

Keep in mind that Internet Explorer requires you to specify the domainname\username in the username dialog if NTLM fails.

Next, test another computer that is not joined to the domain and is not configured to use a proxy.

Now log in to Webmin and check your Dansguardian logs. They should show the domain computer’s username and the site you visited earlier.

Look for the non-domain computer, notice how the IP of the domain computer has the IP of This is because the domain computer goes through squid then dansguardian then back through squid. The non-domain computer goes directly to dansguardian and then through squid.

If it does not work, check your syslog for errors.