Monday, April 14, 2008

Transparent Proxying with Shorewall, SQUID and Privoxy on Ubuntu

note: This article is intended for a technical audience -- and while it seems to work for the two systems I've tried it on since, you should use caution when modifying a production system -- caveat emptor.

A 'remember these for later brain' post, mainly because I always forget the order when I haven't done it for a while.

note: you can do this with any distribution -- Ubuntu Server works and I use that, but you can substitute the names of your distribution's packages instead and still get much the same result.

First, having installed Ubuntu Server, you'll need the universe repository, as privoxy isn't officially blessed by the Ubuntu maintainers.

Next, you'll need to install the various packages you'll need to make this fly -- as root, run:


apt-get install squid privoxy shorewall


After that's done, you'll want to make SQUID work first -- using Ubuntu 8.04, this entails opening the default SQUID configuration at /etc/squid/squid.conf and:



  1. Adding transparent to the port configuration by changing:

    --- http_port 3128
    +++ http_port 8080 transparent




  2. Adding your {W/L}AN block to the ACL list by adding:

    +++ acl local_network src 192.168.0.0/24

    ... and enabling it in the http_access list by adding:

    +++ http_access allow local_network




Save the configuration and exit the editor.

Now restart SQUID with: /etc/init.d/squid restart to have your changes take effect.

At this point, configure a browser to use a manual proxy on the server's IP address on port 8080 and make sure it actually works. If you receive an error that talks about Access Control Lists, check that you added the right network mask to the SQUID local_network line you added above.

If that works, we can move on to the Privoxy part of things. Privoxy, for those who are unaware, is one of the best 'web-crud(tm)' filters I've ever had the pleasure of using. It was originally built from the Internet Junkbuster (IJB) but has now got many more features, is stable on pretty much any platform for a wide variety of users and protects your privacy too.

By far, the easiest way to configure Privoxy is via the web-interface, but the Ubuntu package disables that by default, so before we hook it up to SQUID, we should enable that.

Open the /etc/privoxy/config file and make the following changes:



  1. Enable editing of actions via the web interface by changing:

    --- enable-edit-actions 0
    +++ enable-edit-actions 1




Save the configuration and exit the editor.

Now restart Privoxy with: /etc/init.d/privoxy restart to have your changes take effect.

Now, we need to hook Privoxy up to our proxy as the default parent cache -- you'll need to open the SQUID configuration file again and make the following adjustments:

note: If you haven't done so already, it's a good idea at this point to make a backup copy of your /etc/squid/squid.conf file before making these changes.



  1. Adding Privoxy as a cache peer by adding:

    +++ cache_peer 127.0.0.1 parent 8118 0 no-query no-delay no-digest no-netdb-exchange


    note: because Privoxy cannot influence any of SQUID's cache settings, setting no-query no-delay no-digest no-netdb-exchange as options for the peer cache lessens the delay between Privoxy filtering the transaction and SQUID caching it, which can be up to a second on slower hardware (for example, a Pentium 4 1.2GHz machine with 1GB of memory).



  2. Telling SQUID to always send traffic from the firewall directly to the internet by adding:

    +++ always_direct allow localhost




  3. Telling SQUID to never send traffic from the local LAN directly to the internet (thereby forcing users to use the Privoxy/SQUID cache) by adding:

    +++ never_direct allow local_network




Save the configuration and exit the editor.

Now restart SQUID with: /etc/init.d/squid restart to have your changes take effect.
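A check on the finished squid.conf from the steps above, as an added example that is not part of the original post. It also covers a point the steps leave implicit: http_access rules are matched in order, so the allow for local_network has to sit above any http_access deny all. The sample configuration is constructed and the function names are this example's own.

```python
# Constructed sample: stock-style access rules plus the lines added in the post.
SAMPLE_SQUID_CONF = """\
http_port 8080 transparent
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl local_network src 192.168.0.0/24
http_access allow localhost
http_access allow local_network
http_access deny all
cache_peer 127.0.0.1 parent 8118 0 no-query no-delay no-digest no-netdb-exchange
always_direct allow localhost
never_direct allow local_network
"""

def directives(text):
    """Return [name, arg, ...] for every line that is not blank or a comment."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.split() for ln in lines if ln and not ln.startswith("#")]

def audit(text, lan_acl="local_network"):
    """Return a list of findings; an empty list means every check passed."""
    conf = directives(text)
    found = []
    if not any(d[0] == "http_port" and "transparent" in d[2:] for d in conf):
        found.append("no http_port line carries the 'transparent' option")
    if not any(d[:3] == ["acl", lan_acl, "src"] for d in conf):
        found.append(f"'acl {lan_acl} src <network>' is not defined")
    # http_access rules are evaluated top to bottom and the first match wins,
    # so the LAN allow rule has to sit above 'http_access deny all'.
    rules = [d[1:] for d in conf if d[0] == "http_access"]
    allow, deny = ["allow", lan_acl], ["deny", "all"]
    if allow not in rules:
        found.append(f"'http_access allow {lan_acl}' is missing")
    elif deny in rules and rules.index(deny) < rules.index(allow):
        found.append(f"'http_access deny all' precedes the allow for {lan_acl}")
    if ["allow", "all"] in rules:
        found.append("'http_access allow all' is present; any client that reaches the port may use the proxy")
    if not any(d[:4] == ["cache_peer", "127.0.0.1", "parent", "8118"] for d in conf):
        found.append("no cache_peer parent pointing at Privoxy on 127.0.0.1:8118")
    if ["never_direct", "allow", lan_acl] not in conf:
        found.append(f"'never_direct allow {lan_acl}' is missing, so LAN requests may bypass Privoxy")
    return found

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQUID_CONF) or ["all checks passed"]:
        print(finding)
```

To run it against a live system, pass the contents of /etc/squid/squid.conf to audit() instead of the sample.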

Finally we need to add the rules for transparently using our proxy to our Shorewall Firewall Configuration -- you'll need to open the Shorewall rules configuration file and make the following alteration:

note: For the purposes of simplicity, I'm assuming that your WAN interface is eth0, your LAN interface is eth1, your LAN IP range is 192.168.0.0/24 and your Shorewall configuration is already complete (for some reason I still don't fully understand, the Debian and Ubuntu packages don't ship with a default configuration file, so if you don't see a /etc/shorewall/rules file, you'll need to download one, or grab a prefabricated copy from the /usr/share/doc/shorewall directory and set it up first).



  1. Adding a redirection to our transparent proxy by adding:

    +++ REDIRECT     loc     8080     tcp     www     -
    +++ ACCEPT     $FW     net     tcp     www




note: the minus (-) with the trailing space at the end of the redirect line is important: it means it will ignore the source port when working out the request and force any already established request to continue to use the proxy.

Save the configuration and exit the editor.

Now restart the Shorewall Firewall with: /etc/init.d/shorewall restart -- fire up a browser, make sure it is not configured to use a proxy (i.e. it uses a direct connection to the internet) and browse to your heart's content.

Thursday, April 10, 2008

Australian'ising Epiphany's Keyword Search

As part of the upgrading process to the new Ubuntu LTS release -- I found my default search engine had been reset to http://www.google.co.uk rather than http://www.google.com.au in Epiphany.

Everything else about Epiphany's default setup is Australian, the language defaults are en-au and the languages are set correctly, but the keyword search isn't.

Fortunately, this is easy to change.

First, fire up your browser and type about:config into the location bar, which should take you to the configuration screen -- consisting of a filter box and a larger portion containing all of the relevant tweakable parameters.

In the filter textbox type: keyword.URL -- it should be a User Set, String value (in bold) that looks like the screen below:



Now, if you right-click the bold text and select modify, a textbox should appear in the center of the screen. Simply use the keyboard or mouse to select and remove the .co.uk section of the highlighted URL and enter .com.au instead -- and press OK to return to the configuration menu.

At this point, the screen should look like the one below:



Now just restart Epiphany and do a search, the browser should now (correctly) take you to Google Australia's search.

Tuesday, April 8, 2008

OpenOffice 2.4's Compatibility with Microsoft Word 2000-2007

After yet another virus outbreak at my better half's university -- I set about installing Linux on her machine, overwriting the old Windows 2000 with Word 2003 setup that I've re-installed, patched and registered no less than four times in the last six months.

Two weeks in, she's mostly satisfied -- but there are sticking points with OpenOffice and the compatibility with Microsoft Word.

Thankfully, there are some cute things you can do to improve the look and feel of OO.o under Linux.

note: This has been tested with Novell's version of OpenOffice (currently 2.3) and Ubuntu's Hardy version (currently 2.4.0) -- mileage shouldn't, but may vary on other platforms.

Overall Document Compatibility

First of all, open OpenOffice Writer and find the Tools / Options menu.

Then select OpenOffice.org Writer from the left-hand menu -- your screen should look something like the screenshot below:



Next, choose Compatibility, your screen should look like:



Now, to obtain decent compatibility with Word 2000/2003/2007 make sure these options are checked:

  • Use printer metrics for document formatting
  • Add spacing between paragraphs and tables (in current document)
  • Add paragraph and table spacing at tops of pages (in current document)
  • Do not add leading (extra space) between lines of text
  • Add paragraph and table spacing at bottom of table cells
  • Consider wrapping style when positioning objects
  • Expand word space on lines with manual line breaks in justified paragraphs

When you've finished, your screen should look like:



Finally, to set these options as default -- simply click on the Use as Default button, then the OK button to return to the program.

Microsoft-Sized Margins

The next query had to do with the margin size in OpenOffice, which I personally like -- but university lecturers take umbrage at, so we'll alter those to be more compatible with their Microsoft brethren, which has the added side-effect of being WYSIWYG to most extents when the document is printed via Word.

To do this, we need to make alterations to the default template. I'm presuming you're starting with a blank document on the screen, just by the way.

First of all, find the Format / Page menu -- your screen should look something like the screenshot below:



The default margin sizes in OpenOffice are 2cm (two centimetres -- or around 0.78 inches for US readers).

Whereas, the default margin sizes in Microsoft Word 2003 are 3.81cm (1.5 inches) for the top and bottom margin and 2.54 cm (1.0 inches) for the left and right ones, so you need to alter the Left, Right, Top and Bottom margins on this page to match the screenshot below:



Now that we've modified our blank page to be more Word Compatible at the expense of being less tree friendly, we can now save it for use as a template.

Find the File / Templates / Save... menu, your screen should look something like the one shown below:



There will be a text field you can edit called "New template". Enter "Microsoft Word Compatible" or a similar defining name here.

Below the edit box is a section titled Templates for organizing a lot of templates if you had many that you used. Given we are only modifying a single template, leaving it under the My Templates category is fine.

Finally, press OK to save it.

At this point, OpenOffice will continue to use the default margins. If you would prefer to set these margins as your default template for whenever you make a new document, there are a few extra steps to follow:

First, go to the File / Templates / Organize menu and double click on the "My Templates" folder.

Under the directory, your "Microsoft Word Compatible" template that you created should appear. Right click on it and select "Set as Default Template" -- your screen should look similar to:



Now press "Close" to exit the dialogue and return to OpenOffice, from this point on -- all new documents will use Microsoft Word compatible margins and page-widths by default.

Speedier Startup

Not that it's really anything to do with compatibility, but if you don't use the Java components in OpenOffice on Linux (i.e. you have no JDK installed) you can save a few seconds of start-up time and have a snappier interface by turning the Java components off. To do this, go into the Tools / Options menu.

Then select Java from the left-hand menu and uncheck the Use a Java Runtime Environment box.

Close OpenOffice and re-open it for a much speedier environment.

Wednesday, April 2, 2008

Streamlining the Ubuntu Boot Process

note: This article is intended for a technical audience -- and while it seems to work for the two systems I've tried it on since, you should use caution when modifying a production system -- caveat emptor.

Not-so-simple one line fix that shaves a good 5-10 seconds off the boot up time of a 1.8GHz HP Notebook machine.

Open a terminal and use sudo with your favourite text editor to edit the /etc/init.d/rc file, e.g.

sudo vim /etc/init.d/rc

Then, around line 24, change:


--- CONCURRENCY=none
+++ CONCURRENCY=shell


Save the file, then the next time you reboot -- Ubuntu's base bootup speed will be even more similar to a Microsoft operating environment than ever before.