An Internet Without Ads


This document explains how to configure squid, adzapper, and iptables in order to stop internet ads from being downloaded while you browse. I use apt-get on all the machines I own. If you don't use a Debian derived distro (e.g. Ubuntu), you are expected to know how to install the software packages for your distribution.

But before we begin you need to decide where you will set up your web cache / ad filter. If you use a Linux desktop and only want to filter your own traffic, you can set up these tools on your local machine. If you want to filter your entire network, you need to set them up on your gateway.

Installing the software

The packages you will need are squid, adzapper, and iptables. You can install these, as root, by typing:

apt-get install squid adzapper iptables

If you are prompted to download dependencies, say yes.

Configuring Squid

Next, open the file /etc/squid/squid.conf in your favorite editor. You will need to be root to open this file. Search for the string redirect_program. You should find a comment block that describes this option. Directly below this comment block, add this line:

redirect_program /usr/bin/adzapper.wrapper

Next, search for the string httpd_accel. This should bring you to the section of the config where the following lines belong. Place each below its relevant comment.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

That's it for the squid config. Save the file. Note that these directive names are those of Squid 2.5: from Squid 2.6 on, the httpd_accel_* options were removed and interception is enabled with the single line http_port 3128 transparent (spelled http_port 3128 intercept from Squid 3.1), and redirect_program was renamed url_rewrite_program. Check which version you have with squid -v before editing.
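As an added example that is not part of the original tutorial: the access-control lines that have to accompany the edits above on a gateway install. Squid's shipped squid.conf allows only localhost, so without an ACL for the LAN the intercepted requests from other machines are refused. The 192.168.0.0/24 prefix is an assumption, chosen to match the addresses used later in this document.

```conf
# Access control for the gateway install (added example, not from the page).
# The LAN prefix is an assumption; use the network your clients sit on.
acl lan src 192.168.0.0/24

# Order matters: the first matching http_access line wins, so these must
# precede the "http_access deny all" that squid.conf already contains.
http_access allow localhost
http_access allow lan
http_access deny all
```

Resist the temptation to replace these with http_access allow all. On a box with a WAN interface that turns squid into an open proxy the moment port 3128 is reachable from outside; the deny all line is what keeps it closed. For a local-only install the existing allow localhost line is sufficient and the lan ACL is not needed.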

Iptables Config

The following iptables commands will force http requests to go through squid. If you already have a firewall configured on your box, you will need to add these rules to your existing firewall. If not, I will provide instructions for getting these rules to load when your network interface comes up.

These rules will be different, depending on whether or not the squid daemon is running on the same machine that you surf the internet from. I will often set up a gateway router with squid on it in order to cache web access for all machines on the network (including Windows machines). I provide two different sets of rules below. The first set is for a local squid install. The second set is for a gateway squid install.

Local Squid

The following line should be typed on a single line. Replace your_user_name with the name of a user whose traffic should go through squid. Repeat the line with a different user name for each additional user on the machine.

iptables -t nat -I OUTPUT -m owner --uid-owner your_user_name -p tcp --dport 80 -j REDIRECT --to-ports 3128

This command tells iptables to redirect locally generated traffic to port 80 over to port 3128 whenever the packet comes from a process owned by your_user_name. Squid is listening on port 3128 and will service the request. Do not add a rule for the account squid itself runs as (proxy on Debian): squid's own outbound fetches are locally generated port-80 traffic too and would be redirected straight back into squid, creating a loop. Only plain HTTP on port 80 is affected; HTTPS on port 443 is neither cached nor filtered. The rule requires the iptables owner match module (ipt_owner, called xt_owner on newer kernels). Your kernel needs to have support for it compiled in or loadable as a module, or this won't work. Most vendor kernels these days ship all of the iptables modules, so this should not be a problem.

Gateway Squid

If you configured Squid and Adzapper on your gateway, the following iptables commands (also on your gateway) will force outbound web traffic through squid.

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

The first command tells iptables to redirect packets that are not locally generated and arrive for port 80 to port 3128, where squid is listening. As written it matches every interface; add -i eth0 to it as well, so that only traffic arriving from the LAN is handed to squid and port-80 packets arriving on the WAN side are left alone. The next two lines tell iptables to allow remote connections to port 3128. You will need to change "eth0" to be the interface connected to your LAN. Squid's own http_access rules must also allow the LAN addresses, since the shipped squid.conf allows only localhost; do not loosen them to allow everyone, or the gateway becomes an open proxy. The last three lines allow squid (and other programs running on the gateway) to use http and dns. N.B. additional steps are required to secure this box for use as a gateway firewall. These rules are beyond the scope of this tutorial.

A Quick and Dirty Iptables Script

Unfortunately, the iptables rules will disappear the next time the machine is rebooted. Here is my simple solution, which requires a Debian derived distribution. With the appropriate rules above loaded into iptables, type:
iptables-save > /etc/network/fw

Next, edit /etc/network/interfaces, and add a pre-up line, as follows.
...
iface eth0 inet static
    pre-up iptables-restore < /etc/network/fw
    address 192.168.0.x
...
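The whole procedure from the Local Squid, Gateway Squid and persistence sections, as an added example that is not the tutorial author's script. It prints the rule set for either mode so it can be reviewed without root, applies it as root on request, and then saves it for the pre-up line above. The assumed names are SQUID_USER, the account squid runs as on Debian (proxy), and a LAN interface and prefix that default to eth0 and 192.168.0.0/24 and can be passed as arguments. The gateway rules also go slightly beyond the page's own: they restrict the redirect to the LAN interface and prefix and add a DROP for port 3128 from anywhere else.

```shell
#!/bin/sh
# Added example for the Local Squid, Gateway Squid and persistence sections;
# it is not the tutorial author's script. It prints the rule set for a mode
# so it can be reviewed unprivileged, applies it as root on request and
# then saves it for the pre-up hook. Assumed names: SQUID_USER is the account
# squid runs as on Debian ("proxy"); the LAN interface and prefix default to
# eth0 and 192.168.0.0/24 and can be passed as arguments.

SQUID_PORT=3128
SQUID_USER=${SQUID_USER:-proxy}

# Local mode: one nat OUTPUT rule per desktop user. The account squid itself
# runs as is skipped on purpose: its own outbound port-80 fetches are locally
# generated too and would be redirected straight back into squid (a loop).
local_rules() {
    for u in "$@"; do
        if [ "$u" != "$SQUID_USER" ]; then
            printf 'iptables -t nat -I OUTPUT -m owner --uid-owner %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
                "$u" "$SQUID_PORT"
        fi
    done
}

# Gateway mode: intercept only port-80 traffic that arrives on the LAN
# interface from the LAN prefix, so packets on the WAN side are never handed
# to squid, and allow port 3128 from the LAN only, dropping it otherwise
# regardless of the INPUT policy so squid cannot be used as an open proxy.
gateway_rules() {
    lan_if=$1
    lan_net=$2
    cat <<EOF
iptables -t nat -I PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
EOF
}

# Run each rule read from stdin (root required), then persist the whole
# ruleset to the file the pre-up line in /etc/network/interfaces restores.
apply_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        eval "$rule"
    done
    iptables-save > /etc/network/fw
}

# Usage:  sh adblock-fw.sh print-local alice bob
#         sh adblock-fw.sh print-gateway eth0 192.168.0.0/24
#         sudo sh adblock-fw.sh local alice bob
#         sudo sh adblock-fw.sh gateway eth0 192.168.0.0/24
# With no mode the script only defines the functions (so it can be sourced).
mode=${1:-}
if [ $# -gt 0 ]; then shift; fi
case "$mode" in
    print-local)   local_rules "$@" ;;
    print-gateway) gateway_rules "${1:-eth0}" "${2:-192.168.0.0/24}" ;;
    local)         local_rules "$@" | apply_rules ;;
    gateway)       gateway_rules "${1:-eth0}" "${2:-192.168.0.0/24}" | apply_rules ;;
    *)             ;;
esac
```

Review the print-* output before running a mode that applies it: the rules are inserted with -I, so running the script twice stacks duplicate redirects at the top of the chain, and iptables-save then persists the duplicates too. On a gateway, pass the real LAN interface and prefix rather than relying on the defaults.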