Small home firewall with ad blocker and Tor tunnel
Note: this is already a bit older and is based on the Raspbian Stretch image.
A new version is in progress.
raspberry pi as home firewall with basic privacy enhancements
-------------------------------------------------------------
the device is intended to work behind your provider's internet router and will
provide *basic* protection from tracking, ads and eavesdropping on/filtering of
your dns and http requests, plus a very basic firewall ruleset. it just needs
to be connected to your provider's router via ethernet. you may then connect
via wifi or (optionally) ethernet to the network it provides.
please keep in mind that you still need additional measures to achieve a
reasonable level of protection and privacy on the net. these include
- a fully patched client device (regardless of which os you use; update as often as possible)
- consider using virtualbox or kvm/qemu to install a dedicated linux vm for web browsing
- if you want to use email, get a dedicated mail account (protonmail for example) for web activities
- consider using pgp for sensitive communication (private email)
- you may restrict exit nodes to a few you consider trusted (https://2019.www.torproject.org/docs/tor-manual.html.en)
- don't use social networks like facebook
- don't use google for searching
- you may want to use other forwarders. see https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
attention: this is just a kind of braindump and the config is not complete in any way.
but basically, this setup is tested and works.
attention, once again: it does not work without modifications with buster-based raspbian releases!
also, there is intentionally no admin interface except the one pihole supplies.
use the command line! ;)
needed hardware:
- raspberry pi 3 b+ (+case +power supply)
- micro sdcard (4G should be enough, but speed matters)
optional, if ethernet is needed on the internal network:
- usb ethernet adapter (i used a linksys usb 3 gigabit device)
- ethernet switch
for configuration:
- a hdmi capable display device (or appropriate adapter)
- a usb keyboard
flash latest raspbian (this guide is based on the stretch image) to sdcard and plug it into your raspi.
after booting up, change the password and configure the system using sudo raspi-config:
- enable ssh server
- set location and timezone
- set wifi country
install software:
-----------------
sudo apt-get update
sudo apt-get -y dist-upgrade (reboot)
sudo apt-get -y install unbound dnsutils ferm hostapd ethtool bridge-utils tor
sudo apt-get remove dhcpcd5
optional: rename interfaces
---------------------------
- create a link file in /etc/systemd/network/ for every ethernet interface
- content :
[Match]
MACAddress=00:11:22:33:44:55 (mac address of ethernet device)
[Link]
Name=eth0
- create /etc/systemd/network/99-default.link
- content:
[Link]
NamePolicy=kernel database onboard slot path
MACAddressPolicy=persistent
- see https://www.freedesktop.org/software/systemd/man/systemd.link.html
configure bridge (if ethernet is needed)
----------------------------------------
sudo brctl addbr br0
sudo brctl addif br0 eth1
note: you don't have to configure the bridge if you don't use ethernet on the internal side.
but then you will have to replace br0 with wlan0 in the interfaces, pihole, hostapd and firewall configuration
configure interfaces (/etc/network/interfaces):
-----------------------------------------------
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
dns-nameserver 127.0.0.1
auto br0
iface br0 inet static
address 192.168.0.1
netmask 255.255.255.0
bridge_ports eth1 wlan0
enable forwarding (/etc/sysctl.conf):
-------------------------------------
net.ipv4.ip_forward = 1
configure firewall (/etc/ferm/ferm.conf):
-----------------------------------------
@def $INT_NET = ( 192.168.0.0/24 );
@def $INT_IP = ( 192.168.0.1 );
@def $INT_IF = ( br0 );
@def $EXT_IF = ( eth0 );
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# respond to ping
proto icmp ACCEPT;
# allow dhcp
interface $INT_IF proto udp dport ( 67 68 ) ACCEPT;
# allow access from internal net
interface $INT_IF saddr $INT_NET ACCEPT;
# default deny
proto ( tcp udp ) REJECT;
}
chain OUTPUT {
policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# internal network to internet
interface $INT_IF saddr $INT_NET ACCEPT;
# default deny
proto ( tcp udp icmp ) REJECT;
}
}
table nat {
chain PREROUTING {
interface $INT_IF saddr ( $INT_NET ) daddr $INT_IP proto tcp dport 80 REDIRECT to-ports 80;
interface $INT_IF saddr ( $INT_NET ) proto tcp dport ( 80 443 ) REDIRECT to-ports 9040;
}
chain POSTROUTING {
saddr ( $INT_NET ) outerface $EXT_IF MASQUERADE;
}
}
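to see what the ruleset above actually does to a packet, here is a small python model of it (an added example, not part of this guide). it mirrors the @def values from ferm.conf; EXT_IP and the sample addresses are constructed placeholders. it makes the effect of the two REDIRECT rules explicit: only tcp to ports 80 and 443 from the internal net is bent to tor's TransPort, while everything else (udp, other tcp ports, icmp) is plainly masqueraded to the provider, so a client with a hard-coded external dns server bypasses pi-hole and unbound entirely.

```python
from ipaddress import ip_address, ip_network

# values mirror the @def lines in ferm.conf; EXT_IP is a constructed
# placeholder for the address eth0 gets from the provider's router via dhcp
INT_NET = ip_network("192.168.0.0/24")
INT_IP = "192.168.0.1"
EXT_IP = "203.0.113.7"
INT_IF, EXT_IF = "br0", "eth0"
TOR_TRANSPORT = 9040
# destinations the kernel delivers locally (-> INPUT) instead of forwarding
LOCAL_IPS = {INT_IP, EXT_IP, "255.255.255.255", "127.0.0.1"}


def classify(iface, saddr, daddr, proto, dport=None):
    """Verdict for a new (not yet conntracked) packet, in netfilter order:
    nat PREROUTING first, then routing picks filter INPUT or filter FORWARD."""
    from_internal = iface == INT_IF and ip_address(saddr) in INT_NET
    # nat PREROUTING: only tcp arriving on br0 from the internal net is touched
    if from_internal and proto == "tcp":
        if daddr == INT_IP and dport == 80:
            pass  # rule 1: pi-hole web ui stays local (REDIRECT to-ports 80 is a no-op)
        elif dport in (80, 443):
            daddr, dport = INT_IP, TOR_TRANSPORT  # rule 2: web traffic -> tor TransPort
    # routing decision
    if daddr in LOCAL_IPS:
        # filter INPUT, rules in the order of ferm.conf
        if iface == "lo" or proto == "icmp":
            return "INPUT accept"
        if iface == INT_IF and proto == "udp" and dport in (67, 68):
            return "INPUT accept (dhcp)"
        if from_internal:
            if dport == TOR_TRANSPORT:
                return "INPUT accept (tor transparent proxy)"
            return f"INPUT accept ({proto}/{dport} on firewall)"
        return "INPUT reject"  # tcp/udp hit REJECT, anything else the DROP policy
    # filter FORWARD, then nat POSTROUTING masquerades it out of eth0
    if from_internal:
        return f"FORWARD masquerade via {EXT_IF} (not torified)"
    return "FORWARD reject"
```

the interesting case is classify("br0", "192.168.0.23", "8.8.8.8", "udp", 53): a client that ignores the dhcp-supplied resolver talks to the outside resolver in the clear, with neither pi-hole nor unbound nor tor in the path.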
configure hostapd (/etc/hostapd/hostapd.conf):
----------------------------------------------
interface=wlan0
country_code=[code]
driver=nl80211
bridge=br0
ssid=[ssid]
hw_mode=a
channel=36
wmm_enabled=0
wpa=2
wpa_passphrase=[passphrase]
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0
ignore_broadcast_ssid=0
/etc/default/hostapd:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
configure unbound (/etc/unbound/unbound.conf.d/caching.conf):
-------------------------------------------------------------
server:
access-control: 127.0.0.0/8 allow
interface: 127.0.0.1
port: 1053
hide-identity: yes
hide-version: yes
minimal-responses: yes
do-tcp: yes
do-ip6: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
ssl-upstream: yes
use-caps-for-id: yes
forward-zone:
name: "."
forward-addr: 9.9.9.9@853 # quad9.net primary
forward-addr: 1.1.1.1@853 # cloudflare primary
forward-addr: 149.112.112.112@853 # quad9.net secondary
forward-addr: 1.0.0.1@853 # cloudflare secondary
install pi-hole
---------------
sudo curl -sSL https://install.pi-hole.net | bash
configure dnsmasq (/etc/dnsmasq.conf):
--------------------------------------
except-interface=eth0
bind-interfaces
conf-dir=/etc/dnsmasq.d
configure pi-hole
-----------------
- use pihole -r -> configure
- configure br0 as listening interface
- set pihole admin console password: pihole -a -p
- log in to the pihole admin console (http://192.168.0.1/admin)
- configure dns server: settings -> dns -> custom -> 127.0.0.1#1053
- configure dhcp: settings -> dhcp -> enabled
optional:
- disable logging: settings -> system -> disable query logging
- set paranoid mode: settings -> privacy
- activate DNSSEC: settings -> Use DNSSEC
configure tor (/etc/tor/torrc)
------------------------------
Log notice file /var/log/tor/tor-notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.0.1