abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Pass all traffic between two NICs

Mon Dec 03, 2012 4:35 pm

I've added a second NIC to my pi and would like to use it as an internet filter. It will sit between my ISP's ultra powerful (if we hadn't removed all its features before giving it to you) router, and the router I bought that is actually useful. I would like for it to blindly pass all traffic that isn't web browser stuff from one NIC to the next and let my router's firewall handle all that jazz, but I'm not sure if such a thing would be possible. I guess what I'm thinking is for it to grab HTTP traffic and set up a DMZ to handle all the other stuff. That would keep it secure (as any attempt to directly communicate with it would be sent to the DMZ of my secure router) while still letting it filter web traffic.

Is that something iptables can do? I confess I'm not overly familiar with how to use iptables. Honestly if there was a web interface I could make use of to look at iptables as if it were a router I would not mind going the lazy route :lol:

It would appear I've come to a bit of a solution while writing this post, but I'd still appreciate feedback :-)
Dear forum: Play nice ;-)

JustThisGuy
Posts: 114
Joined: Thu Jan 05, 2012 11:22 pm

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 1:02 am

You need to look at Firewall Builder. http://www.fwbuilder.org/index.html

I've used it before, and to set up what you're talking about would be fairly simple.
Any conversation about a sufficiently complex subject is indistinguishable from babble.

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 4:20 am

I saw that one, but it looks like I have to enter the GUI to modify it. Ideally I won't have to modify it once I set it up, but I would like something with a little more flexibility. Also, I'd prefer not to have to enter a GUI on the pi itself to set it up or have it run (otherwise I'd use Firestarter).

I did some light research today and think that shorewall with webmin set up is a strong contender for what I'm looking for. It would provide an easy-to-use GUI via a web interface from another computer. This would let me easily adjust it as need be in the future, a simplified method of editing iptables, and frankly I think webmin is fairly cool anyway so it's win-win for me ;) Thanks though!
Dear forum: Play nice ;-)

poing
Posts: 1132
Joined: Thu Mar 08, 2012 3:32 pm

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 7:50 am

Why would the Pi have to process all the traffic? Simply attach both the Pi with the website and your own router to the ISP router, and use the firewall of your own router to guard your network. You won't need the second NIC then. And if you run MySQL for your website on the Pi, then put it behind your firewall on a different box/Pi, not on the exposed Pi; much more secure.

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 1:11 pm

The reason I want it to do everything is in order to do transparent web filtering that can't be bypassed. If I do a redirect based on port 80 and 443 then a simple change of the default port will be sufficient to bypass it. But if I put it in the middle and make everything go through it, then changing the port number will result in the loss of web browsing traffic.
Dear forum: Play nice ;-)

gordon@drogon.net
Posts: 2023
Joined: Tue Feb 07, 2012 2:14 pm
Location: Devon, UK
Contact: Website Twitter

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 2:18 pm

abishur wrote:The reason I want it to do everything is in order to do transparent web filtering that can't be bypassed. If I do a redirect based on port 80 and 443 then a simple change of the default port will be sufficient to bypass it. But if I put it in the middle and make everything go through it, then changing the port number will result in the loss of web browsing traffic.
If you want to make the Pi a transparent filter between 2 routers, then this is very possible. You don't route, but you switch. Look up bridges (brctl, etc.). You take the 2 Ethernet ports and turn them into a bridge - which is effectively a 2-port Ethernet switch. Then you can filter traffic using the normal iptables and so on bound to the interfaces - you don't even need to assign an IP address to each interface (in fact you can't), but you can assign an IP address to the bridge interface - if needed.

However... You can't readily intercept https/port 443 traffic. You can check the IP target address, but not the URL (because that's encrypted) - not unless you force a new client certificate on all clients, and that then gets tricky.

Personally, I'm not sure the Pi is the right tool for this job - while Linux handles this trivially, the Pi's hardware is somewhat limited - One USB interface and it's half duplex - I fear that even with moderate Internet speeds the Pi might well become a bottleneck to the whole process...

-Gordon
--
Gordons projects: https://projects.drogon.net/
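A minimal version of the bridge setup Gordon describes, added here as an example (it is not code from any poster): eth0 and eth1 become ports of bridge br0, and iptables rules on the FORWARD chain tell the two ports apart with the physdev match. The interface names, the bridge name and the use of the conntrack match are assumptions.

```shell
# Added example: transparent two-port bridge with iptables filtering.
# Assumed names: eth0 toward the ISP router, eth1 toward the home router, bridge br0.
# Every tool is taken from a variable so the functions can be dry-run
# (e.g. IPT=echo BRCTL=echo IP=echo SYSCTL=echo) without touching the system.
IPT=${IPT:-iptables}
BRCTL=${BRCTL:-brctl}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}
BRIDGE=${BRIDGE:-br0}
WAN_IF=${WAN_IF:-eth0}    # ISP side
LAN_IF=${LAN_IF:-eth1}    # home router side

make_bridge() {
    # the two Ethernet ports become members of br0, i.e. a 2-port switch
    $BRCTL addbr "$BRIDGE"
    $BRCTL addif "$BRIDGE" "$WAN_IF"
    $BRCTL addif "$BRIDGE" "$LAN_IF"
    # member ports carry no IP address of their own; just bring everything up
    $IP link set "$WAN_IF" up
    $IP link set "$LAN_IF" up
    $IP link set "$BRIDGE" up
    # without this sysctl, frames switched by the bridge never reach iptables at all
    $SYSCTL -w net.bridge.bridge-nf-call-iptables=1
}

filter_rules() {
    # switched frames traverse the FORWARD chain; physdev identifies the bridge port
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # everything originating on the home network is allowed out
    $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" -j ACCEPT
    # unsolicited connections from the ISP side are dropped here, before they
    # reach the home router (which still runs its own firewall behind this)
    $IPT -A FORWARD -m physdev --physdev-in "$WAN_IF" -m conntrack --ctstate NEW -j DROP
    # the Pi itself accepts nothing new arriving on the ISP port either
    $IPT -A INPUT -m physdev --physdev-in "$WAN_IF" -m conntrack --ctstate NEW -j DROP
}

# Usage (as root): make_bridge; filter_rules
# Redirecting port 80 from a bridge into a local proxy additionally needs an IP
# address on br0 and an ebtables BROUTING rule; that part is not shown here.
```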

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Tue Dec 04, 2012 7:34 pm

gordon@drogon.net wrote:
abishur wrote:The reason I want it to do everything is in order to do transparent web filtering that can't be bypassed. If I do a redirect based on port 80 and 443 then a simple change of the default port will be sufficient to bypass it. But if I put it in the middle and make everything go through it, then changing the port number will result in the loss of web browsing traffic.
If you want to make the Pi a transparent filter between 2 routers, then this is very possible. You don't route, but you switch. Look up bridges (brctl, etc.). You take the 2 Ethernet ports and turn them into a bridge - which is effectively a 2-port Ethernet switch. Then you can filter traffic using the normal iptables and so on bound to the interfaces - you don't even need to assign an IP address to each interface (in fact you can't), but you can assign an IP address to the bridge interface - if needed.

However... You can't readily intercept https/port 443 traffic. You can check the IP target address, but not the URL (because that's encrypted) - not unless you force a new client certificate on all clients, and that then gets tricky.

Personally, I'm not sure the Pi is the right tool for this job - while Linux handles this trivially, the Pi's hardware is somewhat limited - One USB interface and it's half duplex - I fear that even with moderate Internet speeds the Pi might well become a bottleneck to the whole process...

-Gordon
On the https thing, I thought in the past I had done this with squid/dansguardian, but it was probably just making sure traffic over 443 was actually secure and denying it if it wasn't. It might have also been providing a method for url blocking of proxy bypass sites.

I'm not worried about internet speeds. This won't be affecting internal network traffic just regular web traffic. I live in the United States and as such have to endure some of the worst cost to bandwidth ratios in the world (thank you US government for breaking up the phone companies with those anti-trust laws only to turn around and pay them billions to "upgrade their infrastructure" which meant buy back all those little companies back into one giant company... but I digress), which means I'm doing something like 15/5 Mbps and paying outrageous amounts of money to do so. So even if I was maxing this out I'm looking at 20 Mbps. Let's say that since I'm doing duplex over 2 devices I actually end up decreasing the total speed by 8 so 480 divided by 8 is still 60 Mbps.

Theoretical bits aside, my initial testing seems to be going well. I haven't set up the web filter yet, but raw data throughput is just fine. I do agree with your basic principle though, and I would much prefer a magical device that would let me hook an ethernet jack up to one of the high speed interfaces of the pi rather than add a second USB to ethernet adapter. Of course, the random devices I've seen that make use of a secondary interface on other boards tend to be rather prohibitively expensive, and usually not very fast.
Dear forum: Play nice ;-)

ElWilliaM
Posts: 16
Joined: Tue Jan 15, 2013 8:50 pm
Location: A westerly corner of canuck-land

Re: Pass all traffic between two NICs

Wed Feb 27, 2013 3:37 pm

@abishur, have you checked out webmin? The stock webmin from the Raspbian repositories includes a beautiful web interface for controlling iptables. I think it is easier to use and more powerful than any other Linux firewall tool I've used. Just install webmin, log into your Pi from a web browser over https on port 10000, click on the network heading in the pane on the left-hand side of the page, and click Linux Firewall. There are webmin modules for dansguardian and squid too. I have my Pi in router configuration transparently intercepting and filtering all http traffic that goes through it. You could probably set it up as an ethernet bridge too, but I thought the IPTables stuff was simpler in router mode. I actually have made a completely web-administrable internet filtering router out of my Pi using webmin, and I think my internet is actually faster now. (the squid-cache helps. btw, You think YOU have bad internet?!? Western Canada has better internet than eastern Canada: mine is 9mbps down, 500kbps up) :x

Cloudcentric
Posts: 982
Joined: Fri Sep 14, 2012 9:13 am

Re: Pass all traffic between two NICs

Wed Feb 27, 2013 3:48 pm

Webmin is not in the repositories; it has to be installed manually: http://www.webmin.com/deb.html
"I know everything about nothing"

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Wed Feb 27, 2013 4:17 pm

ElWilliaM wrote: I actually have made a completely web-administrable internet filtering router out of my Pi using webmin, and I think my internet is actually faster now. (the squid-cache helps. btw, You think YOU have bad internet?!? Western Canada has better internet than eastern Canada: mine is 9mbps down, 500kbps up) :x
I'd be very interested in what software you ended up going with to do the web-administrable filtering. This project got bumped down the totem pole of priorities for me I fear (the pi I was using was repurposed for a sprinkler controller :-P ), but it's still something I am *immensely* interested in.

Ouch about the internet! I fully admit that there are worse speeds out there, it's just a bit of a soap box issue for me since we literally dumped all this money into upgrading the infrastructure and have even levied a tax for its ongoing maintenance, but it was largely misappropriated. See? It's definitely a soap box issue for me :lol:
Dear forum: Play nice ;-)

ElWilliaM
Posts: 16
Joined: Tue Jan 15, 2013 8:50 pm
Location: A westerly corner of canuck-land

Re: Pass all traffic between two NICs

Wed Feb 27, 2013 5:35 pm

Webmin is not in the repositories; it has to be installed manually: http://www.webmin.com/deb.html
Oops, my bad about the repositories, I did get webmin from the webmin site, not the raspbian repository. :oops:
The dansguardian webmin module comes from the dansguardian-webmin project on sourceforge.

I hope this helps out. I created my setup for small schools and homes that need full-network filtering but cannot afford, and do not need, more powerful products such as Smoothwall Guardian. As all this is a little complicated to do, I created a pre-configured web-managed Pi image with non-Linux techs in mind. I don't have any web hosting services at my disposal, however, so if someone wants me to send them my image so they can make it available online, that would be great. For those of us with the technical skills, however, here's how I did it.

My Pi is a Model B, I am using an 8 GB class 10 SDHC card, and a trendnet USB ethernet adapter from amazon.com - I haven't got wifi on it, as I have a good Wifi Access Point already, and it would be more complicated to set up with wifi.

For Firewall, I used IPTables; Proxy, squid; Filtering, dansguardian; DHCP and DNS, dnsmasq; Web Administration, webmin (www.webmin.com), and dansguardian-webmin (sourceforge.net/projects/dgwebminmodule/)

Network configuration: The builtin ethernet port is my external interface (eth0). The USB port is my internal interface (eth1). eth0 is dhcp. Eth1 is static, IP address 10.0.3.1 netmask 255.255.255.0 - no default gateway!!! I had set the default gateway on the internal interface to itself, but the computer made that the default route instead of the gateway gotten by dhcp on the external interface, so DO NOT set a default gateway on eth1!!!

dnsmasq configuration: I set dnsmasq to forward upstream requests to OpenDNS nameservers, and ignore the nameservers gotten by DHCP. I then linked my network location with an account on OpenDNS. This way website filtering gets done even on https requests. The DHCP server on dnsmasq is set to only serve eth1 (10.0.3.1) and serves address range 10.0.3.14 - 10.0.3.254, leaving 10.0.3.2 - 10.0.3.13 open for static IP addressing.

Filter - dansguardian should work with its standard settings, listen on port 8080, connect to squid on port 3128, no authentication. Filtering can be set up from the web interface once the dansguardian-webmin module is installed into webmin. As OpenDNS does not filter advertisements, I imported the ads category from shalla's lists (shalla.de) which are free for noncommercial use.

Proxy - squid with standard settings (no authentication), but change the line
http_port 3128

to

http_port 3128 transparent

This allows squid to act as a transparent proxy. Also, it would be a good idea to let squid cache webpages. I'm on an 8 gig SDCard, and I'm using a 4 gig squid-cache, so in squid.conf:

cache_dir ufs /var/spool/squid 4000 16 256

This initializes a 4000 MB web cache in /var/spool/squid.

Finally, set squid to use dnsmasq on localhost as the nameserver rather than the nameservers in resolv.conf gotten from dhcp.

dns_nameservers 127.0.0.1

Firewall: IPTables configured via Webmin
In the "filter" table in IPTables - webmin I set the firewall to block all incoming connections from the external network (eth0) except those related to existing connections and only accept new connections from eth1 on certain ports e.g. 110 for POP3. I set IPTables to allow all new connections originating on the loopback interface (lo) and to allow connections to the Pi from the internal network. In the "nat" table's "PREROUTING" section I set it to do Destination NAT (DNAT) on incoming connections on port 80 and redirect them to port 8080 on the Pi, thus redirecting all http requests through dansguardian and squid. I also set it to redirect all requests on port 53 to port 53 on the Pi, to send all DNS requests through dnsmasq on the Pi, and hence through the OpenDNS servers.
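The filter and nat rules ElWilliaM describes, written out as a script. This is an added example, not the poster's exported Webmin configuration: it uses the interfaces, addresses and ports given in the post (eth0 external, eth1 internal at 10.0.3.1, dansguardian on 8080), while the list of permitted outbound ports, the MASQUERADE rule and the ip_forward setting are assumptions needed for a working router.

```shell
# Added example: router-mode firewall for a transparent dansguardian/squid filter.
# Values from the post: eth0 = external (DHCP), eth1 = internal 10.0.3.1/24,
# dansguardian on port 8080, dnsmasq on port 53.
# Assumed: the outbound port list, MASQUERADE on eth0 and ip_forward=1.
# Override IPT / SYSCTL (e.g. IPT=echo) to print the commands instead of applying them.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
EXT=${EXT:-eth0}
INT=${INT:-eth1}
PI_INT=${PI_INT:-10.0.3.1}
FILTER_PORT=${FILTER_PORT:-8080}           # dansguardian listens here, talks to squid on 3128
OUT_TCP=${OUT_TCP:-"21 25 110 143 443"}    # FTP SMTP POP3 IMAP HTTPS (assumed list)

reset_tables() {
    for t in filter nat; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
}

filter_table() {
    # block everything by default; the external side only ever gets replies
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # anything from loopback, and anything from the internal network to the Pi itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT" -j ACCEPT
    # internal hosts may open new connections outward only on the listed ports;
    # port 80 never needs a FORWARD rule because the nat table hands it to the Pi
    for p in $OUT_TCP; do
        $IPT -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
}

nat_table() {
    # transparent proxy: LAN traffic to port 80 is DNATed to dansguardian on the Pi
    $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 80 -j DNAT --to-destination "$PI_INT:$FILTER_PORT"
    # every DNS query from the LAN is answered by dnsmasq on the Pi (and so by OpenDNS)
    $IPT -t nat -A PREROUTING -i "$INT" -p udp --dport 53 -j REDIRECT --to-ports 53
    $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 53 -j REDIRECT --to-ports 53
    # (assumption) the Pi is the LAN's default gateway, so outbound traffic is masqueraded
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

apply_firewall() {
    $SYSCTL -w net.ipv4.ip_forward=1
    reset_tables
    filter_table
    nat_table
}
# Usage (as root): apply_firewall
```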

squidvid
Posts: 4
Joined: Sat Apr 06, 2013 6:04 pm

Re: Pass all traffic between two NICs

Sat Apr 06, 2013 6:08 pm

I created a pre-configured web-managed Pi image with non-linux tech's in mind. I don't have any web hosting services at my disposal, however, so if someone wants me to send them my image so they can make it available online, that would be great.

Did this Pi image get posted anywhere? I'd love to use it.

ElWilliaM
Posts: 16
Joined: Tue Jan 15, 2013 8:50 pm
Location: A westerly corner of canuck-land

Re: Pass all traffic between two NICs

Mon Apr 08, 2013 3:38 am

My Pi image acts as a network router with transparent squid-caching, dansguardian content filtering, and connection to the OpenDNS filtered DNS service.
OK, I posted my Raspberry Guardian image to dropbox:

https://www.dropbox.com/s/uq4ezoq2hurn6 ... ha2.img.7z

A quick tutorial:
1. You will need: Your Raspberry Pi, an 8 GB SDCard, and a USB Network Interface Card (NIC)
2. Decompress the image using 7zip and put it on your SDCard your favourite way. I use dd. Load the SDCard in the Pi's SDCard slot.
3. Attach the USB network adapter to your Pi. This will be your internal interface.
4. Connect your wifi router's or switch's uplink port to the USB network adapter's port with a patch cable.
5. Attach the ethernet cable from your cable/dsl/satellite/other broadband modem or router to the Pi's builtin network jack.
6. Power your Pi on! Give it about 5 minutes to start (to be safe) and you are connected.
7. Go to http://www.opendns.com create a home DNS account, link it to your network, and set it to filter according to the categories you want.
8. To test that the pi's filtering is working, try accessing http://www.raspberryguardiantest.net It should bring up a big yellow "Access Denied" sign. (Note, that is not a real website.)
9. The Pi's settings are available via Webmin: the configuration can only be accessed from the internal interface. The configuration url is: https://raspberrypi.raspberry.pi:10000
10. Log in to webmin on the Pi using the default username of pi and password of raspberry. You can change settings related to the firewall, squid-cache, dansguardian filter, and the pi in general from here, as well as access a text login. You can also ssh login to the pi from inside its network. Have fun!

A few things to know about this pi image:
I use OpenDNS to check website names to take some load off the Pi. You will need an OpenDNS account linked to your location's IP address to take advantage of this.
The image itself is compressed with 7zip, decompress the .img BEFORE putting it on your SDCard.
It is designed for an 8 Gigabyte SDCard, to give plenty of room for a large Squid-cache; with a smaller cache the image could easily be resized to fit on a 2 GB SDCard.
It requires 2 network interfaces to be attached to your Pi. I got mine from Amazon:

http://www.amazon.com/TRENDnet-USB-100M ... sb+network

It would require a little tweaking to work with a wifi adapter as the internal interface, but I think it could be done.
My setup expects DHCP on the external interface and provides DHCP on the outgoing interface. The DHCP range provided by the Pi on the internal interface is 10.0.3.14 to 10.0.3.254, and the Pi sets its own address on the internal interface as 10.0.3.1.
The external interface is the pi's builtin port, and the internal interface is the USB adapter.
The firewall is super-strict by default, although this can be changed from webmin, and blocks all traffic not explicitly permitted. By default this is only POP3, IMAP, SMTP, HTTPS, FTP, google talk, and gmail.
The filter is pretty draconian by default. You might want to change its settings in the dansguardian webmin module.
One glaring deficiency is that I haven't set up an override yet for dansguardian to give a password to bypass the filter. Maybe when I have more time. :?
Also, while configuration via webmin does not require any great command line skill, it is pretty complicated. I don't advise complete non-techies to try using this pi set-up.
This thing is still pretty rough and unpolished, but hopefully it will be useful.

squidvid
Posts: 4
Joined: Sat Apr 06, 2013 6:04 pm

Re: Pass all traffic between two NICs

Tue Apr 09, 2013 5:09 pm

Hey I got it working! Very cool. The only thing is, I've got a 50mb internet connection and running it through the RPi cuts it down to around 20mb. Any suggestions what the next step up from an RPi would be? Meaning...small form factor and relatively inexpensive. I'm assuming if I had a more powerful box with 2 real nic cards it could handle the throughput.

ElWilliaM
Posts: 16
Joined: Tue Jan 15, 2013 8:50 pm
Location: A westerly corner of canuck-land

Re: Pass all traffic between two NICs

Sat Apr 13, 2013 4:10 am

Internet too fast for the Pi is not a problem in Western Canada. :) I'm glad to know its limitations, though. You probably could buy/build a system based on, say a pico ITX motherboard with a dual-core Intel Atom (tm), a gigabyte or two of DDR3 RAM, and a 64 GB SSD for storage, for around $200. This one on Amazon might be a good one to check out: http://www.amazon.com/Intel-D2500CCE-Mi ... rid_pt_0_0 Set it up the same way as the Pi image (check out the installed package lists and config files in /etc/) and you should have a pretty nice filter system.

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Sun Apr 14, 2013 1:49 pm

One possible workaround for the internet speed thing would be to only pass http traffic to the pi. It would require either a very expensive switch or one with modded firmware such as dd-wrt (I suppose you could lock the tools options in your internet browser and hard code it to use the pi as a proxy, but I like true transparent http filtering ;-) ), but if you only sent http traffic then it wouldn't matter if it got slightly throttled; generally speaking web browsing doesn't take excessive bandwidth (unless you have a larger office or dorm full of people). It's typically other internet activities that need an extra oomph :-)
Dear forum: Play nice ;-)

squidvid
Posts: 4
Joined: Sat Apr 06, 2013 6:04 pm

Re: Pass all traffic between two NICs

Thu Apr 18, 2013 3:02 pm

Thanks for the responses. I live in Austin where they just announced Google Fiber. Do you think there is any way to filter a connection that fast? Or is the speed of the rest of the internet slow enough that it won't matter? Thanks.

abishur
Posts: 4477
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
Contact: Website

Re: Pass all traffic between two NICs

Thu Apr 18, 2013 3:33 pm

squidvid wrote:Thanks for the responses. I live in Austin where they just announced Google Fiber. Do you think there is any way to filter a connection that fast? Or is the speed of the rest of the internet slow enough that it won't matter? Thanks.
I suppose it depends on which tier you get. I think the free internet is only 5 MBps which the pi can easily handle. As for the gigabit paid tiers... well it kinda goes back to whether it's possible to filter only http traffic or if you're doing the whole pipe! If it's the whole pipe I'm not aware of any low powered/low cost solution that could currently handle that *provided* you were in fact making full use of the connection. Most people don't make full use of their internet plan and end up paying for bandwidth they don't need. Techies tend to be on the other end of the spectrum and always need more :lol:
Dear forum: Play nice ;-)

grovep
Posts: 10
Joined: Sun Oct 21, 2012 8:32 pm

Re: Pass all traffic between two NICs

Sun Jul 28, 2013 2:16 pm

Hi, I am trying to set up a type of simple captive portal between 2 routers. This is not for public Wi-Fi access but to control kids on the home network. Currently I have an ADSL router connected to the internet; the Wi-Fi is turned off on this router and the only items that are connected are (1) a cable router (connected LAN to LAN side at the moment), (2) VoIP phones and (3) work laptop. So all the home computers, be they smart phones, tablets or PCs, are connected either via Ethernet or Wi-Fi to the cable router. Currently the ADSL router manages DHCP and the WAN side of the cable router is not connected. What I am wanting to do is to put a Pi between the 2 routers and let all internet traffic pass through the pi. If an adult is requesting a web page (perhaps identified by cookie?) then the session is authenticated and this traffic can also pass. If the kids or someone unidentified is requesting internet then they have to authenticate by doing a load of maths or other questions or entering a password to authenticate. If using the password route then they are authenticated for that session. If they complete the maths questions then they are authenticated for 1 Hr, when they have to repeat authentication. Is all clear? I hope so.
I think I can manage the html/php programming side but need some help/pointers on the networking/firewall/captive portal side.
I see from this thread that speed should not be an issue (time will confirm)
I do not need to use the pi to do any filtering nor connecting to OpenDNS – I already use this and my ADSL router is configured to use their service
Should I connect to wan port on cable router and enable dhcp on this router or the pi?
Do I need squid? Or dnsmasq?
I have successfully installed webmin and have bridged eth0 and eth1. Not quite sure where to go next
Any other suggestions/comments?
Thanks
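One way to build the time-limited authorisation grovep asks about, added here as an example (not the poster's code): unauthenticated clients on the inside interface have their port-80 requests redirected to a login/quiz page on the Pi and everything else forwarded for them is dropped, so changing a port number does not get around it; a client that passes the quiz or enters the password is allowed through by MAC address for a number of seconds, and a cron job removes expired entries. It assumes the Pi routes between eth1 (inside, Pi at 10.0.3.1) and eth0 (ADSL router side) instead of bridging, that the portal page is served on the Pi on port 8000, and that leases are kept in a plain text file; all of those are assumptions.

```shell
# Added example: minimal MAC-based captive portal in iptables (router mode).
# Assumed: eth1 = inside (Pi is 10.0.3.1), eth0 = toward the ADSL router,
# login/quiz page on the Pi at port 8000, leases kept in $LEASES as "mac expiry_epoch".
# Override IPT (e.g. IPT=echo) for a dry run; set NOW to fix the clock when testing.
# Note: a MAC address can be copied from an authorised device, so this is a
# convenience gate for a household, not strong access control.
IPT=${IPT:-iptables}
INT=${INT:-eth1}
EXT=${EXT:-eth0}
PORTAL_PORT=${PORTAL_PORT:-8000}
LEASES=${LEASES:-/var/lib/portal/leases}

now() { echo "${NOW:-$(date +%s)}"; }

portal_rules() {
    # PORTAL_AUTH holds one ACCEPT rule per authorised MAC, in the nat and filter tables
    $IPT -t nat -N PORTAL_AUTH
    $IPT -N PORTAL_AUTH
    # nat: authorised clients skip the redirect; everyone else's port 80 lands on the portal
    $IPT -t nat -A PREROUTING -i "$INT" -j PORTAL_AUTH
    $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # filter: the portal page itself must be reachable from inside
    $IPT -A INPUT -i "$INT" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    # forwarding: replies first, DNS for everyone (a browser has to resolve a name
    # before it sends the request that gets redirected), then authorised MACs only.
    # HTTPS from an unauthenticated client is simply dropped; it cannot be redirected.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT" -j PORTAL_AUTH
    $IPT -A FORWARD -i "$INT" -j DROP
}

# usage: authorize_client <mac> <seconds>   e.g. 3600 after the maths quiz
authorize_client() {
    mac=$1; ttl=$2
    expiry=$(( $(now) + ttl ))
    $IPT -t nat -I PORTAL_AUTH -m mac --mac-source "$mac" -j ACCEPT
    $IPT -I PORTAL_AUTH -m mac --mac-source "$mac" -j ACCEPT
    printf '%s %s\n' "$mac" "$expiry" >> "$LEASES"
}

# run from cron every minute: drop the rules of every lease that has ended
expire_clients() {
    t=$(now)
    tmp="$LEASES.tmp"
    : > "$tmp"
    while read -r mac expiry; do
        if [ "$expiry" -le "$t" ]; then
            $IPT -t nat -D PORTAL_AUTH -m mac --mac-source "$mac" -j ACCEPT
            $IPT -D PORTAL_AUTH -m mac --mac-source "$mac" -j ACCEPT
        else
            printf '%s %s\n' "$mac" "$expiry" >> "$tmp"
        fi
    done < "$LEASES"
    mv "$tmp" "$LEASES"
}
```

The web page that checks the quiz or password would call authorize_client with the client's MAC (taken from the ARP table for the requesting IP) and either 3600 or a longer session length.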
