kev1807
Posts: 4
Joined: Fri Mar 21, 2014 5:32 pm

RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 6:17 pm

Hi everyone,

I'm new to the Raspberry Pi scene and I have some interesting ideas.
I'm not only new to the Raspberry Pi scene, but also relatively new to Linux, so I may ask some dumb questions...

I don't know exactly how complicated this is, but I think it is achievable, even for a noob like me. (I've been building all my PCs from scratch since I was 14 (I'm 23 now) and I have a basic knowledge about how things work (I mean, I'm not a typical Windows user ;-) ).)

I want my Pi as a firewall and a router and I have instructions for both.
I don't know whether I can make the Pi do both jobs at the same time.
I only have one computer connected to my network all the time and, from time to time, my smartphone and one or two notebooks (so it's not a big network).

I think I know too little about Linux and how Linux works to be sure about this:
Can I simply run the firewall script parallel to the router? Let's say from (I think) step 4 of the instruction I found on the net
(http://www.instructables.com/id/Raspber ... l/?lang=de)
I also think that the instruction for the Pi router (http://qcktech.blogspot.de/2012_08_01_archive.html) has some aspects in common with it. I think I should be able to run these in parallel, but what I don't get (and what's probably one of these dumb questions ;-) ): the second instruction also includes iptables, so I think the router would already have basic security. So is there really a need for a special firewall with this instruction, or can I simply add more iptables rules for additional security?

I also want to add remote access for the Pi (but this is not too complex, as the router instruction gives instructions on that, too) and a logfile (for which I would either use the SD card and read it out remotely with my PC, or my USB hard drive).

Here's what I think: step 11 of the firewall instruction (http://www.instructables.com/id/Raspber ... l/?lang=de) could be enough to add to the router instruction where it says:
For some additional security, let's add some more iptables rules:
sudo iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
sudo iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
sudo iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
sudo iptables -A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
sudo iptables -A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
sudo iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
sudo iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
This blocks access from RFC 1918 subnets on your internet (eth0) interface as well as ICMP (ping) packets and SSH connections.
This way I'd have the security from the firewall instruction and a (hopefully working) router.

Am I totally off the grid?
If so, do you have any ideas for achieving a router with a firewall using a single Pi?
And if so, I'd be glad if someone could give me a hint...

If the tip is: Don't do it as your first project, don't dare to tell me :-D


(edit/not part of the original post :-D)
Damn, I just forgot to add the things about the anonymous part:
I don't have a clue how to achieve this... I don't want a thing like the OnionPi, which doesn't work the way it should...
I think using a proxy for all my traffic would slow down my connection too much. Dunno whether there is an option to achieve this at all; if not... well, then I have to leave it out and go for the rest of my plan...

best wishes and thanks in advance,

Kevin :-)

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia

Re: RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 7:07 pm

Hi Kevin,
kev1807 wrote: I think I know too little about Linux and how Linux works
I'd warmly suggest that you spend some time and read the details about these two subjects (particularly about firewalls)...

I set up my first firewall on Linux back in 1999 and I remember spending 3 full days reading all kinds of FAQs and How-Tos and checking various things before even connecting the box to the internet (and I wasn't a Linux newbie by then). During testing I connected another computer to the external network card, tried this & that, monitored the behavior and read log files... Since then, I check the log files of the couple of firewalls I maintain EVERY DAY.

I'm writing this because setting up a firewall by quickly grabbing something from one web page and copying the content somewhere is not a very serious approach...
I'm aware that spending some time to gain a deeper understanding is not the spirit present around us nowadays. However, according to your questions, your RasPi has (at least) the potential to become a source of all kinds of spam. Think twice.
kev1807 wrote: Can I simply run the firewall script parallel to the router?
Yes.
kev1807 wrote: So is there really a need for a special firewall with this instruction, or can I simply add more iptables rules for additional security?
iptables rules are (sufficient) firewall rules. You don't need an additional firewall, just set the rules properly/sufficiently.
You can improve the firewall with some nice additional approaches (e.g. with ipset groups), but this is an advanced topic...

kev1807 wrote: For some additional security, let's add some more iptables rules:
sudo iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
These lines are just "warm water"...
kev1807 wrote: Am I totally off the grid?
No, it's a good start.
kev1807 wrote: And if so, I'd be glad if someone could give me a hint...
http://www.google.com
Don't get me wrong... these are very old subjects; you can find all kinds of information... just invest some time. People in this forum cannot give you more/better/deeper information.


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

kev1807
Posts: 4
Joined: Fri Mar 21, 2014 5:32 pm

Re: RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 8:45 pm

Hi Ivan,

First of all, thanks for the response.
FLYFISH TECHNOLOGIES wrote: I'd warmly suggest that you spend some time and read the details about these two subjects (particularly about firewalls)...
I expected an answer similar to this :-)
I'm currently reading almost everything on Linux and I have some articles on firewalls and routers left on my to-read list... (I don't expect the forum to take away the effort for this; it is MY project and I want to do most of the work...)

I do have a lot to do, I know.
FLYFISH TECHNOLOGIES wrote: I'm writing this because setting up a firewall by quickly grabbing something from one web page and copying the content somewhere is not a very serious approach...
Yepps, this would not be the ideal thing... :-)
FLYFISH TECHNOLOGIES wrote: I'm aware that spending some time to gain a deeper understanding is not the spirit present around us nowadays. However, according to your questions, your RasPi has (at least) the potential to become a source of all kinds of spam. Think twice.
Could you explain this a little further?
FLYFISH TECHNOLOGIES wrote: iptables rules are (sufficient) firewall rules. You don't need an additional firewall, just set the rules properly/sufficiently.
You can improve the firewall with some nice additional approaches (e.g. with ipset groups), but this is an advanced topic...
Okay, so my plan will probably work (at least some day :-) )
FLYFISH TECHNOLOGIES wrote: These lines are just "warm water"...
Meaning useless and may be left out?
FLYFISH TECHNOLOGIES wrote: http://www.google.com
Don't get me wrong... these are very old subjects; you can find all kinds of information... just invest some time. People in this forum cannot give you more/better/deeper information.
At least you didn't post this one: http://lmgtfy.com/ :-D

I think your answer is very good, not only giving a "don't do it" but very detailed information :-)
It's not demotivating, because you give hints and information :-)
Thanks again for that...

I'm a student, and I do not study a computing-related subject (I study history and English), but computers have been a hobby ever since. Maybe I don't have the best start, but I really love computers and most things connected to them. I'm switching from Win7 to Linux Mint Debian Edition and I have to say, I love it.
The Pi is the next mission! Another idea for my first Pi would be a media center, which is way easier to achieve :-D

thanks,
best wishes,
Kevin

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia

Re: RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 10:01 pm

Hi Kevin,
kev1807 wrote:
FLYFISH TECHNOLOGIES wrote: your RasPi has (at least) the potential to become a source of all kinds of spam.

Could you explain this a little further?

I'm surprised over and over again at how inventive the "bad guys" are... One option is that they hijack your RasPi and use it as a delivery boy. Another, less obvious, is that they don't have control over the RasPi, but use it as a bouncer: they send some valid (e.g. ping) or invalid query to you, and you reply (e.g. that the query is invalid). The trick is that they spoof the sender IP (the address is replaced with that of the attack target), which is where the response is sent. The frequency is typically high and you start bombing the target.
This is a very brief high-level description...

If you don't host any public service, then it is easy to prevent that on the firewall, but (sooner or later) you'll start hosting some services and you're going to be much more exposed.
Typically, there are issues when you'd like something new to work (web server, mail server, DNS, etc.) and the 1st attempt will most likely fail... you try this and that, change the configuration several times, spend a few hours and finally it starts to work... You have already spent much more time and energy than you planned... and the final step, properly aligning the protection, is skipped (who cares, it works). This is the main reason why I always underline the need to get a broader understanding as soon as somebody takes on the administrator role. Later on, everybody is focused on a particular task/issue.

kev1807 wrote:
FLYFISH TECHNOLOGIES wrote: These lines are just "warm water"...

Meaning useless and may be left out?
When you see lines like


sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
sudo iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
your warning light needs to start flashing.
This is the reason: the proper approach is to close everything on the firewall and then start opening what is needed. So, if the default policy is to drop (the proper one), then these two lines are redundant and should be removed in order to keep the content clean. On the other side, if the lines are needed due to a default accept policy (this must be avoided), then you need to reconsider your design and you should start from scratch.


Best wishes, Ivan Zilic.
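As an added example (not code from the thread or from either instruction Kevin linked), this is what "close everything, then open what is needed" looks like as a script for a single Pi doing router and firewall duty: default DROP policies first, then only the services the LAN needs, NAT for the LAN, and rate-limited logging of what gets dropped so the log file Kevin wants actually shows the scans Ivan mentions. The interface names (eth0 towards the internet, wlan0 towards the LAN) and the 192.168.42.0/24 subnet are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny iptables ruleset for
# a Pi acting as router + firewall, following the "close everything, then open
# what is needed" approach. Interface names and the LAN subnet are assumptions.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                     # assumed: interface towards the internet
LAN="${LAN:-wlan0}"                    # assumed: interface towards the home LAN
LAN_NET="${LAN_NET:-192.168.42.0/24}"  # assumed (constructed) LAN subnet

apply_firewall() {
    # Start from a clean slate.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default policies: drop anything not explicitly allowed. With these set,
    # extra "DROP port 22 / ICMP echo on eth0" rules are redundant.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the Pi or the LAN initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services the Pi offers to the LAN only (SSH, DHCP, DNS). Nothing is
    # opened on $WAN, so the internet side sees a closed box.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT

    # Routing: let LAN clients out and masquerade them behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Log (rate-limited) what the default policy is about to drop, so the
    # log file shows the scans mentioned above instead of silently dropping.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
}
# Dry-run check: succeeds only if no INPUT rule accepts traffic arriving on $WAN.
wan_is_closed() {
    ! (IPT=echo; apply_firewall) | grep -- "-A INPUT -i $WAN " | grep -q ACCEPT
}
if [ "${1:-}" = "--apply" ]; then apply_firewall; fi
```

Run it with `--apply` as root to load the rules, or with `IPT=echo` to review the generated rule list first; the rules are not persisted across reboots by this script.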

kev1807
Posts: 4
Joined: Fri Mar 21, 2014 5:32 pm

Re: RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 11:22 pm

FLYFISH TECHNOLOGIES wrote: ...that they hijack your RasPi and use it as a delivery boy. Another, less obvious, is that they don't have control over the RasPi, but use it as a bouncer: they send some valid (e.g. ping) or invalid query to you, and you reply (e.g. that the query is invalid). The trick is that they spoof the sender IP....
The frequency is typically high and you start bombing the target.
This is a very brief high-level description...
Very mean guys... >.<
So if one builds his own firewall, he has to take that into account and somehow deal with it...
As I'm planning to use the Pi as a router and a firewall, I'd assume a static IP would be the best way to get into trouble...
FLYFISH TECHNOLOGIES wrote:
If you don't host any public service, then it is easy to prevent that on the firewall, but (sooner or later) you'll start hosting some services and you're going to be much more exposed.

Are you able to read my mind, or is this the typical way?
I was already thinking of running a mail server, but I figured that too much stuff at one time may kill my enthusiasm if something doesn't work as I expected... :-D

FLYFISH TECHNOLOGIES wrote: who cares, it works
This kind of reminds me of my parents :-D

The broader understanding is, I think, very necessary: I begin to realize that if I want to do this the right way I really have a lot of reading to do...

FLYFISH TECHNOLOGIES wrote:
kev1807 wrote:
FLYFISH TECHNOLOGIES wrote: These lines are just "warm water"...

Meaning useless and may be left out?
When you see lines like


sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
sudo iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
your warning light needs to start flashing.

I take it these commands are like leaving the front door open when going on vacation.
You'd better open it only if you have to...
FLYFISH TECHNOLOGIES wrote: This is the reason: the proper approach is to close everything on the firewall and then start opening what is needed. So, if the default policy is to drop (the proper one), then these two lines are redundant and should be removed in order to keep the content clean.
You say that the instructor wrote code just for the code's sake? That's not nice for people starting to look into stuff like that, neglecting the "rule" fewer lines of code --> less time wasted...
FLYFISH TECHNOLOGIES wrote: On the other side, if the lines are needed due to a default accept policy (this must be avoided), then you need to reconsider your design and you should start from scratch.
The door and the vacation again....



As I understand you, you suggest to read, read (and read and read and read... :-D) before I set up the firewall by myself. (On which I agree, by the way; I was heavily misled by the instruction, which didn't seem too complex...)
(I just finished the article on ufw, to which I somehow was redirected :-D. It's quite interesting that in the Ubuntu wiki the article says that a desktop installation of Ubuntu doesn't need a firewall... (I am definitely used to Windows :-D) )

I get it:

Using ufw I get the standard deny-everything mode and build my rules that are supposed to prevent anything from doing harm to my PC (so I'd have to set up a rule for nearly everything...)

The ufw thing makes me wonder whether ufw can be used in the planned router/firewall project (which I think I have to postpone for now...). What I think I've learned from Linux now is that there is no reason why ufw should not work in the router/firewall project.


Adding to that, I think the project does not need to be called Router/Firewall, as the basic router would probably already come with ufw, which is supposed to be good enough for my needs... so the project would be no complex iptables rules, but ufw, which is easier to handle because of the English words.

I really appreciate your explanations and answers; they help me figure out that I'd be better off not starting a complex project like this right now... Thank you for the disillusion.
(I hope you don't take this as an insult, it's not meant that way; I'm really thankful for the conversation and the info you gave me :-) )

And now I'm going to bed, probably dreaming of iptables, RaspPis and parameters...

good night, thank you again,
Kevin

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia

Re: RaspberryPi as an anonymous Router with WiFi ability

Fri Mar 21, 2014 11:45 pm

Hi,
kev1807 wrote: So if one builds his own firewall, he has to take that into account and somehow deal with it...
There are also tools available which allow you to configure the firewall without actually typing rules line by line. Some people in this forum also prefer them... I like working with "source code" instead. ;-)
kev1807 wrote: I'd assume a static IP would be the best way to get into trouble...
You're not safe if you have a dynamic IP... all addresses are scanned all the time.
kev1807 wrote: As I understand you, you suggest to read, read (and read and read and read...
I don't need to add anything... ;-)


Take care, Ivan Zilic.
