home adblock router HOWTO

requirements

a debian installation
a root shell
two working network interfaces

architecture

ip	description
192.168.0.1	strange router
192.168.0.3	router (eth0)
192.168.1.3	router (eth1)
192.168.1.10 to 192.168.1.99	clients with static address
192.168.1.100 to 192.168.1.199	clients with dynamic address

local domain: nett

basics

file: /etc/network/interfaces

auto lo

# internet
iface lo inet loopback
iface eth0 inet static
	address 192.168.0.3
	network 192.168.0.0
	netmask 255.255.255.0
	broadcast 192.168.0.255
	gateway 192.168.0.1
#	dns-nameservers 127.0.0.1

# intranet
allow-hotplug eth1
iface eth1 inet static
	address 192.168.1.3
	network 192.168.1.0
	netmask 255.255.255.0
	broadcast 192.168.1.255

file: /etc/sysctl.d/network.conf

net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0

reboot the system

init 6

sshd

we don't want elliptic curve keys

rm /etc/ssh/ssh_host_ecdsa_key*

from the file /etc/ssh/sshd_config remove the line

HostKey /etc/ssh/ssh_host_ecdsa_key

on a root shell execute

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa -b 1024
/etc/init.d/ssh restart

firewall

file: /root/firewall.sh

#!/bin/bash

IPT=/sbin/iptables

PUBLIC_NET=192.168.0.0/24
PUBLIC_INTERFACE=eth0

PRIVATE_LAN_IP=192.168.1.3/32
PRIVATE_LAN_NET=192.168.1.0/24
PRIVATE_LAN_INTERFACE=eth1


# set policys
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# flush chains
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t filter -F

# allow established connections
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $PUBLIC_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $PRIVATE_LAN_INTERFACE -o $PUBLIC_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $PUBLIC_INTERFACE -o $PRIVATE_LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# setup loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# drop internal stuff from external interface
$IPT -A FORWARD -i $PUBLIC_INTERFACE -s $PRIVATE_LAN_NET -j DROP
$IPT -A INPUT -i $PUBLIC_INTERFACE -s $PRIVATE_LAN_NET -j DROP
$IPT -A FORWARD -i $PUBLIC_INTERFACE -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i $PUBLIC_INTERFACE -s 127.0.0.0/8 -j DROP
$IPT -A FORWARD -i $PUBLIC_INTERFACE -s $PRIVATE_LAN_IP -j DROP
$IPT -A INPUT -i $PUBLIC_INTERFACE -s $PRIVATE_LAN_IP -j DROP

# prevent hosts from connecting to internet
# e.x. printer
# $IPT -A FORWARD -i $PRIVATE_LAN_INTERFACE -o $PUBLIC_INTERFACE -s 192.168.1.11/32 -j REJECT

# allow ssh from internal
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# allow ssh from external (if you like to) 
# $IPT -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# $IPT -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# $IPT -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# allow apache2 from internal
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 80 -m state --state NEW -j REJECT
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 443 -m state --state NEW -j REJECT

# allow dhcp from internal
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p udp --dport 67 --sport 68 -m state --state NEW -j ACCEPT

# allow dns from internal
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p udp -s $PRIVATE_LAN_NET --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $PRIVATE_LAN_INTERFACE -p tcp -s $PRIVATE_LAN_NET --dport 53 -m state --state NEW -j ACCEPT

# add forward rules
$IPT -A FORWARD -t filter -s $PRIVATE_LAN_NET -i $PRIVATE_LAN_INTERFACE -o $PUBLIC_INTERFACE -m state --state NEW -j ACCEPT

# setup nat
$IPT -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE

on a shell execute

chmod +x /root/firewall.sh
/root/firewall.sh
iptables-save > /etc/iptables.up.rules

dns

edit your /etc/hosts

127.0.0.1	localhost

192.168.0.1	modem.nett
192.168.1.3	router.nett

192.168.1.10	server.nett
192.168.1.11	printer.nett

on a shell execute

apt-get install dnsmasq

file: /etc/dnsmasq.conf

no-hosts
addn-hosts=/etc/dnsmasq.hosts

file: /etc/resolv.conf

domain nett
search nett

# local dnsmasq
nameserver 192.168.1.3

# FoeBud
nameserver 85.214.20.141

# ccc
nameserver 213.73.91.35

execute on a shell

cp /etc/hosts /etc/dnsmasq.hosts
/etc/init.d/dnsmasq restart

dhcp

execute on a shell

apt-get install isc-dhcp-server

file: /etc/dhcp/dhcpd.conf

ddns-update-style none;
authoritative;

option domain-name "nett";
option domain-name-servers 192.168.1.3;

default-lease-time 86400;
max-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.199;
        option routers 192.168.1.3;
}

execute on a shell

/etc/init.d/isc-dhcp-server restart

apache (for adblocker)

execute on a shell

apt-get install apache2
rm /etc/apache2/sites-available/*
rm /etc/apache2/sites-enabled/*
echo -n "" > /var/www/index.html

file: /etc/apache2/sites-available/default

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Order allow,deny
                allow from all
                RewriteEngine on
                RewriteRule ^(.*)$ index.html
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

execute on a shell

a2enmod rewrite
a2ensite default
/etc/init.d/apache2 reload

adblocker

file: /root/generate.sh

#!/bin/bash

lists="
http://hosts-file.net/ad_servers.txt
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
http://winhelp2002.mvps.org/hosts.txt
https://adaway.org/hosts.txt
"

dnsmasq_hosts=/etc/dnsmasq.hosts
hosts=/etc/hosts
tmpfile=/tmp/dnsmasq.hosts
ip=192.168.1.3

rm $tmpfile 2> /dev/null

for list in $lists ; do
        wget -nv -O - $list | \
                sed -n '/^[[:space:]]*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*[[:space:]]*\([0-9a-z\.-]*\)[[:space:]]*$/p' | \
                sed 's/^[[:space:]]*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*[[:space:]]*\([0-9a-z\.-]*\)[[:space:]]*$/'$ip' \1/' >> \
                $tmpfile
done

cat $hosts > $dnsmasq_hosts
sort -u $tmpfile >> $dnsmasq_hosts

rm $tmpfile

/etc/init.d/dnsmasq restart

execute on a shell

chmod +x /root/generate.sh
/root/generate.sh

home adblock router HOWTO

requirements

architecture

basics

sshd

firewall

dns

dhcp

apache (for adblocker)

adblocker

done !