home adblock router HOWTO
requirements
a debian installation
a root shell
two working network interfaces
architecture
ip
description
192.168.0.1
strange router
192.168.0.3
router (eth0)
192.168.1.3
router (eth1)
192.168.1.10
to
192.168.1.99
clients with static address
192.168.1.100
to
192.168.1.199
clients with dynamic address
local domain: nett
basics
file: /etc/network/interfaces (as listed, eth0 has no auto or allow-hotplug line; check that it is actually brought up at boot)
auto lo

# internet
iface lo inet loopback

iface eth0 inet static
  address 192.168.0.3
  network 192.168.0.0
  netmask 255.255.255.0
  broadcast 192.168.0.255
  gateway 192.168.0.1
  # dns-nameservers 127.0.0.1

# intranet
allow-hotplug eth1
iface eth1 inet static
  address 192.168.1.3
  network 192.168.1.0
  netmask 255.255.255.0
  broadcast 192.168.1.255
file: /etc/sysctl.d/network.conf
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
reboot the system
# reboot so the new interface addresses and the sysctl settings take effect
init 6
sshd
we don't want elliptic curve keys (note that a 1024-bit dsa host key is weak, and ssh-dss is disabled by default in openssh 7.0 and later, so current clients will only ever use the rsa key anyway)
# drop the ecdsa host key pair; the HostKey line that points at it has to go
# too (next step) or sshd logs a "Could not load host key" error at start
rm /etc/ssh/ssh_host_ecdsa_key*
from the file /etc/ssh/sshd_config remove the line
HostKey /etc/ssh/ssh_host_ecdsa_key
on a root shell execute
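# regenerate the remaining host keys in place. without -f ssh-keygen writes a
# *user* key into ~/.ssh and leaves /etc/ssh/ssh_host_* untouched; -N '' keeps
# the keys passphrase-less so sshd can load them unattended.
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
# 1024 bits is the only size ssh-keygen accepts for dsa; ssh-dss is disabled by
# default in OpenSSH 7.0 and later clients, so the rsa key is the one that matters
ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
/etc/init.d/ssh restart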
firewall
file: /root/firewall.sh
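#!/bin/bash
# firewall for the home router: eth0 faces the upstream "strange router",
# eth1 the private LAN. INPUT and FORWARD default to DROP; the rules below
# open only what the LAN needs and masquerade LAN traffic upstream.
# run as root; the result is saved with iptables-save afterwards (see the HOWTO).

# an unset variable or a rejected rule aborts the script with the DROP policies
# already installed (fail closed) instead of silently leaving a half-built set
set -eu

IPT=${IPT:-/sbin/iptables}   # overridable from the environment, e.g. for a dry run
readonly IPT
readonly PUBLIC_NET=192.168.0.0/24   # upstream segment; documentation only, no rule uses it
readonly PUBLIC_INTERFACE=eth0
readonly PRIVATE_LAN_IP=192.168.1.3/32
readonly PRIVATE_LAN_NET=192.168.1.0/24
readonly PRIVATE_LAN_INTERFACE=eth1

# set policies before flushing, so whatever happens next the box is closed
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# flush chains (filter and nat, built-in and user-defined)
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# setup loopback
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# drop internal source addresses arriving on the external interface (spoofing).
# these sit ahead of the ESTABLISHED rules so a spoofed packet can never ride
# on an existing connection.
"$IPT" -A FORWARD -i "$PUBLIC_INTERFACE" -s "$PRIVATE_LAN_NET" -j DROP
"$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -s "$PRIVATE_LAN_NET" -j DROP
"$IPT" -A FORWARD -i "$PUBLIC_INTERFACE" -s 127.0.0.0/8 -j DROP
"$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -s 127.0.0.0/8 -j DROP
"$IPT" -A FORWARD -i "$PUBLIC_INTERFACE" -s "$PRIVATE_LAN_IP" -j DROP
"$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -s "$PRIVATE_LAN_IP" -j DROP

# allow established connections, both chains, both directions
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -i "$PRIVATE_LAN_INTERFACE" -o "$PUBLIC_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -i "$PUBLIC_INTERFACE" -o "$PRIVATE_LAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

# prevent single hosts from connecting to the internet
# e.g. the printer:
# "$IPT" -A FORWARD -i "$PRIVATE_LAN_INTERFACE" -o "$PUBLIC_INTERFACE" -s 192.168.1.11/32 -j REJECT

# allow ssh from internal, rate limited: roughly four or more new connections
# from one address within 60 s get logged and dropped. the LOG/DROP rules must
# come before the ACCEPT rule -- the other way round every new connection is
# accepted by the first rule and the limiter never fires. NEW only: everything
# else is already handled by the ESTABLISHED rules above.
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

# allow ssh from external (if you like to) -- same ordering as above
# "$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# "$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# "$IPT" -A INPUT -i "$PUBLIC_INTERFACE" -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

# allow apache2 (the ad-block landing page) from internal. 443 is REJECTed
# rather than DROPped so blocked https requests fail at once instead of
# hanging (presumably the intent; no https site is configured here)
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 80 -m state --state NEW -j ACCEPT
# "$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 80 -m state --state NEW -j REJECT
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 443 -m state --state NEW -j REJECT

# allow dhcp from internal; deliberately no -s match, a DHCPDISCOVER comes from 0.0.0.0
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p udp --dport 67 --sport 68 -m state --state NEW -j ACCEPT

# allow dns (dnsmasq) from internal, udp and tcp
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p udp -s "$PRIVATE_LAN_NET" --dport 53 -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$PRIVATE_LAN_INTERFACE" -p tcp -s "$PRIVATE_LAN_NET" --dport 53 -m state --state NEW -j ACCEPT

# add forward rules: one rule lets any new LAN connection out upstream.
# note that a client pointing at some other resolver bypasses the ad list this
# way, since udp/53 is forwarded like everything else.
"$IPT" -A FORWARD -t filter -s "$PRIVATE_LAN_NET" -i "$PRIVATE_LAN_INTERFACE" -o "$PUBLIC_INTERFACE" -m state --state NEW -j ACCEPT

# setup nat
"$IPT" -t nat -A POSTROUTING -o "$PUBLIC_INTERFACE" -j MASQUERADE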
on a shell execute
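chmod +x /root/firewall.sh
# save the rule set only when the script exits cleanly, so a half-built set
# does not overwrite the saved one
/root/firewall.sh && iptables-save > /etc/iptables.up.rules
# nothing reloads this file at boot on its own: either restore it from
# /etc/network/interfaces (a "pre-up iptables-restore < /etc/iptables.up.rules"
# line on the eth0 stanza) or run firewall.sh again from a boot script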
dns
edit your /etc/hosts
127.0.0.1 localhost
192.168.0.1 modem.nett
192.168.1.3 router.nett
192.168.1.10 server.nett
192.168.1.11 printer.nett
on a shell execute
# dnsmasq answers the local names and the ad-block entries (addn-hosts, see below)
apt-get install dnsmasq
file: /etc/dnsmasq.conf (dnsmasq listens on every interface unless told otherwise; it is the firewall's INPUT DROP policy that keeps port 53 closed on eth0)
no-hosts
addn-hosts=/etc/dnsmasq.hosts
file: /etc/resolv.conf
domain nett
search nett
# local dnsmasq
nameserver 192.168.1.3
# FoeBud
nameserver 85.214.20.141
# ccc
nameserver 213.73.91.35
execute on a shell
# seed the dnsmasq hosts file with the local names; generate.sh (below)
# rewrites it with the ad-server entries appended
cp /etc/hosts /etc/dnsmasq.hosts
/etc/init.d/dnsmasq restart
dhcp
execute on a shell
# dhcp is done by isc-dhcp-server, not by dnsmasq
apt-get install isc-dhcp-server
file: /etc/dhcp/dhcpd.conf (the empty 192.168.0.0 subnet block presumably only keeps dhcpd from refusing to start because eth0 sits in that subnet; the firewall accepts dhcp on eth1 only, so nothing on the 192.168.0.0 side is served)
ddns-update-style none;
authoritative;
option domain-name "nett";
option domain-name-servers 192.168.1.3;
default-lease-time 86400;
max-lease-time 86400;
subnet 192.168.0.0 netmask 255.255.255.0 {
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;
  option routers 192.168.1.3;
}
execute on a shell
# pick up the new dhcpd.conf
/etc/init.d/isc-dhcp-server restart
apache (for adblocker)
execute on a shell
# wipe the shipped site configs; the single "default" site is recreated by
# hand below and serves an empty page for every blocked request
apt-get install apache2
rm /etc/apache2/sites-available/*
rm /etc/apache2/sites-enabled/*
: > /var/www/index.html
file: /etc/apache2/sites-available/default (the directives below presumably sit inside the stock &lt;VirtualHost&gt; and &lt;Directory&gt; containers, which this listing does not show)
ServerAdmin webmaster@localhost
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
RewriteEngine on
RewriteRule ^(.*)$ index.html
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
execute on a shell
# mod_rewrite is what sends every request to the empty index.html
a2enmod rewrite
a2ensite default
/etc/init.d/apache2 reload
adblocker
file: /root/generate.sh
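#!/bin/bash
# build /etc/dnsmasq.hosts from /etc/hosts plus public ad-server host lists,
# every listed name pointing at the router so the local apache serves an empty
# page for it. run as root; restarts dnsmasq at the end.
set -euo pipefail

# entries are only ever mapped to $ip, so a tampered list (most of these are
# fetched over plain http) can block names but cannot redirect them anywhere
# except the router
lists=(
  'http://hosts-file.net/ad_servers.txt'
  'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext'
  'http://winhelp2002.mvps.org/hosts.txt'
  'https://adaway.org/hosts.txt'
)
readonly dnsmasq_hosts=/etc/dnsmasq.hosts
readonly hosts=/etc/hosts
readonly ip=192.168.1.3

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Turn a hosts-format list on stdin into "$ip <name>" lines on stdout.
# Tolerates CRLF, lowercases names (DNS is case-insensitive and it lets
# sort -u merge duplicates), keeps only "<ipv4> <name>" lines with nothing
# else on them, and skips entries that would override localhost.
#######################################
extract_hosts() {
  awk -v ip="$ip" '
    { sub(/\r$/, "") }
    NF == 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      name = tolower($2)
      if (name ~ /^[0-9a-z.-]+$/ && name != "localhost" && name != "localhost.localdomain")
        print ip, name
    }'
}

# a failed download is reported but must not kill the run; the lists that
# did arrive are still used
entries=$(
  for list in "${lists[@]}"; do
    if ! wget -nv -O - "$list" | extract_hosts; then
      printf 'warning: could not fetch %s\n' "$list" >&2
    fi
  done | LC_ALL=C sort -u
)
[[ -n "$entries" ]] || die "no host entries collected, leaving $dnsmasq_hosts untouched"

# assemble the new file next to the target and rename it into place, so
# dnsmasq never reads a half-written file. mktemp creates it 0600 and dnsmasq
# runs unprivileged, hence the chmod.
new=$(mktemp "${dnsmasq_hosts}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$new"' EXIT
cat -- "$hosts" > "$new"
printf '%s\n' "$entries" >> "$new"
chmod 644 -- "$new"
mv -f -- "$new" "$dnsmasq_hosts"
/etc/init.d/dnsmasq restart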
execute on a shell
# first run; repeat (e.g. from cron) whenever the lists should be refreshed
chmod +x /root/generate.sh
/root/generate.sh
done !