Note: I've modified the goal of this project. I just want a caching DNS server in order to speed up the network at my home.
The artice I found https://www.instructables.com/id/Raspberry-Pi-Firewall-and-Intrusion-Detection-Syst/ is rather old. I worked through the process myself. Here's the record of what I did.
The interesting thing about the process used is it doesn't require a second Ethernet connection. That's a good solution for me.
NOOBS would not work on the latest Raspberry PI 3B+, so I downloaded headless Raspbian.
The Raspberry PI is sensitive to power supplies. I tried 5V 1.6A but just got the flashing red light. Then I tried to plug into a powered USB hub connected to my iMac, but I still had a power problem. I am not sure why this solution won't work. I should take my MicroUSB cable back to the store, I guess.
I got a 3 A power supply for the PI 3B+ and it works just fine. Someone gave me a 2, so I'm going to get a 2.5 A power supply for it and configure it as the firewall. The 2 doesn't have WiFi, and that's just fine.
We have to use /etc/rc.local
. Edit the file in the etc
directory and change the interface, address, netmask, broadcast address, and gateway for your router. I'm using a box provided by my cable company, so I logged into the device and got this information. I also set the PI 2 so it has a static IP address. Go ahead and do this now.
Put the static address in the hosts
file.
Make sure you have backup copies of these files. You need to use sudo
for this step to copy everything in the etc
directory to /etc
. I did not keep my IP address or other networking information in GitHub. I edited manually and then did a git checkout -- <file>
.
Restart the PI. Note - do not use ifconfig <interface> down
if you are logged in via ssh. If you are using the console, use
ifconfig <interface> down
ifconfig <interface> up
Otherwise, just use
sudo shutdown -r now
This will close your ssh connection and restart the PI.
Install tcpdump
.
I made the following changes
- Spoof protection
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
- TCP/IP SYN cookies
net.ipv4.tcp_syncookies=1
- Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts=1
- Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1
- Do not accept ICMP redirects (put your own interface name for
eth0
)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
- Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
- Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
- Log (https://en.wikipedia.org/wiki/Martian_packet)[Martian Packets]
net.ipv4.conf.all.log_martians = 1
- Router functionality
net.ipv4.ip_forward = 1
- Minimum free kb
vm.min_free_kbytes=8192
Make sure you use your own interface name for eth0
. Apply changes using sudo sysctl -p
.
Having a DNS cache server on the PI 2 will speed up DNS queries, as they will be cached locally in the house. We will deny incomplete or bad DNS requests, which increases security. Install the package dnsmasq
.
Here's how I configured it (following the original article).
interface=eth0
listen-address=<my_ip_address>
bind-interfaces
domain-needed
dns-forward-max=150
cache-size=300
I turned off DHCP since I have a mesh routing system, and I can't turn off DHCP in that system.
Also, I tried to use tcpdump to see if DNS was being handled properly. dig
reports the correct DNS address - the PI 2 - from my iMac, but no packet information is displayed.