iBlocker Access POINT
- Create a 300 MiB FAT32 partition and copy into it the content of the untarred alpine-rpi-3.2X.Y-aarch64.tar.gz from https://alpinelinux.org/downloads/.
Create a second partition (ext4) for the rest of the available space.
- mkdir /tmp/fat32 and mount /dev/sdb1 /tmp/fat32
Then copy the untarred .gz content to /tmp/fat32 and umount /tmp/fat32.
- Insert the microSD card in the Pi, log in as root (no password) and follow the
setup-alpine steps:
ALPINE LINUX INSTALL
----------------------
Keymap
--------
af al am ara at az ba bd be bg br brai by ca ch cm cn cz de dk dz ee epo es fi fo fr gb ge gh gr hr hu id ie il in iq
ir is it jp ke kg kr kz la latam lk lt lv ma md me mk ml mm mt my ng nl no nz ph pk pl pt ro rs ru se si sk sy th tj
tm tr tw ua us uz vn
Select keyboard layout: [de]
de-T3 de-deadacute de-deadgraveacute de-deadtilde de-dsb de-dsb_qwertz de-dvorak de-e1 de-e2 de-mac de-mac_nodeadkeys de-neo
de-nodeadkeys de-qwerty de-ro de-ro_nodeadkeys de-ru de-tr de-us de
Select variant (or 'abort'): [de]
* Setting keymap ... [ ok ]
Hostname
----------
Enter system hostname (fully qualified form, e.g. 'foo.example.org') [localhost]
Interface
-----------
Available interfaces are: eth0 wlan0.
Enter '?' for help on bridges, bonding and vlans.
Which one do you want to initialize? (or '?' or 'done') [eth0]
Ip address for eth0? (or 'dhcp', 'none', '?') [dhcp]
Available interfaces are: wlan0.
Enter '?' for help on bridges, bonding and vlans.
Which one do you want to initialize? (or '?' or 'done') [done]
Do you want to do any manual network configuration? (y/n) [n]
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: broadcasting select for 192.168.178.61, server 192.168.178.1
udhcpc: lease of 192.168.178.61 obtained from 192.168.178.1, lease time 864000
Root Password
---------------
Changing password for root
New password:
Retype password:
passwd: password for root changed by root
Timezone
----------
Africa/ Australia/ Cuba Etc/ GMT+0 Iceland Kwajalein NZ Poland UCT Zulu
America/ Brazil/ EET Europe/ GMT-0 Indian/ Libya NZ-CHAT Portugal US/ leap-seconds.list
Antarctica/ CET EST Factory GMT0 Iran MET Navajo ROC UTC posixrules
Arctic/ CST6CDT EST5EDT GB Greenwich Israel MST PRC ROK Universal
Asia/ Canada/ Egypt GB-Eire HST Jamaica MST7MDT PST8PDT Singapore W-SU
Atlantic/ Chile/ Eire GMT Hongkong Japan Mexico/ Pacific/ Turkey WET
Which timezone are you in? [UTC] Europe
What sub-timezone of 'Europe' are you in? Berlin
* WARNING: clock skew detected!
* Seeding random number generator ...
* Saving 256 bits of creditable seed for next boot
[ ok ]
* WARNING: clock skew detected!
* Starting busybox acpid ... [ ok ]
* Starting busybox crond ... [ ok ]
Proxy
-------
HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]
Network Time Protocol
-----------------------
Mon Apr 8 08:09:58 CEST 2024
Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]
* service chronyd added to runlevel default
* Starting chronyd ... [ ok ]
APK Mirror
------------
(f) Find and use fastest mirror
(s) Show mirrorlist
(r) Use random mirror
(e) Edit /etc/apk/repositories with text editor
(c) Community repo enable
(skip) Skip setting up apk repositories
Enter mirror number or URL: [1]
Added mirror dl-cdn.alpinelinux.org
Updating repository indexes... done.
User
------
Setup a user? (enter a lower-case loginname, or 'no') [no] iblocker
Full name for user iblocker [iblocker]
Changing password for iblocker
New password:
Retype password:
passwd: password for iblocker changed by root
Enter ssh key or URL for iblocker (or 'none') [none]
(1/1) Installing doas (6.8.2-r7)
Executing busybox-1.36.1-r29.trigger
OK: 23 MiB in 37 packages
Which ssh server? ('openssh', 'dropbear' or 'none') [openssh]
* service sshd added to runlevel default
* Caching service dependencies ... [ ok ]
ssh-keygen: generating new host keys: RSA ECDSA ED25519
* Starting sshd ... [ ok ]
Disk & Install
----------------
No disks available. Try boot media /media/mmcblk0p1? (y/n) [y]
* WARNING: you are stopping a sysinit service
* Unmounting /.modloop ... [ ok ]
Available disks are:
mmcblk0 (31.9 GB )
Which disk(s) would you like to use? (or '?' for help or 'none') [mmcblk0]
The following disk is selected:
mmcblk0 (31.9 GB )
How would you like to use it? ('sys', 'data', 'crypt', 'lvm' or '?' for help) [sys]
/sbin/update-raspberrypi-bootloader: WARNING: no kernel found
WARNING: The following disk(s) will be erased:
mmcblk0 (31.9 GB )
WARNING: Erase the above disk(s) and continue? (y/n) y
Please reboot!
After reboot, set the time with the command below (if necessary):
date --set="2024-10-14 10:07:00"
For the router scenario (iBlocker attached via eth to your Internet router), after reboot and login as root, download the script below into the /tmp folder:
wget www.2transfer.eu/iblocker/camera/router/Alpine_Router_Install.sh -P /tmp
After changing its rights to 755, launch the installation script; before that, the user needs to adjust the settings below:
interface='eth0' ### eth0 for router variant, usb0 for modem variant ############
wifipass='Test#1234'
iblockerssid="Alpine_iBlockerv4"
cameraport="8085"
motionpass="Test#1234"
server="your_server.your_domain" ### user iblocker created in advance on server!
dns_server="dns_server_IP" ### e.g. 8.8.8.8
The script performs the steps described from the "Access Point" section to the "Firewall" section.
* In case no server is available, the user can set up his router for external access instead; see the section Open Ports in Router (Router Scenario).
-----------------------------------//-----------------------------------------
cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0
use dhcp
use ipv6-ra
auto wlan0
iface wlan0
address 172.25.1.1/24
address fdda:8765:4321:fdda::1/64
Edit /etc/resolv.conf:
search yourdomain.xyz
nameserver x.a.b.c
In /etc/udhcpc/udhcpc.conf, uncomment the line below (so udhcpc no longer overwrites /etc/resolv.conf on each lease):
#RESOLV_CONF="no"
Reboot.
Install the DHCP server: apk add dhcp
Edit /etc/dhcp/dhcpd.conf (content below), then:
apk add dhcpcd
rc-update add dhcpcd
rc-service dhcpcd start
/etc/dhcp/dhcpd.conf should contain the lines below:
option domain-name-servers yourserver.xyz;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
#####This is a very basic subnet declaration.
subnet 172.25.1.0 netmask 255.255.255.0 {
range 172.25.1.10 172.25.1.200;
option domain-name-servers yourserver.xyz;
option routers 172.25.1.1;
}
rc-update add dhcpd
rc-service dhcpd start (or it is started automatically after the reboot)
Note: DHCP IPv6 server not ready yet.
Here is how to enable Network Address Translation (NAT) on an Alpine Linux server:
echo "net.ipv4.ip_forward=1" | tee -a /etc/sysctl.conf
Save: sysctl -w
Display: sysctl -p
apk add iptables ipset
rc-update add iptables
--- wlan0 is the internal interface ---
iptables -A FORWARD -i wlan0 -j ACCEPT
--- eth0 is the external interface (connected to the internet) ---
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/etc/init.d/iptables save
echo "net.ipv6.conf.all.forwarding=1" | tee -a /etc/sysctl.conf
Save: sysctl -w
Display: sysctl -p
apk add ip6tables
rc-update add ip6tables
ip6tables -A FORWARD -i wlan0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/etc/init.d/ip6tables save
Note: DHCP IPv6 server not ready yet.
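The two `tee -a` lines above append a new line to /etc/sysctl.conf every time they are run, so a repeated install leaves duplicate keys. As an added example (not part of the iBlocker scripts), the helper below sets a sysctl key in a file exactly once, rewriting the value if the key already exists; the file path is a parameter so it can be tried on a scratch file first and then applied to the real one with `sysctl -p`.

```sh
#!/bin/sh
# Added example, not from the iBlocker project: idempotent sysctl.conf editing
# for the two forwarding keys enabled in the NAT section above.
# ensure_sysctl FILE KEY VALUE
# Appends KEY=VALUE to FILE if KEY is absent, otherwise rewrites the existing
# line, so running it twice never leaves two copies of the key.
ensure_sysctl() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    # dots in sysctl keys are literal, so escape them for the regex
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}
# enable_forwarding FILE
# Sets both keys the NAT section needs; apply them afterwards with `sysctl -p FILE`.
enable_forwarding() {
    ensure_sysctl "$1" net.ipv4.ip_forward 1
    ensure_sysctl "$1" net.ipv6.conf.all.forwarding 1
}
# sysctl_value FILE KEY -> prints the value recorded for KEY in FILE
sysctl_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}
# Demo on a scratch copy, not on the live /etc/sysctl.conf (constructed content).
demo_file=$(mktemp)
printf 'net.ipv4.ip_forward=0\n' > "$demo_file"
enable_forwarding "$demo_file"
enable_forwarding "$demo_file"   # second run must not add duplicate lines
cat "$demo_file"
rm -f "$demo_file"
```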
On an IPv6 client (Ubuntu, for example) configure the address and default route manually:
ip addr add dev wlan0 fdda:8765:4321:fdda::10/64
ip -6 route add default via fdda:8765:4321:fdda::1
Then check that IPv6 works, with traceroute6 www.google.com or http://test-ipv6.com:
traceroute to www.google.com (2a00:1450:4001:806::2004) from fdda:8765:4321:fdda::10, 30 hops max, 24 byte packets
1 gateway (fdda:8765:4321:fdda::1) 4,0680 ms 1,0228 ms 0,9290 ms
2 200116b826cb26009a9bcbfffe026 (2001:16b8:26cb:2600:9a9b:cbff:fe02:6c4e)
apk add hostapd
rc-service hostapd start
rc-update add hostapd
/etc/hostapd/hostapd.conf should contain the lines below:
-----------------------------------//------------------------------------------
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=iBlocker-ALPINE
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=-1
fragm_threshold=-1
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
wpa=2
wpa_passphrase=Test#1234
-----------------------------------//-----------------------------------------
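hostapd refuses to start when the SSID is longer than 32 bytes or when wpa_passphrase is not 8 to 63 printable ASCII characters, which is easy to hit when the ssid and wpa_passphrase values above are changed in the install script. As an added example (not the project's code), a pre-flight check for the two values; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the iBlocker project: validate the ssid and
# wpa_passphrase values before writing /etc/hostapd/hostapd.conf.
# valid_ssid SSID -> 0 if 1..32 bytes long (the 802.11 SSID limit hostapd enforces)
valid_ssid() {
    n=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
    [ "$n" -ge 1 ] && [ "$n" -le 32 ]
}
# valid_wpa_passphrase PASS -> 0 if 8..63 characters, all printable ASCII (0x20..0x7E)
valid_wpa_passphrase() {
    n=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
    # any byte outside the printable ASCII range makes the passphrase invalid
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}
# check_ap_settings SSID PASS -> 0 if both are acceptable, otherwise prints why
check_ap_settings() {
    ok=0
    valid_ssid "$1" || { echo "ssid must be 1-32 bytes: '$1'" >&2; ok=1; }
    valid_wpa_passphrase "$2" || { echo "wpa_passphrase must be 8-63 printable ASCII chars" >&2; ok=1; }
    return $ok
}
# Values from the settings block on this page; change them and re-run before installing.
check_ap_settings "Alpine_iBlockerv4" 'Test#1234' && echo "hostapd settings OK"
```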
Use crontab -e and add the lines below:
# do daily/weekly/monthly maintenance
# min hour day month weekday command
#*/15 * * * * /etc/periodic/15min/empty_motion
0 * * * * /etc/periodic/hourly/empty_motion
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
@reboot /var/www/localhost/cgi-bin/modem/AT/ushubctl-reset-hub.cgi
@reboot /var/www/localhost/cgi-bin/piwall/camera.cgi &
@reboot /var/www/localhost/cgi-bin/piwall/check_ssh_tunnel.cgi &
@reboot /var/www/localhost/cgi-bin/modem/AT/Read_SMS_Daemon.cgi &
@reboot /var/www/localhost/cgi-bin/modem/AT/Usb0-Reboot-Daemon.cgi &
After reboot the iBlocker-ALPINE network should be available. Connect your Wi-Fi device using the password Test#1234 and check Internet connectivity, including https://test-ipv6.com/.
-----------------------------------//-----------------------------------------
The following steps install and configure the firewall:
apk add awall
The files below are created in /etc/awall/optional and the firewall is started with the commands below:
awall list
awall activate
Firewall files located in /etc/awall/optional:
iBlocker.json
{
"description": "Default awall policy to protect iBlocker",
"variable": { "internet_if": "eth0" },
"zone": {
"internet": { "iface": "$internet_if" },
"LAN": { "iface": "wlan0" }
},
"service": {
"motion": { "proto": "tcp", "port": 8081 },
"prometheus": { "proto": "tcp", "port": 9090 },
"grafana": { "proto": "tcp", "port": 3000 }
},
"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "LAN", "out": "internet", "action": "accept" },
{ "in": "internet", "action": "drop" }
],
"snat": [
{ "out": "internet" }
]
}
ssh.json
{
"description": "Allow incoming SSH access (TCP/22)",
"filter": [
{
"in": "internet",
"out": "_fw",
"service": "ssh",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24"],
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "LAN",
"out": "_fw",
"service": "ssh",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24" ],
"conn-limit": { "count": 3, "interval": 60 }
}
]
}
ping.json
{
"description": "Allow ping-pong",
"filter": [
{
"in": "internet",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "LAN",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
}
]
}
monitoring.json
{
"description": "Monitoring via Prometheus/Grafana/node_exporter (port 9100)",
"filter": [
{
"in": "internet",
"out": "_fw",
"service": "hp-pdl",
"action": "accept"
}
]
}
apache.json
{
"description": "Allow incoming Apache HTTP/HTTPS (TCP/80 and 443) ports",
"filter": [
{
"in": "internet",
"out": "_fw",
"service": [ "http", "https"],
"action": "accept"
},
{
"in": "LAN",
"out": "_fw",
"service": [ "http", "https"],
"action": "accept"
}
]
}
prometheus.json
{
"description": "Allow incoming Prometheus access (TCP/9090)",
"filter": [
{
"in": "internet",
"out": "_fw",
"service": "prometheus",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24"],
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "LAN",
"out": "_fw",
"service": "prometheus",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24" ],
"conn-limit": { "count": 3, "interval": 60 }
}
]
}
grafana.json
{
"description": "Allow incoming Grafana access (TCP/3000)",
"filter": [
{
"in": "internet",
"out": "_fw",
"service": "grafana",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24"]
},
{
"in": "LAN",
"out": "_fw",
"service": "grafana",
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24" ]
}
]
}
motion.json
{
"description": "Motion local accessible (port 8081)",
"filter": [
{
"in": "LAN",
"service": "motion",
"action": "accept"
},
{
"in": "internet",
"service": "motion",
"action": "accept"
}
]
}
In case the user needs to restrict access to the camera, he has to add a "src" line under "action", e.g.:
"action": "accept",
"src": [ "192.168.178.0/24", "172.25.1.0/24" ]
-----------------------------------//-----------------------------------------
Contact: office@2transfer.eu
Copyright © IBlocker.eu project. Proudly powered by Open Source software.