├── README.md ├── build.sh └── flash-sdcard.sh /README.md: -------------------------------------------------------------------------------- 1 | ```html 2 | ___ ___ ___ _____ _ _ 3 | | _ \/ _ \| _ \_ _/_\ | | of ._ o 4 | | _/ (_) | / | |/ _ \| |__ |_)| 5 | |_| \___/|_|_\ |_/_/ \_\____| | 6 | ``` 7 | 8 | PORTAL of Pi - RaspberyPi based PORTAL device. Certified UNIX Network Technicians only! 9 | 10 | Development and Design Guide 11 | ============================= 12 | 13 | By: the grugq 14 | 15 | Guide 16 | ===== 17 | 18 | This will guide you through configuring an Arch based RaspberryPi installation 19 | which transparently forwards all TCP traffic over the Tor network. There is 20 | also a Tor SOCKS proxy for explicitly interacting with the Tor network, either 21 | for more security, or to access a Hidden Service. 22 | 23 | The configuration of access to the Internet is left as an exercise to the reader. 24 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # ___ ___ ___ _____ _ _ 3 | # | _ \/ _ \| _ \_ _/_\ | | of ._ o 4 | # | _/ (_) | / | |/ _ \| |__ |_)| 5 | # |_| \___/|_|_\ |_/_/ \_\____| | 6 | # 7 | # Licensed GPLv3 8 | # 9 | # (c) 2013 the grugq 10 | 11 | # See the README.md for indepth details. 12 | # 13 | # Based on the RaspberryPi Arch distribution. 14 | # View official installation instructions: 15 | # https://archlinuxarm.org/platforms/armv6/raspberry-pi#installation 16 | # Or run the automated setup script: 17 | # bash flash-sdcard.sh /dev/yoursdcard 18 | 19 | # PORTAL configuration overview 20 | # 21 | # ((Internet))---[USB]<[Pi]>[eth0]----((LAN)) 22 | # eth0: 172.16.0.1 23 | # * anything from here can only reach 9050 (Tor proxy) or, 24 | # * the transparent Tor proxy 25 | # USB: ???. 26 | # * Internet access. You're on your own 27 | # * No services exposed here 28 | 29 | # STEP 1 !!! 
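# configure Internet access, we'll need to install some basic tools.
#
# Everything below runs as root and fetches packages over whatever upstream
# (USB) link you configured -- none of the Pi's own traffic goes through Tor,
# only what arrives on eth0 (see the iptables rules further down).

# update pacman: full sync and upgrade. Later installs use plain "-S" so the
# system is never left partially upgraded (a bare "-Sy" followed by "-S" is
# the classic way to break an Arch box).
pacman -Syu

# install a comfortable work environment
pacman -S yaourt zsh grml-zsh-config vim htop lsof strace

# install development tools, needed only for Tor (? check this ?)
#pacman -S base-devel

# install dnsmasq for DHCP on eth0
pacman -S dnsmasq

# Install Tor
pacman -S tor

# install an HTTP proxy, optional
pacman -S polipo

# logrunner & tlsdate both need to be built :(

## Setup the hardware random number generator
# NOTE(review): the module name is the one from the 2013 kernel; check that
# /dev/hwrng exists after the first reboot, otherwise rngd has nothing to read.
echo "bcm2708-rng" > /etc/modules-load.d/bcm2708-rng.conf
pacman -S rng-tools
# Tell rngd to seed /dev/random using the hardware rng
echo 'RNGD_OPTS="-o /dev/random -r /dev/hwrng"' > /etc/conf.d/rngd
systemctl enable rngd

# set the time to UTC, because that's how we roll
# (-f replaces whatever /etc/localtime already is, link or file)
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

# set hostname to PORTAL \m/
echo "portal" > /etc/hostname

# This is the config for Tor, lets set it up.
# The heredoc delimiter is quoted: nothing in the torrc is shell-expanded.
cat > /etc/tor/torrc << '__TORRC__'
## CONFIGURED FOR ARCHLINUX

## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.
SocksPort 9050 # port to listen on for localhost connections
# SocksPort 127.0.0.1:9050 # functionally the same as the line above
## SOCKS for the LAN side. It is reachable by anything on eth0 (the iptables
## INPUT rules allow it), so every LAN host can use Tor directly.
SocksPort 172.16.0.1:9050 # listen on a chosen IP/port too

## Allow no-name routers (ones that the dirserver operators don't
## know anything about) in only these positions in your circuits.
## Other choices (not advised) are entry,exit,introduction.
## NOTE(review): newer Tor releases may reject or ignore this option;
## if "tor --verify-config" complains about it, drop the line.
AllowUnverifiedNodes middle,rendezvous

Log notice syslog

DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor controller
## applications, as documented in control-spec.txt. NB: this feature is
## currently experimental.
#ControlPort 9051

## Map requests for .onion/.exit addresses to virtual addresses so
## applications can resolve and connect to them transparently.
AutomapHostsOnResolve 1
## Subnet to automap .onion/.exit address to.
VirtualAddrNetworkIPv4 10.192.0.0/10

## Transparent proxy and DNS listeners. Both bind to the eth0 address, so
## network.service (which assigns 172.16.0.1) must be up before tor starts:
## it is ordered Before=network.target and tor runs After=network.target.
## Open this port to listen for transparent proxy connections.
TransPort 172.16.0.1:9040
## Open this port to listen for UDP DNS requests, and resolve them anonymously.
DNSPort 172.16.0.1:9053

__TORRC__

#
# set up the ethernet (LAN side, static address; no default route here --
# the upstream link is configured separately)
cat > /etc/conf.d/network << '__ETHCONF__'
interface=eth0
address=172.16.0.1
netmask=24
broadcast=172.16.0.255
__ETHCONF__

# Quoted delimiter: the ${...} references below are for systemd (expanded
# from the EnvironmentFile), not for the shell.
cat > /etc/systemd/system/network.service << '__ETHRC__'
[Unit]
Description=Static IP Connectivity
Wants=network.target
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/conf.d/network
ExecStart=/sbin/ip link set dev ${interface} up
#ExecStart=/usr/sbin/wpa_supplicant -B -i ${interface} -c /etc/wpa_supplicant.conf # Remove this for wired connections
ExecStart=/sbin/ip addr add ${address}/${netmask} broadcast ${broadcast} dev ${interface}
#ExecStart=/sbin/ip route add default via ${gateway}

ExecStop=/sbin/ip addr flush dev ${interface}
ExecStop=/sbin/ip link set dev ${interface} down

[Install]
WantedBy=multi-user.target
__ETHRC__

systemctl enable network.service

# should already be enabled
# NOTE(review): ntpd talks to its servers over the upstream link, in the clear
# and unauthenticated; tor is made to wait for it (below) because it needs a
# sane clock. tlsdate (mentioned above) is the alternative if a spoofed clock
# is part of your threat model.
systemctl enable ntpd.service

# patch ntp-wait: strange unresolved bug
# Only patch when the expected Perl text is present; a different ntp-wait is
# left alone (with a warning) instead of being silently mangled.
if grep -qF '$leap =~ /' /usr/bin/ntp-wait; then
  sed -i 's/$leap =~ \/(sync|leap)_alarm/$sync =~ \/sync_unspec/' /usr/bin/ntp-wait
  sed -i 's/$leap =~ \/leap_(none|((add|del)_sec))/$sync =~ \/sync_ntp/' /usr/bin/ntp-wait
else
  echo "WARNING: /usr/bin/ntp-wait does not look like the expected version, not patched" >&2
fi

# Admin-provided units belong in /etc/systemd/system; /usr/lib/systemd is
# package territory and anything put there can be overwritten on upgrade.
cat > /etc/systemd/system/ntp-wait.service << '__NTPWAIT__'
[Unit]
Description=Wait for Network Time Service to synchronize
After=ntpd.service
Requires=ntpd.service

[Service]
Type=oneshot
ExecStart=/usr/bin/ntp-wait -n 5

[Install]
WantedBy=multi-user.target
__NTPWAIT__

systemctl enable ntp-wait.service

# configure dnsmasq
# DHCP only: UDP/53 from the LAN is redirected to Tor's DNSPort (9053) by the
# nat PREROUTING rule below before it could reach dnsmasq, and the INPUT chain
# never opens port 53 on eth0 anyway, so dnsmasq has no reason to listen on it.
cat > /etc/dnsmasq.conf << '__DNSMASQ__'
# Disable the DNS side entirely; this box only hands out leases.
port=0
# Clients are still told to use us for DNS; the firewall hands those queries to Tor.
dhcp-option=option:dns-server,172.16.0.1

# The three options below only matter if DNS is re-enabled; kept for that case.
# Don't forward queries for private networks (i.e. 172.16.0.0/16) to upstream nameservers.
bogus-priv
# Don't forward queries for plain names (no dots or domain parts), to upstream nameservers.
domain-needed
# Ignore periodic Windows DNS requests which don't get sensible answers from the public DNS.
filterwin2k

# Listen for DHCP requests arriving on this interface.
interface=eth0
# Bind only on the interfaces listed above.
bind-interfaces

# Serve DHCP replies in the following IP range
dhcp-range=interface:eth0,172.16.0.50,172.16.0.150,255.255.255.0,12h

# For debugging purposes, log each DNS query as it passes through dnsmasq.
# XXX this is actually a good idea, particularly if you want to look for indicators of compromise.
# NOTE(review): with the redirect in place, LAN DNS never passes through
# dnsmasq, so this would log nothing; look at Tor's DNSPort instead (and mind
# that query logs are themselves sensitive on an anonymity box).
#log-queries
__DNSMASQ__

# enable the dnsmasq daemon
systemctl enable dnsmasq.service

# setup the iptables rules
#
# Policy, in one place:
#   * FORWARD is DROP: nothing from the LAN is routed anywhere. TCP is picked
#     up by the nat REDIRECT into TransPort, UDP/53 by the one into DNSPort,
#     and every other protocol from the LAN is simply dropped.
#   * INPUT on eth0 only admits the Tor ports and DHCP.
#   * OUTPUT is ACCEPT: the Pi's own traffic (pacman, ntpd, tor itself) uses
#     the upstream link directly and is NOT torified.
#   * IPv4 only. Nothing here filters IPv6; keep it disabled on the Pi or add
#     matching ip6tables rules, or the LAN side is not covered.
cat > /etc/iptables/iptables.rules << '__IPTABLES__'
# Generated by iptables-save v1.4.16.3 on Thu Jan 1 01:24:22 1970
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the SYN needs redirecting; conntrack keeps the rest of the flow on 9040.
# TCP/53 is ordinary TCP here and ends up in TransPort, not DNSPort.
-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
# Completed on Thu Jan 1 01:24:22 1970
# Generated by iptables-save v1.4.16.3 on Thu Jan 1 01:24:22 1970
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [64:3712]
# ICMP is accepted on every interface, including the upstream one.
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jan 1 01:24:22 1970 ## truf!
__IPTABLES__

systemctl enable iptables.service

# make tor wait for ntpd to synchronize. A drop-in is used instead of editing
# the packaged unit, which pacman would overwrite on the next tor upgrade.
mkdir -p /etc/systemd/system/tor.service.d
cat > /etc/systemd/system/tor.service.d/ntp-wait.conf << '__TORDROPIN__'
[Unit]
After=ntp-wait.service
__TORDROPIN__
systemctl daemon-reload

# turn on tor, and reboot... it should work.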
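systemctl enable tor.service
-------------------------------------------------------------------------------- /flash-sdcard.sh: --------------------------------------------------------------------------------
#!/bin/sh
# flash-sdcard.sh
#
# Automated Arch Linux ARM install script
# This script installs the latest version of Arch Linux ARM to an SD card.
#
# Based on official installation recommendations:
#   https://archlinuxarm.org/platforms/armv6/raspberry-pi#installation
#
# This script requires the following input:
#   1. The full path to a block device where Arch ARM is to be installed.
#      Everything on that device is destroyed. Must be run as root.
#
# This script performs the following actions:
#   1. Creates 100MB vfat (boot) partition on specified block device;
#   2. Creates ext4 (root) partition on remaining space;
#   3. Creates a temporary directory for mount points and download;
#   4. Downloads a tarball of the latest ArchARM distribution over HTTPS and
#      verifies its PGP signature before touching it;
#   5. Extracts files to new root partition;
#   6. Moves /boot directory to boot partition;
#   7. Unmounts and removes the temporary directory.
#
# Usage:
#   bash flash-sdcard.sh /dev/sdcard
#

## Set flags
# -e: abort on the first failing command. Without it a failed mkfs/mount was
#     followed by tar unpacking the root filesystem into the temp directory on
#     the host while the card stayed empty, and the script still "succeeded".
#     fdisk is the one command exempted (see below).
# -u: unset variables are errors.
set -eu

## Check that exactly one argument was given and that it is a block device.
## (-b rather than -e: a typo naming a regular file or directory would
## otherwise be handed straight to fdisk and mkfs.)
if [ $# -ne 1 ] || [ ! -b "$1" ]; then
  echo
  echo "Valid path to SD card block device is a required argument."
  echo
  echo "Example:"
  echo "  bash $0 /dev/mmcblk0"
  echo
  exit 1
fi

dev=$1

## Partitioning, mkfs and mount all need root; fail early rather than half-way.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

## Wipe SD card.
#dd if=/dev/zero of="$dev"

## Create partitions using fdisk by simulating user input.
## (fdisk was not designed with non-interactive use in mind, and may exit
## non-zero even after a successful write, so it is exempt from "set -e".)
fdisk "$dev" << '__FDISK__' || true
o
n
p
1

+100M
n
p
2


p
w
q
__FDISK__

## Sync changes and re-read the partition table.
sync; partprobe "$dev"; sync

## Create temporary directory for mounts and download.
work=$(mktemp -d)
cd "$work"
mkdir boot root

## Partition naming: sda -> sda1, but mmcblk0 -> mmcblk0p1.
if [ -b "${dev}1" ]; then
  boot_part="${dev}1"
  root_part="${dev}2"
else
  boot_part="${dev}p1"
  root_part="${dev}p2"
fi

mkfs.vfat "$boot_part"
mkfs.ext4 "$root_part"
mount "$boot_part" boot
mount "$root_part" root

## Download the root filesystem tarball.
## This is the code that will run as root on the Pi, so it is fetched over
## HTTPS and its PGP signature is checked before anything is extracted; a bad
## or missing signature aborts the script (set -e).
SRC="https://archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz" #RasPi
#SRC="https://archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz" #RasPi 2
TARBALL=${SRC##*/}
wget "$SRC"
wget "$SRC.sig"

## NOTE(review): the key ID below is the one the original script named. An
## 8-hex-digit ID is not collision resistant and a keyserver fetch is not a
## trust decision: replace it with the full fingerprint published by Arch
## Linux ARM, and read gpg's output -- a "Good signature" from an unexpected
## key is still a failure.
gpg --recv-keys 2BDBE6A6
gpg --verify "$TARBALL.sig" "$TARBALL"

## Extract tarball onto the root partition, then move /boot files to the
## boot partition.
tar -xf "$TARBALL" -C root
sync
mv root/boot/* boot
sync

## Unmount mounts, then remove the scratch directory (only reached if both
## unmounts succeeded, so a still-mounted tree is never rm'd).
umount boot root
cd /
rm -rf -- "${work:?}"

## We're done.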