Category: raspberry pi

Nftables examples

These nftables firewall examples are from my previous house. They all require IPv4 forwarding (net.ipv4.ip_forward) to be enabled in /etc/sysctl.conf, as well as running a DHCP server when plugging into an existing router's WAN port.

This allowed me to use Raspberry Pis and USB network adaptors instead of more permanent hardware.

The first and last examples sat between the NBN box and the internet service provider's supplied router. The final one also ended up with some IPv6 nftables rules.

There are some port forwards, with a few different conditions explained in the comments.

There are rules for dropping a few dodgy packets. This is possibly not the ideal way of doing it all, but the rules are provided as samples for those googling the subject. Hi!

This one was for going between the router and the NBN box, using a USB network card for the WAN connection.


#!/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" ct state established,related counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "eth1" tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "eth0" oifname "eth1" counter accept comment "eth0 to eth1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "eth1" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # prio -150 is before prerouting in the nat table (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        iifname "eth1" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "eth1" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth1" counter masquerade comment "masquerade"
    }
}
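To make the "drop badly formed packets" rules in early_packet_filter concrete, here is an added Python model (not from the original post, and not an nftables tool) that applies the same four flag tests to a segment's TCP flag byte, its conntrack state and its SYN MSS option. The function and the sample segments are constructed for this illustration; the `ct state invalid` rule is left to conntrack and is not modelled.

```python
# Added example: evaluates the four flag-based "drop badly formed packets" predicates
# from the early_packet_filter chain above in Python, so the bit arithmetic in the
# nft rules can be checked against sample segments. Not part of the original post;
# the sample segments below are constructed for illustration.

# TCP flag bits, named as nft names them (RFC 793 bit positions).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Masks used by the rules that compare a subset of the flag byte.
HANDSHAKE_MASK = FIN | SYN | RST | ACK            # fin|syn|rst|ack
ALL_MASK = FIN | SYN | RST | PSH | ACK | URG      # fin|syn|rst|psh|ack|urg


def early_packet_filter(flags, ct_new=False, mss=None):
    """Return the reason the chain would drop a TCP segment, or None if it passes.

    flags:  TCP flag byte (CWR/ECE bits are not covered by either mask, as in the rules)
    ct_new: True if conntrack classifies the segment as 'new' (no existing flow)
    mss:    value of the TCP MSS option if the segment carries one, else None
    """
    # tcp flags & (fin|syn|rst|ack) != syn ct state new drop
    # A segment that opens a new flow must be a bare SYN; PSH/URG are outside the mask.
    if ct_new and (flags & HANDSHAKE_MASK) != SYN:
        return "new connection not starting with SYN"
    # tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
    if (flags & ALL_MASK) == ALL_MASK:
        return "all flags set (xmas)"
    # tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
    if (flags & ALL_MASK) == 0:
        return "no flags set (null)"
    # tcp flags syn tcp option maxseg size 1-536 drop
    # 'tcp flags syn' only requires the SYN bit to be set, whatever else is set.
    if (flags & SYN) and mss is not None and 1 <= mss <= 536:
        return "SYN with tiny MSS"
    return None


# Constructed sample segments: (description, flags, ct_new, mss)
SAMPLE_SEGMENTS = [
    ("normal SYN, MSS 1460", SYN, True, 1460),
    ("SYN+ACK reply in tracked flow", SYN | ACK, False, 1460),
    ("ACK on established flow", ACK, False, None),
    ("FIN-only probe with no flow", FIN, True, None),
    ("ACK-only probe with no flow", ACK, True, None),
    ("xmas scan", ALL_MASK, False, None),   # inside a tracked flow, so rule 1 is skipped
    ("null scan", 0, False, None),
    ("SYN with MSS 200", SYN, True, 200),
]


def classify_samples(segments=SAMPLE_SEGMENTS):
    """Map each sample description to its drop reason (None = passes this chain)."""
    return {desc: early_packet_filter(flags, ct_new, mss)
            for desc, flags, ct_new, mss in segments}


if __name__ == "__main__":
    for desc, verdict in classify_samples().items():
        print(f"{desc:32} -> {verdict or 'pass'}")
```

Rule order matters: an all-flags probe that arrives without an existing flow is already dropped by the first rule, because its masked flags are not a bare SYN; the dedicated xmas and null rules cover segments that conntrack has attached to an existing flow, and the MSS rule catches SYNs that would force the stack into many tiny segments.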

butles was using a USB WiFi adaptor for the internet (wlan1), the on-board WiFi for a GoPro network (wlan0) and a wired connection to the garage router's WAN port (eth0).

#!/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "wlan0" counter accept comment "accept wlan0"
        iifname "wlan1" ct state established,related counter accept comment "accept traffic from us"
        iifname "eth0" counter accept comment "accept eth0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 22 counter accept comment "accept SSH from garage"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 5000 counter accept comment "accept OCTOPRINT"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 8080 counter accept comment "accept WEBCAM"
        iifname "wlan1" ip saddr 192.168.2.0/24 tcp dport 24800 counter accept comment "accept SYNERGY from routers wan port"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "wlan0" oifname "wlan1" counter accept comment "wlan0 to wlan1"
        iifname "eth0" oifname "wlan1" counter accept comment "eth0 to wlan1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "wlan1" oifname "wlan0" ct state related,established counter accept comment "external to wlan0"
        iifname "wlan1" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # prio -150 is before prerouting in the nat table (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan1" counter masquerade comment "masquerade"
    }
}


Backup of the PPPoE NBN config. It needed a VLAN ID and authentication details copied from the supplied router's admin page. Also includes fail2ban and IPv6.

#!/sbin/nft -f

flush ruleset
include "/etc/nftables/fail2ban.conf"

table ip fail2ban {
    chain input {
        type filter hook input priority 100;
    }
}

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" counter accept comment "accept eth1"
        iifname "ppp0" ct state established,related counter accept comment "accept traffic back from us"
        #iifname "ppp0" counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "ppp0" tcp dport 22 counter accept comment "accept SSH"
        iifname "ppp0" tcp dport 23 counter accept comment "accept SSH to slab"
        iifname "ppp0" tcp dport 443 counter accept comment "accept HTTPS to slab"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "eth0" oifname "ppp0" counter accept comment "eth0 to ppp0"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "ppp0" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # prio -150 is before prerouting in the nat table (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        iifname "ppp0" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "ppp0" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "ppp0" counter masquerade comment "masquerade"
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # established/related connections
        ct state established,related accept

        # invalid connections
        ct state invalid drop

        # loopback interface
        iifname lo accept

        # icmp
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept

        # drop everything else
        drop
    }
}
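Each of the three rulesets exposes a different set of input-chain accepts on its WAN interface, and the commented-out `#iifname "ppp0" counter accept` line above shows how easy it is to leave a blanket accept in place while testing. Below is an added Python audit (not from the original post, and not an nftables tool) that reads an input chain in the flat "match ... verdict" style used on this page and reports every accept rule that can match traffic arriving on a given WAN interface, classified by how far it is restricted. The chain text embedded in the script is the input chain of the PPPoE ruleset above; the WAN interface name is passed in as a parameter, and the parser understands only the matches that appear in these rulesets (iifname/iif, ct state, tcp/udp dport, ip saddr, comment).

```python
# Added example: audit which input-chain rules accept traffic arriving on the WAN
# interface of an nftables ruleset written in the flat style used on this page.
# Not part of the original post. Handles only: iifname/iif, ct state, tcp/udp
# dport, ip saddr, comment and the accept/drop/reject verdicts.
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional, Set

# The input chain from the PPPoE ruleset on this page, embedded so the audit runs offline.
RULESET = r'''
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" counter accept comment "accept eth1"
        iifname "ppp0" ct state established,related counter accept comment "accept traffic back from us"
        #iifname "ppp0" counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "ppp0" tcp dport 22 counter accept comment "accept SSH"
        iifname "ppp0" tcp dport 23 counter accept comment "accept SSH to slab"
        iifname "ppp0" tcp dport 443 counter accept comment "accept HTTPS to slab"
        counter comment "count dropped packets"
    }
}
'''

VERDICTS = {"accept", "drop", "reject"}
NOT_A_RULE = {"type", "chain", "table", "{", "}"}


@dataclass
class Rule:
    iif: Optional[str] = None             # interface from 'iifname "x"' or 'iif x'
    ct_states: Set[str] = field(default_factory=set)
    dport: Optional[str] = None           # 'tcp dport N' / 'udp dport N' as "tcp/N"
    saddr: Optional[str] = None           # 'ip saddr CIDR'
    verdict: Optional[str] = None
    comment: Optional[str] = None


def parse_rule(line):
    """Turn one rule line into a Rule; returns None for non-rule or commented-out lines."""
    toks = shlex.split(line, comments=True)   # drops '# ...' and removes quotes
    if not toks or toks[0] in NOT_A_RULE:
        return None
    r = Rule()
    i = 0
    while i < len(toks):
        t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t == "iifname" and nxt is not None:
            r.iif = nxt; i += 2
        elif t == "iif" and nxt is not None and nxt != "!=":   # 'iif != lo' is a negation, skip
            r.iif = nxt; i += 2
        elif t == "ct" and nxt == "state" and i + 2 < len(toks):
            r.ct_states = set(toks[i + 2].split(",")); i += 3
        elif t in ("tcp", "udp") and nxt == "dport" and i + 2 < len(toks):
            r.dport = f"{t}/{toks[i + 2]}"; i += 3
        elif t == "ip" and nxt == "saddr" and i + 2 < len(toks):
            r.saddr = toks[i + 2]; i += 3
        elif t == "comment" and nxt is not None:
            r.comment = nxt; i += 2
        elif t in VERDICTS:
            r.verdict = t; i += 1
        else:
            i += 1
    return r


def input_chain_rules(ruleset):
    """Extract the parsed rules between 'chain input {' and its closing brace."""
    m = re.search(r"chain input\s*\{(.*?)\n\s*\}", ruleset, re.S)
    if not m:
        return []
    return [r for r in map(parse_rule, m.group(1).splitlines()) if r is not None]


def audit_wan_accepts(ruleset, wan_if):
    """List (comment, interface, classification) for accepts reachable from wan_if.

    classification: 'replies-only' (ct state limited to established/related),
    'source-and-port-restricted', 'port-restricted', or 'unconditional'.
    Rules without an interface match ('any') apply to the WAN interface too.
    """
    findings = []
    for r in input_chain_rules(ruleset):
        if r.verdict != "accept" or r.iif not in (wan_if, None):
            continue
        if r.ct_states and not (r.ct_states - {"established", "related"}):
            cls = "replies-only"
        elif r.dport and r.saddr:
            cls = "source-and-port-restricted"
        elif r.dport:
            cls = "port-restricted"
        else:
            cls = "unconditional"
        findings.append((r.comment or "(no comment)", r.iif or "any", cls))
    return findings


if __name__ == "__main__":
    for comment, iface, cls in audit_wan_accepts(RULESET, "ppp0"):
        print(f"{cls:28} {iface:6} {comment}")
```

Run against the embedded chain with ppp0 as the WAN interface, the audit lists the replies-only rule, the interface-agnostic ICMP accept as unconditional, and three port-restricted accepts (22, 23, 443). Uncommenting the `#iifname "ppp0"` line would add an unconditional ppp0 entry, which is the kind of leftover the audit is meant to surface before a ruleset is loaded.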

Self hosted web sites for older browsers with the Raspberry Pi

The modern internet is too much for the old iPad. Secure (HTTPS) sites and the latest JavaScript features render most of the internet unusable.

The solution for this was to use self-hosted sites to make the early 2000's versions of Safari and Chrome useful again, but it could also be useful on other devices.

Keep in mind you will need a fair bit of storage for Kiwix: 53 GB for the Project Gutenberg ebooks or 78 GB for Wikipedia with no videos. There are quite a few sites available that are a lot smaller.

The following commands add a PHP repository on the Pi, enabling you to use apt to grab whatever PHP modules you need:

wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list

On the Pi Zero and Pi 1 A and B this won't work; you will need to compile PHP from source, as I couldn't find a package for the ARMv6 architecture.

I used mariadb-server-10.0 for older Ampache versions to support obsolete features, but I did have to edit a few SQL files and replace instances of TYPE= with ENGINE= to get them going.

And remember…

Do not host these on the internet. This is for internal use only, due to vulnerabilities in old software versions.

Raspberry Pi Radio

Setting up your Raspberry Pi to send music over FM can be used to play the same music in every room of the house, and even outside, at the same time, rather than through just one set of speakers, and without the latency of some WiFi-enabled products.

I chose to control what it is playing with Ampache, a web-based music player that plays via your internet browser and, in our case, sends it to MPD, a music streaming server. MPD then sends it to PiFmRds to send it over the airwaves.

This can't really be followed as a tutorial without some prior knowledge, but I thought I would give you an idea of what is involved in setting up a short-range FM radio station. If you do pop an antenna on it (which you shouldn't, for legal reasons), a 10cm wire will not reach much further than the walls of your house. With a newer radio, it can broadcast a station name and some scrolling text with your audio.

If you are using the 3.5mm headphone jack for your speakers on your Pi at the moment, you are going to have a bad time. When PiFmRds broadcasts you will hear an incredibly loud squeal from your Pi's speakers regardless of your volume, and overclocking the speed of your Pi will make it worse. So only use your HDMI audio as your normal audio output.

When you are not playing music the radio will stop transmitting, so you will hear static again; make sure you create a nice long queue of music.

Due to YouTube being a spoilsport when it comes to playing music in your videos, here is the volume turned down and the sound of... I have no idea what that sound is.

The white wires connect: red for the antenna on the right (GPIO4) and black for ground on the left (ground is not required for transmitting over the air).

This should not be your first project; it could inspire one or be picked apart, but be warned, this won't make sense to everyone.

Use the instructions at the following link to install PiFmRds:

https://github.com/ChristopheJacquet/PiFmRds

Ideally you want to type:

sudo apt install ampache mpd

but I gave up trying to get Ampache to install with apt on my Pi 4, due to a dependency issue with Raspbian at my end, so I used the next command instead and then installed the rest manually by downloading the latest version from http://ampache.org/

sudo apt install mpd apache2 mariadb-server mariadb-client php php-common php-mysql php-curl php-xml composer php-gd ffmpeg

It will ask you to set a password for MariaDB; you will need it in a second when you run the following command to turn off insecure options in the database server:

mysql_secure_installation

The web server will need AllowOverride All turned on so that Ampache can serve your music collection without you having to put it in your web server's root folder. Ampache does this with a couple of .htaccess files, so people can't download all of your music without logging in.

Put the contents of the zip file you downloaded in /var/www/html and enter your Pi's IP address into your browser to start setting it up.

Enter your database's root password and tick "Create a database user" with the bottom tickbox. Don't stress too much about the username and password for the Ampache user; you won't be using it. It is for Ampache to talk to the database behind the scenes.

At the end of the process, it will create a conf file and a couple of .htaccess files that you will need to download and put into the appropriate folders, but keep in mind you might have to rename them. For example, when downloading all of them, files like htaccess(2) will have to be renamed to .htaccess again.

Next you need to open your new Ampache site and add a localplay instance so Ampache knows how to talk to MPD. By default, MPD doesn't use a password.

Then add some music.

At this stage you could use the web player in the drop-down box, up in the top right corner, to test everything so far. When it's all running, it will transmit using localplay. You can do localplay to FM and the web player at the same time.

In MPD's configuration file (/etc/mpd.conf on Raspbian), comment out the ALSA output

and add the following at the end of your outputs (you can only have one output):

audio_output {
    type    "pipe"
    name    "PiFm"
    command "sudo sh /home/pi/piradio.sh"
    format  "44100:32:2"
}

The piradio.sh script that it runs contains one big line that pipes MPD's output as a WAV file to PiFmRds:

sox -t raw -b 32 -c 2 -r 44100 -e signed-integer - -t wav -b 32 -c 2 -r 44100 - | sudo /home/pi/PiFmRds/src/pi_fm_rds -ctl /home/pi/rds_ctl -freq 88.0 -ps RPi-Live -rt "Streaming from a Raspberry Pi" -audio -

That's it!

Streaming Digital TV with the Raspberry Pi

TVHeadend is now in the Raspbian software repo, and if you have a USB digital TV tuner (DVB-T) you can stream live TV, timeshift and record.
Before you get the pitchforks out and start with the "HaVEn'T YoU heARd AboUT CaTChUP Tv?!" on me, let me explain.

Have a shitty TV and no DVR? Sorted.

No internet? You're good.

Love Kodi or VLC? It works with them.

Someone is using the TV and someone else is choking your connection with BitTorrent? Yep, you can still watch TV.

The only other things you need to know are that the web interface is useless for streaming in the browser: a Pi 3 can only stream radio channels with it, and a Pi 4 with 4 GB of RAM can only do standard definition. Don't bother trying transcoding either. Sadly not all HD channels are rebroadcast in SD, so what you need to use it smoothly is Kodi or VLC.

The play program button in the web frontend will download an m3u file, which will open in VLC or other video players.

Kodi will integrate the TV Guide and other features too.

This probably doesn’t appeal to everyone but it can be done. The people it does appeal to probably don’t watch much TV and the remainder will be pissed that this is not a tutorial.

Raspberry Pi in the car

This project was a big one: displaying text-only GPS information on the screen in the car. The Pi has no way to use the touchscreen input, so you control it with Tasker on a smartwatch, using services from your phone. It shows your speed, GPS coordinates and the street you are on by default, but can show more with the push of a button.

I recommend NOT trying this, but the startonbt.sh code was fun, so have a look if Bluetooth and bash are your thing.

more info and code here

Raspberry Pi Answering Machine

Only get scam calls or telemarketers that don't respect the "do not call" list on your home phone?

Got a Raspberry Pi and a recent/shitty USB Modem?

This script will answer the phone, play a greeting, record a short message and let you listen to it at your leisure in a web browser.

By default it will store the message as an mp3 and play it if you have speakers attached.

There is logging and some conditions to show what you can do if you want to add touch-tone menus and run scripts.

This script was made for the fish, but the motor movements have been removed in the link.

more details and the files can be found here soon
