Category Archives: linux

PORTAL for Debian

Rockstar hacker and OPSEC aficionado, the grugq, has detailed how to set up a Raspberry Pi as a transparent Tor proxy of sorts. This has a number of advantages over using something like the Tor Browser Bundle or manually pointing your applications at Tor. The main advantage is that it limits your ability to misconfigure an application such that it leaks information or, worse, isn’t actually using Tor at all. By setting up a dedicated captive Tor portal, you can be fairly certain that all TCP traffic is going through Tor. All UDP traffic destined for port 53 (DNS) is redirected to the Tor daemon, and everything else is dropped.

His instructions are here:  https://github.com/grugq/PORTALofPi. My instructions are basically verbatim from his build.sh script.

The instructions below use vanilla Debian 7 x86 on an old netbook. The only extra hardware I used is a USB Ethernet adapter (e.g. a MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter). If you’re clever, you could use the internal wifi card to set up a WAP for the captive portal.


April 6, 2014 Update:
@asshurtACKFlags has some instructions that use a Raspberry Pi and Raspbian.

https://github.com/asshurtmacfags/PORTALofRaspian


March 3, 2014 Update:
There may be an issue when trying to access .onion addresses. Details and a fix are here: https://github.com/grugq/PORTALofPi/issues/16. I cannot replicate the issue; e.g. accessing DDG via the .onion address http://3g2upl4pq6kufc4m.onion/ works on the configuration documented below.

There is also a similar project here: http://learn.adafruit.com/onion-pi/overview. It also uses a Raspberry Pi.

Step 1: Setup the interfaces

eth0: The internets, however you get it. I’d recommend a non-NAT’d IP.
eth1: This is the private captive network. You can put a wireless access point on this network so you can use a tablet.

Edit /etc/network/interfaces

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
  # Uncomment the line below once you have the network working and tor configured
  # pre-up iptables-restore < /etc/network/iptables.tor.rules
  address 172.16.0.1
  network 172.16.0.0
  netmask 255.255.255.0

Step 2: Install Tor and dnsmasq (for dhcp)

apt-get install tor dnsmasq

Step 3:  Configure Tor

This sets up Tor as a transparent proxy.

cp /etc/tor/torrc /etc/tor/torrc.backup
cat > /etc/tor/torrc << __TORRC__
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
DataDirectory /var/lib/tor
SocksPort 9050
SocksBindAddress 127.0.0.1
SocksBindAddress 172.16.0.1:9050
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 9053
DNSListenAddress 172.16.0.1
__TORRC__

Step 4: Configure dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
cat > /etc/dnsmasq.conf << __DNSMASQ__
bogus-priv
filterwin2k
interface=eth1
bind-interfaces
dhcp-range=172.16.0.50,172.16.0.150,12h
__DNSMASQ__

Step 5: Setup IP tables

cat > /etc/network/iptables.tor.rules << __IPTABLES__
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
# The rule below allows SSH access on the external interface, delete this if you don't want that.
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
__IPTABLES__

**** Go and uncomment the pre-up rule in /etc/network/interfaces ****

Step 6: Reboot and plug something into eth1
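As an added check that is not part of the post or grugq’s build.sh: a small POSIX shell audit that reads the rules file from Step 5 (or the output of iptables-save) and confirms the properties the captive portal relies on, so a later edit cannot quietly open a leak. The sample rules embedded at the bottom are a trimmed copy of Step 5, constructed for the stand-alone demo.

```shell
#!/bin/sh
# Added audit script (not from the post or grugq's build.sh): checks that an
# iptables-restore file (or `iptables-save` output) still has the properties the
# captive portal depends on, so a later edit cannot quietly open a leak.

has_rule() { grep -Eq -- "$2" "$1"; }   # 0 if file $1 has a line matching ERE $2

# Prints one FAIL line per missing property; returns 0 only if every check passes.
audit_portal_rules() {
    f="$1"; rc=0
    # 1. Every new TCP connection arriving from the private side goes to TransPort 9040.
    has_rule "$f" '^-A PREROUTING -i eth1 -p tcp .*--tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040' \
        || { echo "FAIL: TCP SYN from eth1 is not redirected to 9040"; rc=1; }
    # 2. DNS from the private side goes to Tor's DNSPort, never to a clearnet resolver.
    has_rule "$f" '^-A PREROUTING -i eth1 -p udp .*--dport 53 -j REDIRECT --to-ports 9053' \
        || { echo "FAIL: UDP/53 from eth1 is not redirected to 9053"; rc=1; }
    # 3. The box must not route: FORWARD DROP is what drops non-TCP, non-DNS traffic.
    has_rule "$f" '^:FORWARD DROP' \
        || { echo "FAIL: FORWARD policy is not DROP"; rc=1; }
    has_rule "$f" '^-A FORWARD .*-j ACCEPT' \
        && { echo "FAIL: a FORWARD ACCEPT rule bypasses Tor"; rc=1; }
    # 4. The private side may only reach the portal's own Tor ports and DHCP.
    grep -E '^-A INPUT -i eth1 .*-j ACCEPT' "$f" | grep -Ev -- '--dport (9050|9040|9053|67) ' \
        | grep -q . && { echo "FAIL: eth1 may reach an unexpected local port"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: rules in $f look leak-tight"; fi
    return "$rc"
}

# Constructed sample: the Step 5 rules, trimmed to the lines the checks look at.
write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
EOF
}

if [ $# -gt 0 ]; then audit_portal_rules "$1"
else t=$(mktemp); write_sample_rules "$t"; audit_portal_rules "$t"; rm -f "$t"; fi
```

Run it as "sh audit.sh /etc/network/iptables.tor.rules" on the portal, or pipe "iptables-save" into a file first to audit the rules actually loaded rather than the file on disk.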

Mounting an encrypted LVM volume in Ubuntu

For whatever reason, finding simple instructions on mounting an encrypted LVM volume with Ubuntu is hard. Setting up encryption at install time and then unlocking the volume at boot time is very simple and transparent. If you take the hard drive out and attempt to mount on another machine, it isn’t so simple (or maybe I’m just doing this wrong).

1. Run fdisk and make sure you can see the partitions. In my case the drive showed up as sdd.

# fdisk -l /dev/sdd
Disk /dev/sdd: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000a29e1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1   *        2048      499711      248832   83  Linux
/dev/sdd2          501758   488396799   243947521    5  Extended
/dev/sdd5          501760   488396799   243947520   83  Linux

In a typical Ubuntu installation, the /dev/sdx5 partition is what you want to mount.

2. Run cryptsetup to unlock the volume

# cryptsetup luksOpen /dev/sdd5 olddrive
Enter passphrase for /dev/sdd5:

3. vgscan will show you the volume groups contained in the encrypted volume.

# vgscan
Reading all physical volumes. This may take a while...
Found volume group "dt" using metadata type lvm2

The volume group names you find will likely match your hostname (e.g. johns-laptop).

4. Activate the volumes and mount the old root.

# vgchange -a y
2 logical volume(s) in volume group "dt" now active
# lvscan
ACTIVE '/dev/dt/root' [224.76 GiB] inherit
ACTIVE '/dev/dt/swap_1' [7.88 GiB] inherit
# mkdir /media/olddrive; mount /dev/dt/root /media/olddrive

5. Your old root volume is now available at /media/olddrive.

What’s going on here? Maybe this helps?

# lsblk
[...]
sdd                      8:48   0 232.9G  0 disk
├─sdd1                   8:49   0   243M  0 part
├─sdd2                   8:50   0     1K  0 part
└─sdd5                   8:53   0 232.7G  0 part
  └─olddrive (dm-1)    252:1    0 232.7G  0 crypt
    ├─dt-root (dm-2)   252:2    0 224.8G  0 lvm
    └─dt-swap_1 (dm-3) 252:3    0   7.9G  0 lvm

All done? Unmount.

# umount /media/olddrive
# vgchange -a n dt
0 logical volume(s) in volume group "dt" now active

At this point you should be able to do the following.

# cryptsetup luksClose olddrive

… however I seem to have run into a bug that reports the device is busy.

MP3 streaming with MPD in Ubuntu 10.04

Nov 13, 2010 update: 0.16 alpha3 build
mpd_0.16~alpha3+git20101108.46ab8d1-0ubuntu1~ripps1~lucid_i386.deb

I have not tested this build! My mpd box is now on 10.10 and I haven’t rebuilt mpd for it yet.

Sept 11, 2010 update: 0.16 alpha2 build
mpd_0.16~alpha2+git20100803.68c02fc-0ubuntu1~ripps1~lucid_i386.deb

June 13, 2010 update: an updated build mpd_0.15.10+git20100608.53f08a9-0ubuntu1~ripps1~lucid_i386.deb

As of mpd 0.15, there is built-in support for HTTP streaming as an output. Rather than using Icecast, mpd does the streaming itself. By default 10.04 uses mpd 0.15.4; however, I had problems getting the built-in HTTP streaming to work. Also, the build included in the repository does not have LAME support, so it could not stream MP3, only Ogg Vorbis or possibly FLAC, which many players don’t support. For example, I’m using a Roku Soundbridge, which does not decode Ogg.

I figured a recompile was in order. The first thing I did was add the mpd trunk PPA to /etc/apt/sources.list

deb http://ppa.launchpad.net/gmpc-trunk/mpd-trunk/ubuntu lucid main
deb-src http://ppa.launchpad.net/gmpc-trunk/mpd-trunk/ubuntu lucid main

After that, I downloaded the source deb, modified debian/rules and changed DEB_CONFIGURE_USER_FLAGS to include --enable-lame-encoder.

DEB_CONFIGURE_USER_FLAGS += $(WITH_TREMOR) --enable-sqlite --enable-un   
--enable-ao --enable-openal --enable-wildmidi --enable-sndfile --enable-pipe-output --enable-lame-encoder

A rebuild required about 800MB of dependencies. The result is the latest version of mpd with built in support for mp3 streaming.

You can grab my .deb here: mpd_0.15.9+git20100520.8945736-0ubuntu1~ripps1~lucid_i386.deb

My mpd.conf has an output section that looks like this:

audio_output {
        type        "httpd"
        name        "mpd stream"
        port        "8080"
        bitrate     "192"
        format      "44100:16:1"
        encoder     "lame"
}

To get your device or player to stream properly, you may have to give it a playlist file. This can be hosted on any web server or can even be a local file.

mpd.pls:

[playlist]
NumberOfEntries=1
File1=http://myhost:8080/