Introduction: Pi Shield
What it does: once setup, your Pi will broadcast a WiFi network. Any devices, such as phone/tablet/laptop, that connects to this WiFi will be shielded from inappropriate content. You can customize what will be filtered out based on banned site name, banned words, banned extension. The Pi will also enforce safe-search on Google and YouTube.
===> kid-friendly surfing
What we'll need:
- Raspberry Pi with usual SD card and power supply
- USB wifi dongle with Access Point (AP) functionality, consider one with external antenna to get longer range
What we'll do:
- Install the required packages on a fresh image
- Set up the Access Point
- Set up the Web Filtering: force Google SafeSearch
- Set up the Web Filtering: block Blacklisted sites
Optional: Automatic Installation Script
If you are more interested by the end result than the way to get there and you're eager to fire it up, just download this Automatic Installation Script.
- load a fresh Raspbian image on your SD card and connect to it through SSH
- download the script with: wget http://www.fasyl.com/rpi/bake_PiShield.sh
- make the file executable: chmod +x bake_PiShield.sh
- run the script with root privilege: sudo ./bake_PiShield.sh
- input the name, password and sub-network parameters when prompted
- you should now have the Pi broadcasting a new wifi network to which you can connect with your laptop, cell phone, tablet, etc. Any device connected to the wifi network will enjoy web-browsing shielded from 'adult' content.
Should you run into any trouble, drop a line in the comments below.
Step 1: Install Packages on a Fresh Image
When starting this project, I wanted a solution that will
- ban access to blacklisted sites
- enforce safe search on Google and Youtube
- not require any set-up on the end-user device
There are many options out there but I could not find one meeting all these criteria.
The sketch above outlines the typical network configuration for this project. The PiShield is wired to your router and acts as wifi access-point. Any devices connected to this wifi network will be shielded. Other devices connected directly to the router will not. Once connected to the PiShield wifi, there is no need for specific configuration on the laptop/table/phone; they will be protected right away. This means that visiting friends will also enjoy protection transparently.
Let's get into it. Grab an SD card and install your favorite image. The info in this post were based on a Raspbian-based distribution but should work on other with some tuning.
I picked the Raspian Jessie Lite as there is no need for a desktop environment on this project.
You may want to change the default password and expand the SD card before we install the required packages at the command prompt:
sudo apt-get install hostapd dnsmasq iptables squid3 dansguardian
hostapd is the daemon that will handle the wireless Access Point (ie allow devices to connect to your Pi through wifi)
dnsmasq and iptables will allow routign of the web traffic so that the devices can reach the Internet through your Pi
squid3 and dansguardian will filter out any web content unsafe for young eyes
Step 2: Set Up the Access Point
Consider getting a wifi dongle with an external antenna so that you get better range for your wifi network.
I am running a TP-LINK TL-WN722N. Works like a charm.
Please going any further, run two checks on your wifi dongle:
/!\ : ensure that your wifi dongle offers Access Point. Some do not.
To check this run iw list | grep -A 8 modes:at the command line. If AP does not show up in the supported modes, you are out of luck and will need another dongle.
/!\: ensure that your wifi dongle runs on a 80211 driver.
To check this run dmesg | grep -i 80211 at the command line. If nothing shows up, you are on your own... There is still hope but you will probably need to download other version of hostapd; this tutorial may help.
OK, let's fire up the wifi. To do so, we need to edit these files:
- in /etc/default/hostapd, type:
- in /etc/hostapd/hostapd.conf, type:
- in /etc/network/interfaces, type:
auto lo iface
lo inet loopback
inet manual auto wlan0
iface wlan0 inet static
up iptables-restore < /etc/iptables.ipv4.nat
- in /etc/dnsmasq.conf, type:
Of course, change the ssid (wifi network name) and passphrase (password) from /etc/hostapd/hostapd.conf to your liking.
At this point, if you restart hostapd with sudo service hostapd restart; sudo service dnsmasq restart, you should see the newly created wifi, connect to it and get an IP... but not yet be able to access the Internet.
To get to the Web, we need to route the traffic between the wired and wireless networks. To do so:
- in /etc/sysctl.conf, add:
- at the command line, run:
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -j ACCEPT
iptables-save > /etc/iptables.ipv4.nat
Alright! Open a browser from your phone/tablet and you should now be able to access the Web :)
Step 3: Set Up the Web Filtering: Force Google SafeSearch
Now that we can access the web, let's filter it to make it kids friendly.
First, we will enforce Google Safe Search by re-routing any Google and YouTube search to the forcesafesearch server per this tip from Google.
We simply need to go back to /etc/dnsmasq.conf and add:
Then restart the daemon at the comand line: sudo service dnsmasq restart
You should add the google and youtube extension for your country. Note that search directed to other google domains will not be filtered.
Step 4: Set Up the Web Filtering: Block Blacklisted Sites and Offensive Content
In our second step to filtering out inappropriate web content, we will rely on the great software DansGuardian.
This software will let you ban visit to pages based on site name (blacklist) and site content (weighted phrase).
This means that it not only locks out site like other blacklist system but also analyzes the actual text on the page, each inadequate words gets assign a score and if the total score is too high, the page gets banned.
DansGuardian comes with blacklist filtering capability but no blacklist. This can easily be added by downloading from free repositories. They are several alternatives out there. We will use the one maintained by University de Toulouse:
- download the blacklist with:
- extract the blacklists with:
sudo tar -C "/etc/dansguardian/list" -zxf blacklists.tar.gz
Now have a look at the blacklist content with ls /etc/dansguardian/lists. The banned sites are grouped by "theme": adult content, gambling, etc. Note down the names of the ones you would like to enable.
DansGuardian allows a lot of customization; here are the key configurations to set:
- comment out UNCONFIGURED in /etc/dansguardian/dansguardian.conf by adding a # in front:
#UNCONFIGURED - Please remove this line after configuration
- add blacklist filtering for the lists you selected by uncommenting them in /etc/dansguardian/lists/bannedsitelist: eg, to filter out adult content, remove the # on the line with /etc/dansguardian/lists/blacklists/adult/domains
- remove the content filtering based on Japanese and Chinese language as these can get confused and filter out non Asian sites. In /etc/dansguardian/lists/weightedphraselist, add a # in front of the lines with japanese and chinese.
- remove the filtering based on extensions as this will ban access to any .mp3 or .avi. In /etc/dansguardian/lists/bannedmimetypelist and /etc/dansguardian/lists/bannedextensionlist, add a # in front of the lines you whish to allow
- reload DansGuardian by running at the command line: sudo dansguardian -r
There is much more to customize in DansGuardian; for example, you can customize the page displayed when ones try to access a rejected page, you can filter extension types or filter with regex. Plenty of useful info can be found on:
Step 5: Enjoy a Clean Web
That was a rather long process but we are set. You should now have your Pi offering an Internet wifi access that will protect kids and grown-ups from 'bad' content.
Let's take it on a test drive ! Connect to the Pi's wifi and open your browser to visit:
- wikipedia: access granted, surfing as ususal
- google: access granted, search results will point you to safe content; for example, the first hits on tits will point you to birds, while image results will be reasonable naked.
- youtube: access granted, search results will indicate that access to some content has been banned by the administrator.
- tits.com or other site mentioned on one of the enabled blacklist: access banned
I hope you found this useful. If so, drop a quick line at: http://fasyl.com/rpi/pilog/PiLog.php