Introduction: Pi Shield

What it does: once set up, your Pi will broadcast a WiFi network. Any device (phone, tablet, laptop) that connects to this WiFi will be shielded from inappropriate content. You can customize what is filtered out based on banned site names, banned words and banned extensions. The Pi will also enforce safe search on Google and YouTube.
===> kid-friendly surfing

What we'll need:

  • Raspberry Pi with usual SD card and power supply
  • USB wifi dongle with Access Point (AP) functionality, consider one with external antenna to get longer range

What we'll do:

  • Install the required packages on a fresh image
  • Set up the Access Point
  • Set up the Web Filtering: force Google SafeSearch
  • Set up the Web Filtering: block Blacklisted sites

Optional: Automatic Installation Script
If you are more interested in the end result than in the way to get there and you're eager to fire it up, just download this Automatic Installation Script.

  1. load a fresh Raspbian image on your SD card and connect to it through SSH
  2. download the script with: wget http://www.fasyl.com/rpi/bake_PiShield.sh
  3. make the file executable: chmod +x bake_PiShield.sh
  4. run the script with root privilege: sudo ./bake_PiShield.sh
  5. input the name, password and sub-network parameters when prompted
  6. you should now have the Pi broadcasting a new wifi network to which you can connect with your laptop, cell phone, tablet, etc. Any device connected to the wifi network will enjoy web-browsing shielded from 'adult' content.

Should you run into any trouble, drop a line in the comments below.

Step 1: Install Packages on a Fresh Image

When starting this project, I wanted a solution that will

  1. ban access to blacklisted sites
  2. enforce safe search on Google and Youtube
  3. not require any set-up on the end-user device

There are many options out there but I could not find one meeting all these criteria.

The sketch above outlines the typical network configuration for this project. The PiShield is wired to your router and acts as a wifi access point. Any device connected to this wifi network will be shielded. Other devices connected directly to the router will not. Once connected to the PiShield wifi, there is no need for specific configuration on the laptop/tablet/phone; they will be protected right away. This means that visiting friends will also enjoy protection transparently.

Let's get into it. Grab an SD card and install your favorite image. The information in this post is based on a Raspbian-based distribution but should work on others with some tuning.

I picked Raspbian Jessie Lite as there is no need for a desktop environment on this project.

You may want to change the default password and expand the SD card before we install the required packages at the command prompt:

sudo apt-get install hostapd dnsmasq iptables squid3 dansguardian

hostapd is the daemon that will handle the wireless Access Point (ie allow devices to connect to your Pi through wifi)
dnsmasq and iptables will allow routing of the web traffic so that the devices can reach the Internet through your Pi
squid3 and dansguardian will filter out any web content unsafe for young eyes

Step 2: Set Up the Access Point

Consider getting a wifi dongle with an external antenna so that you get better range for your wifi network.
I am running a TP-LINK TL-WN722N. Works like a charm.

Before going any further, run two checks on your wifi dongle:

/!\ : ensure that your wifi dongle offers Access Point mode. Some do not.
To check this, run iw list | grep -A 8 modes: at the command line. If AP does not show up in the supported modes, you are out of luck and will need another dongle.

/!\ : ensure that your wifi dongle runs on an 80211 driver.
To check this, run dmesg | grep -i 80211 at the command line. If nothing shows up, you are on your own... There is still hope but you will probably need to download another version of hostapd; this tutorial may help.

OK, let's fire up the wifi. To do so, we need to edit these files:

  1. in /etc/default/hostapd, type:
    DAEMON_CONF='/etc/hostapd/hostapd.conf'
  2. in /etc/hostapd/hostapd.conf, type:
    interface=wlan0
    driver=nl80211
    ssid=PiShield
    hw_mode=g
    channel=8
    wpa=2
    wpa_passphrase=PiShield123
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    beacon_int=100
    auth_algs=3
    wmm_enabled=1
  3. in /etc/network/interfaces, type:
    source-directory /etc/network/interfaces.d
    auto lo
    iface lo inet loopback
    iface eth0 inet manual
    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        up iptables-restore < /etc/iptables.ipv4.nat
  4. in /etc/dnsmasq.conf, type:
    interface=wlan0
    dhcp-range=wlan0,192.168.0.2,192.168.0.9,255.255.255.0,12h
    dhcp-option=3,192.168.0.1

Of course, change the ssid (wifi network name) and passphrase (password) from /etc/hostapd/hostapd.conf to your liking.

At this point, if you restart hostapd with sudo service hostapd restart; sudo service dnsmasq restart, you should see the newly created wifi, connect to it and get an IP... but not yet be able to access the Internet.

To get to the Web, we need to route the traffic between the wired and wireless networks. To do so:

  1. in /etc/sysctl.conf, add:
    net.ipv4.ip_forward=1
  2. at the command line, run:
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i wlan0 -j ACCEPT
    iptables -A OUTPUT -o wlan0 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -j ACCEPT
    iptables-save > /etc/iptables.ipv4.nat
    sysctl -p

Alright! Open a browser from your phone/tablet and you should now be able to access the Web :)

Step 3: Set Up the Web Filtering: Force Google SafeSearch

Now that we can access the web, let's filter it to make it kids friendly.

First, we will enforce Google Safe Search by re-routing any Google and YouTube search to the forcesafesearch server per this tip from Google.

We simply need to go back to /etc/dnsmasq.conf and add:

address=/google.com/216.239.38.120
address=/google.no/216.239.38.120
address=/google.fr/216.239.38.120
address=/google.co.uk/216.239.38.120
address=/google.my/216.239.38.120
address=/google.be/216.239.38.120
address=/youtube.com/216.239.38.120
address=/youtube.no/216.239.38.120
address=/youtube.fr/216.239.38.120
address=/youtube.co.uk/216.239.38.120
address=/youtube.my/216.239.38.120
address=/youtube.be/216.239.38.120

Then restart the daemon at the command line: sudo service dnsmasq restart

You should add the Google and YouTube extensions for your country. Note that searches directed to other Google domains will not be filtered.
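To see which hostnames the rules above actually cover, here is a small checker (an added example, not part of the original post or of dnsmasq). It models dnsmasq's behaviour that an address=/domain/ip entry answers for the domain and all of its subdomains; the sample configuration and the tested hostnames are constructed, and only single-domain address= lines are handled.

```shell
#!/bin/sh
# Added example: report whether a hostname would be answered by an
# address=/domain/ip rule. dnsmasq applies such a rule to the domain
# itself and to every subdomain of it.

# Constructed sample: a subset of the rules from this step.
SAMPLE_CONF='# safe search
address=/google.com/216.239.38.120
address=/google.fr/216.239.38.120
address=/youtube.com/216.239.38.120
interface=wlan0'

# covered_by CONF_TEXT HOSTNAME
# Prints "domain ip" of the most specific matching rule; returns 1 if none.
covered_by() {
    printf '%s\n' "$1" | awk -F/ -v host="$2" '
        BEGIN { host = tolower(host); sub(/\.$/, "", host) }
        /^address=\// {
            dom = tolower($2); ip = $3
            hl = length(host); dl = length(dom)
            if (dom == "" || dl > hl) next
            # Match on a label boundary: exact, or host ends in "." dom
            if (host == dom || substr(host, hl - dl) == "." dom) {
                if (dl > best) { best = dl; out = dom " " ip }
            }
        }
        END { if (!best) exit 1; print out }'
}

# audit CONF_TEXT HOST... : one line per host, COVERED or UNFILTERED
audit() {
    conf=$1; shift
    for h in "$@"; do
        if rule=$(covered_by "$conf" "$h"); then
            echo "COVERED     $h -> $rule"
        else
            echo "UNFILTERED  $h"
        fi
    done
}

# Constructed hostnames: two covered, two not.
audit "$SAMPLE_CONF" www.google.com www.google.de m.youtube.com notgoogle.com
```

Point it at the real file with audit "$(cat /etc/dnsmasq.conf)" followed by the hostnames you care about. Because the match includes every subdomain, names such as mail.google.com are answered with the same address as www.google.com.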

Step 4: Set Up the Web Filtering: Block Blacklisted Sites and Offensive Content

In our second step to filter out inappropriate web content, we will rely on the great software DansGuardian.
This software lets you ban visits to pages based on site name (blacklist) and site content (weighted phrases).
This means that it not only locks out sites like other blacklist systems but also analyzes the actual text on the page: each inappropriate word gets assigned a score and if the total score is too high, the page gets banned.
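The weighted-phrase scoring described above, as a simplified model (an added example, not DansGuardian's own code and not part of the original post). The phrase list, the weights and the threshold are constructed, and each list line is assumed to count at most once per page.

```shell
#!/bin/sh
# Added example: simplified model of weighted-phrase scoring.
# Each list line is <phrase><weight>; <a>,<b><weight> scores only when
# every phrase is present. Negative weights lower the total.

# Constructed sample list and threshold (not DansGuardian's shipped values).
SAMPLE_PHRASES='# constructed sample
<casino><40>
<poker><30>
<jackpot>,<bonus><50>
<addiction help><-60>'
LIMIT=100

# page_score LIST_TEXT PAGE_TEXT -> prints the summed weight
page_score() {
    printf '%s\n' "$1" | PAGE="$2" awk '
        BEGIN { page = tolower(ENVIRON["PAGE"]); total = 0 }
        /^</ {
            # Splitting on < and > leaves phrases and weight at even indexes.
            n = split($0, part, /[<>]/)
            last = (n % 2) ? n - 1 : n        # index of the weight
            hit = 1
            for (i = 2; i < last; i += 2)
                if (index(page, tolower(part[i])) == 0) hit = 0
            if (hit && last >= 4) total += part[last]
        }
        END { print total }'
}

# verdict LIST_TEXT PAGE_TEXT -> "BLOCK <score>" or "ALLOW <score>"
verdict() {
    s=$(page_score "$1" "$2")
    if [ "$s" -gt "$LIMIT" ]; then echo "BLOCK $s"; else echo "ALLOW $s"; fi
}

# Constructed page texts: the first exceeds the limit, the second is
# pulled back under it by the negative weight.
verdict "$SAMPLE_PHRASES" "Win the jackpot with our casino bonus and poker nights"
verdict "$SAMPLE_PHRASES" "Addiction help for casino and poker players"
```

Phrases are matched as plain substrings here, which is why a page can be pushed over the limit by words that merely contain a listed phrase; negative weights on phrases typical of legitimate pages are the usual counterbalance.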

DansGuardian comes with blacklist filtering capability but no blacklist. One can easily be added by downloading it from free repositories. There are several alternatives out there. We will use the one maintained by University de Toulouse:

  1. download the blacklist with:
    wget http://cri.univ-tlse1.fr/blacklists/download/blac...
  2. extract the blacklists with:
    sudo tar -C "/etc/dansguardian/lists" -zxf blacklists.tar.gz

Now have a look at the blacklist content with ls /etc/dansguardian/lists. The banned sites are grouped by "theme": adult content, gambling, etc. Note down the names of the ones you would like to enable.

DansGuardian allows a lot of customization; here are the key configurations to set:

  1. comment out UNCONFIGURED in /etc/dansguardian/dansguardian.conf by adding a # in front:
    #UNCONFIGURED - Please remove this line after configuration
  2. add blacklist filtering for the lists you selected by uncommenting them in /etc/dansguardian/lists/bannedsitelist: eg, to filter out adult content, remove the # on the line with /etc/dansguardian/lists/blacklists/adult/domains
  3. remove the content filtering based on Japanese and Chinese language as these can get confused and filter out non Asian sites. In /etc/dansguardian/lists/weightedphraselist, add a # in front of the lines with japanese and chinese.
  4. remove the filtering based on extensions as this will ban access to any .mp3 or .avi. In /etc/dansguardian/lists/bannedmimetypelist and /etc/dansguardian/lists/bannedextensionlist, add a # in front of the lines you wish to allow
  5. reload DansGuardian by running at the command line: sudo dansguardian -r

There is much more to customize in DansGuardian; for example, you can customize the page displayed when someone tries to access a rejected page, you can filter extension types or filter with regex. Plenty of useful info can be found on:

Step 5: Enjoy a Clean Web

That was a rather long process but we are set. You should now have your Pi offering an Internet wifi access that will protect kids and grown-ups from 'bad' content.

Let's take it on a test drive ! Connect to the Pi's wifi and open your browser to visit:

  • wikipedia: access granted, surfing as usual
  • google: access granted, search results will point you to safe content; for example, the first hits on tits will point you to birds, while image results will be reasonably naked.
  • youtube: access granted, search results will indicate that access to some content has been banned by the administrator.
  • tits.com or another site mentioned on one of the enabled blacklists: access banned

I hope you found this useful. If so, drop a quick line at: http://fasyl.com/rpi/pilog/PiLog.php

Comments

FabGui (author) made it! 2016-03-24

Effective web filtering, very stable operation, great WiFi range and quite compact !

derrickisonline, in reply to FabGui, 2017-07-25

This is great! Just what I was looking for. I want my girls to have their own AP that's filtered. The only problem is my wireless clients don't seem to pick up an IP from the DHCP server. I keep getting a 169.x.x.x.x. Any ideas on why DHCP isn't handing out the 172.35.35.x IP range I set? Also, I'm using a Raspberry Pi 2 for this, is that an issue? Also, the part of your script that checks to see if I'm using an adapter that supports AP mode iw list | grep -A 8 gives iw: command not found so I commented that out so the install would finish. I ran that command from the cmd prompt as well to ensure the script wasn't the issue same thing. Could that be related to the DHCP issue I'm having?


Nevermind, I went ahead and installed isc-dhcp-server and all is good now. This is wonderful!!


Oh and of course thank you!

si2009, 2017-02-01

It just works. Thanks for a great script.

EdwardS29, 2016-04-11

This is even simpler if you are using the Raspberry Pi 3 - its onboard WiFi is inherently Access-point capable.

Tat-CheeW, in reply to EdwardS29, 2016-11-08

Does anyone have information regarding the RF range of the built-in RPi3 WiFi module?

edwinkort, 2016-03-27

thanks. I even like it that you made an auto install script for us people that are not that techy
