Tutorial: using a Pi as a firewall and reverse proxy

I just saw a friend say his NAS had been hijacked by a hacker and its disk encrypted. The very same unfortunate thing happened to me back in October 2019. So, having learned the hard way, I will share my setup for everyone to use as a reference: a simple Pi, or any Linux-based appliance, acting as a firewall + reverse proxy to reduce the risk.


First, let's talk about what people usually get wrong. In most cases the mistake is going for convenience and assuming the NAS is clever and secure enough on its own, then putting the NAS straight into the DMZ. That is simply the dumbest setup there is, but I was that dumb myself.

Relatively speaking, this is safer: put only the appliance (i.e. the Pi) in the DMZ, and keep everything else back inside the intranet.

Let me show you my toy first. The appliance I am playing with this time is the NanoPi NEO2 Black; the spec is roughly as follows:

CPU: Allwinner H5, Quad-core 64-bit high-performance Cortex A53
DDR3 RAM: 1024MB
Connectivity: 10/100/1000M Ethernet, RTL8211E-VB-CG chip
USB Host: USB Type A x 1 and USB pin header x 2
MicroSD Slot: MicroSD x 1 for system boot and storage
LED: Power LED x 1, System LED(Blue) x 1
GPIO1: 2.54mm pitch 24 pin-header, compatible with Raspberry Pi's GPIO pin1 - pin 24. It includes UART, SPI, I2C, IO etc
GPIO2: 2.54mm pitch 12 pin-header. It includes USB, IR receiver, I2S, IO etc
Serial Debug Port: 2.54mm pitch 4pin-header
Audio In/Out: 2.0mm pitch 4 pin-header
PCB Dimension: 40 x 40mm
MicroUSB: Power input(5V/2A) and OTG

Since this is a tutorial, I wiped the image I had been using and will start from square one with you.
Step 1 – Install OS
This step is roughly the same for every Linux: download the image from the repository and flash it onto the SD card, and that's it. Once the OS is flashed, just power the board on and the OS will boot; DHCP will hand it an IP.

Step 2 – SSH into the OS
Because this appliance has no HDMI/VGA output, the simplest way is to plug in the LAN cable and scan for its IP with Angry IP Scanner.
Once you find the right IP, just ssh straight in (I use the most primitive tool, PuTTY).

Step 3 – Update and upgrade the kernel and packages

apt-get update -y
apt-get upgrade -y

Step 4 – Install ufw
ufw is the firewall on Linux; I'll show you how to use it further below. For now just do the installation.

apt-get install ufw

Step 5 – Install nginx
nginx is an alternative to Apache; it has already appeared in another tutorial of mine. Again, I'll show you how to use it further below; for now just do the installation.

apt-get install nginx

Step 6 – Sync the system clock
If your appliance has no RTC, add the following line to /etc/crontab and it will keep the clock in sync with the outside world for you:

## sync clock from google
45 *    * * *   root date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
## sync clock from google

And if you only want to sync the clock once, just run this directly:

date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
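As an added example (not code from the original post), here is the same Google Date-header trick wrapped in shell functions: the parser picks the Date: line by name rather than by column position, so it does not depend on wget's two-space indentation, and the sync function refuses to call date -s when no usable header came back (the one-liner above would otherwise run date -s "Z" and fail). The function names and the sample header text are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of what `wget -S` prints (for offline testing only).
SAMPLE_HEADERS='  HTTP/1.1 301 Moved Permanently
  Location: http://www.google.com/
  Date: Tue, 10 Mar 2020 12:34:56 GMT
  Content-Type: text/html; charset=UTF-8'

# Turn `wget -S` server-response text into a string `date -s` accepts.
# Input: the response text as $1. We keep the first Date: line, strip the
# header name and the weekday, and replace GMT with a Z suffix, giving
# e.g. "10 Mar 2020 12:34:56Z". Empty output means no Date header was found.
parse_http_date() {
    printf '%s\n' "$1" \
      | grep -i '^ *Date:' | head -n 1 \
      | sed -E 's/^ *[Dd][Aa][Tt][Ee]: *[A-Za-z]+, *//; s/ *GMT *$/Z/'
}

# Fetch headers from google.com with redirects disabled (as the crontab line
# does), parse the Date header, validate it with `date -d`, and only then set
# the clock. Returns 1 without touching the clock if nothing usable came back.
sync_clock_from_google() {
    hdrs=$(wget -qSO- --max-redirect=0 google.com 2>&1) || true  # 301 is expected
    when=$(parse_http_date "$hdrs")
    if [ -z "$when" ] || ! date -d "$when" >/dev/null 2>&1; then
        echo "sync_clock_from_google: no usable Date header" >&2
        return 1
    fi
    date -s "$when"
}
```

The Date header has one-second resolution and is fetched over plain HTTP, so treat this as a coarse fallback for boards without an RTC, not a substitute for NTP.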

Once you have done all of the above, your appliance is basically up and running.

Author: Adrian

Just a fxxking moron who see bad money drives out good!
