In the last months I've been using pi-hole to block ads/trackers/etc, here's a guide based on the official document and examples found on different sites/blogs.
I'm using a Raspberry Pi 2 Model B along with raspbian
- Download/install/configure pi-hole
# curl -sSL https://install.pi-hole.net | bash
The installation script runs and you'll be shown the following: "This installer will transform your device into a network-wide ad blocker! "
The next step requires you to provide the DNS upstream servers, consider using the Cloudfare DNS servers 1.1.1.1 and 1.0.0.1 or the DNS server you want.
The installation is done and you should get the message:
Installation Complete!
The next steps depends on your home network configuration, on your router find the section where you set the DNS server and use the ip address that you configured for pi-hole.
Now, open your favorite web browser and point it to the ip address assigned to the host where you are doing this configuration adding /admin at the end.
You'll be at the main dashboard of pi-hole and you can see the stats/settings/logs, add more lists.
I didn't give more details about the installation of pi-hole 'cause those are well covered by the documentation provided by the team developing pi-hole, what I didn't found was a section explaining how to add a little more security using a firewall.
- Configure a firewall.
This section is about how to make iptable configurations to load on every reboot.
If you want to know about building proper rules, please do your own research.
I use iptables but you might want to use ufw or any other option available to configure your own firewall, some steps to take before going further:
# apt-get dist-upgrade
# apt-get update
# apt-get update
Then I installed iptables-persistent package with apt-get command:
# apt-get install iptables-persistent
On the menu, selected Yes for the rules.v4 file. The second choice was rule.v6 and IPv6 support, configure them based on your network configuration.
Then, edit the file rules.v4
# vi /etc/iptables/rules.v4
Now you can see the existing iptables configuration, no rules are setup yet, it is completely empty:
# Generated by iptables-save v1.6.0 on Mon Apr 29 03:27:41 2019
*filter
:INPUT ACCEPT [5897:7430402]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1767:169364]
COMMIT
# Completed on Mon Apr 29 03:27:41 2019
Now you can see the existing iptables configuration, no rules are setup yet, it is completely empty:
# Generated by iptables-save v1.6.0 on Mon Apr 29 03:27:41 2019
*filter
:INPUT ACCEPT [5897:7430402]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1767:169364]
COMMIT
# Completed on Mon Apr 29 03:27:41 2019
You can start building your iptables using this file, adding the rules you need one per line before the COMMIT command. When you're done, save the file.
Also, I found a suggestion to add at least the following rule, in order to validate:
-A INPUT -p icmp -m icmp –icmp-type 8 -j REJECT
-A INPUT -p icmp -m icmp –icmp-type 8 -j REJECT
Now ping your device, it should respond normally and perform a reboot:
# reboot
When your device is back on do a ping request again and this time you should get the “Destination port unreachable” message. Now feel free to add the rest of the rules you need.
If your line COMMIT fails maybe there are some mistakes before this line. Check each single line in your configuration file.
After I configured iptables and added more lists to pi-hole the amount of ads I saw decreased considerably but you might have to check if those lists are maintained/available or search for new.
Sometimes you might be unable to access them with no error message or something that gives you a clue why, just remember that you have a pi-hole and search the logs, disable it for a few minutes and confirm you can access the web site, after that you'll have to search which list is blocking it, contact the person who provide the list and ask to remove it or add it to the "white list" section.
I would like to see other options in the future, like configurations for specific devices, more details from the stats. So far so good, it does what is says, block the ads and it works also for an openvpn mobile client!!!
