wifi-setup
PI COMMAND LINE WIFI SETUP
This isn't so much a project as a place to store my hard-won knowledge for my own future use. Maybe you'll also find it useful.
WHY
If you're using the Raspbian Lite image, you don't have access to the normal graphical WiFi setup tools. Setup can be done from the command line, but finding complete information is difficult, and the new init system has changed things a bit from what others have documented. Here's what worked for me:
HOW
Type the following. Replace ssid and password with the values needed for your access point:
wpa_passphrase ssid password > /etc/wpa_supplicant/wpa_supplicant.conf
systemctl enable wpa_supplicant
The /etc/wpa_supplicant/wpa_supplicant.conf file now contains a commented-out line (it starts with a # symbol) that holds your password in plain text. This line can be removed for added security.
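The same step done without leaving the password in shell history, the process list or the config file, as an added example that is not part of the original page. The function names are hypothetical; it relies on wpa_passphrase reading the passphrase from standard input when the second argument is omitted, and is meant to be run as root like the commands above.

```shell
#!/bin/sh
# Added example, not from the original page. Run as root, like the page's commands.

# Filter wpa_passphrase output on stdin: drop the '#psk="..."' comment that
# holds the passphrase in clear text, and the notice printed in stdin mode.
# The real 'psk=<64 hex digits>' line does not start with '#', so it is kept.
strip_plain_psk() {
    sed -e '/^[[:space:]]*#psk=/d' -e '/^# reading passphrase from stdin$/d'
}

# Write stdin to file "$1" with mode 0600 from the moment it exists.
# The hashed psk is still enough to join the network, so it stays root-only.
write_private() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1   # mktemp creates the file 0600
    if cat > "$tmp" && [ -s "$tmp" ]; then
        chmod 600 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"                             # empty input: keep the old file
        return 1
    fi
}

# make_wpa_conf SSID [DEST] (hypothetical helper): prompt for the passphrase
# instead of taking it as an argument, so it is not saved in shell history
# or shown in the process list.
make_wpa_conf() {
    ssid=$1
    dest=${2:-/etc/wpa_supplicant/wpa_supplicant.conf}
    printf 'Passphrase for "%s": ' "$ssid" >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r pass
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    # wpa_passphrase exits non-zero on a bad passphrase (e.g. under 8 characters);
    # stop here so its error text is never written into the config.
    conf=$(printf '%s\n' "$pass" | wpa_passphrase "$ssid") || { unset pass; return 1; }
    unset pass
    printf '%s\n' "$conf" | strip_plain_psk | write_private "$dest"
}
```

After sourcing the file, `make_wpa_conf ssid` replaces the wpa_passphrase line above; `systemctl enable wpa_supplicant` is still needed afterwards.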
Edit the /etc/network/interfaces file. Make the wlan0 section look like the following:
allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
If you want to set up a minimal firewall, add the following lines to the /etc/rc.local file:
#mitigate glibc vulnerability
iptables -I INPUT -p udp --sport 53 -m length --length 511:65535 -j DROP
iptables -I INPUT -p udp --dport 53 -m length --length 511:65535 -j DROP
#allow www on external
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o wlan0 -p tcp -m multiport --dports 80,443
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i wlan0 -p tcp
#allow ping on external
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o wlan0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i wlan0 -p icmp
#allow dns on external
iptables -A OUTPUT -j ACCEPT -o wlan0 -p udp --dport 53
iptables -A INPUT -j ACCEPT -i wlan0 -p udp --sport 53
#allow dhcp renewals on external
iptables -A OUTPUT -j ACCEPT -o wlan0 -p udp --sport 67:68 --dport 67:68
iptables -A INPUT -j ACCEPT -i wlan0 -p udp --sport 67:68 --dport 67:68
#allow all on internal (the whole 127.0.0.0/8 loopback range, which includes 127.0.1.1)
iptables -A INPUT -j ACCEPT -p all -s 127.0.0.0/8 -i lo
iptables -A OUTPUT -j ACCEPT -p all -d 127.0.0.0/8 -o lo
#block everything else
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
#show all rules
iptables -L -n -v
For even more security, edit the /etc/sysctl.conf file and un-comment applicable security options. It's self-documenting.
Reboot and wait a couple of minutes. You should be connected to your access point!