Raspberry Pi: iptables (Security - Part II)
The firewall configuration, especially if you're a beginner in Linux, may seem tricky and difficult to understand. But once you've grasped the basics of the commands, you can write your own script instead of using ready-made ones, which may not always be correct for your needs. If none of the commands I've provided here work, iptables might not be installed on your system. To install it, type:
sudo apt-get update && sudo apt-get install iptables
sudo /etc/init.d/iptables start
The first command installs iptables (both halves need root, hence sudo on each), the second starts it on your system.
- NOTE: Be extremely careful when configuring iptables, as you might block yourself from accessing your Pi!
- If, for any reason, you're unable to access your Pi through ssh or your website stopped working, connect your Pi to a monitor/TV or open your SD Card on a computer running Linux and re-edit the iptables rules in /etc/network/iptables.
To make a basic configuration of your iptables that allows you ssh access without the risk of being hacked, you should:
1. Check your router's IP address, as we will be blocking access from it apart from the http and https ports (80 and 443 respectively):
sudo grep gateway /etc/network/interfaces
The output is the gateway line from that file; the address on it is your router's IP.
2. We will now set up iptables rules to allow external visitors to see our website without the ability to log into our Pi. First, we need to run:
sudo bash -c 'iptables-save > /etc/network/iptables'
This writes the current rules to /etc/network/iptables, the file we will have loaded on system boot in the next step.
3. Let's now set up the file so a reboot keeps the iptables configuration. To do so, we need to edit /etc/network/interfaces:
sudo nano /etc/network/interfaces
At the end of the file we'll add the following line:
pre-up iptables-restore < /etc/network/iptables
This tells our Pi to load the rules from /etc/network/iptables before the network starts (iptables-restore reads the ruleset from its standard input, so the file has to be redirected into it). Save the file with [Ctrl]+[X] > Y > [Enter] and move on.
4. Next we'll edit the /etc/network/iptables file to set the firewall rules:
sudo nano /etc/network/iptables
Add the following lines to the file, replacing the two placeholders (YOUR ROUTER IP and YOUR NETWORK ADDRESS) with the values for your network:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s YOUR ROUTER IP/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Save the file with [Ctrl]+[X] > Y > [Enter]. Before we move on, a few words of explanation:
- :INPUT DROP - don't accept any incoming network traffic unless a following rule overrides it.
- :FORWARD ACCEPT - accept any forwarding requests
- :OUTPUT ACCEPT - allow any outbound network traffic
- -A INPUT -i lo -j ACCEPT - allow any connections from the local host
- -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT - allow all traffic via port 80 (the port used for http)
- -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT - allow all traffic via port 443 (the port used for https)
- -A INPUT -s YOUR ROUTER IP/32 -p tcp -m tcp --dport 22 -j DROP - block any traffic to port 22 (ssh) coming from your router. This rule has to sit before the network-wide ACCEPT that follows it: iptables stops at the first rule that matches, and your router's address normally lies inside your /24 network, so an ACCEPT for the whole network placed earlier would let the router's ssh traffic through before the DROP was ever reached. Note that -s takes the address and -p the protocol; there is no -i option here, because -i names an interface (such as eth0), not a protocol.
- -A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT - allow all traffic from the internal network
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - allow inbound packets that belong to connections already established, such as replies to requests the Pi itself made
- COMMIT - finally, commit the entries to the firewall
Now we need to load the rules into our iptables:
sudo iptables-restore /etc/network/iptables
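Steps 1 to 4 above can be tied together in one small script. What follows is an added example, not a script from the original post or from the author's GitHub: it reads the gateway line from an interfaces-style file (step 1), derives the /24 network from it (assuming, like the post, a /24 LAN), writes the ruleset from step 4 with the two placeholders filled in, and then parse-checks the result with iptables-restore --test before anything is loaded into the kernel. The function names and the output path are this example's own; with no arguments it runs on a constructed sample interfaces snippet rather than on the real /etc/network/interfaces.

```shell
#!/bin/sh
# Added example, not from the original post: generate the /etc/network/iptables
# ruleset of step 4 from the gateway found in /etc/network/interfaces, then
# parse-check it with "iptables-restore --test" before anything is loaded.
# Function names and the output path are this example's own choices.

# Print the address from the first "gateway a.b.c.d" line of an interfaces file.
read_gateway() {
    awk '$1 == "gateway" { print $2; exit }' "$1"
}

# Turn a gateway such as 192.168.1.1 into its /24 network, 192.168.1.0/24.
# Assumes a /24 LAN, as the post does.
lan_from_gateway() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Emit the ruleset for a given router address and LAN network.
# The router DROP rule is placed before the LAN-wide ACCEPT: iptables stops at
# the first match, and the router sits inside the LAN range, so the other
# order would never reach the DROP.
build_ruleset() {
    gw="$1"
    lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s ${gw}/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s ${lan} -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Parse-only check of a rules file; fails (and names the bad line) on a typo.
# iptables-restore needs root and the netfilter modules, so the check is
# skipped, with a notice, where those are missing.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test "$1"
    else
        echo "notice: iptables-restore --test skipped (needs root and iptables)" >&2
    fi
}

# Build and check a rules file from an interfaces file: main INTERFACES OUTFILE
main() {
    gw=$(read_gateway "$1")
    if [ -z "$gw" ]; then
        echo "error: no gateway line in $1" >&2
        return 1
    fi
    build_ruleset "$gw" "$(lan_from_gateway "$gw")" > "$2"
    check_ruleset "$2" && echo "ruleset written to $2"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    # No arguments: demonstrate on a constructed interfaces snippet (not the
    # real /etc/network/interfaces) and print the generated rules.
    sample=$(mktemp) && out=$(mktemp)
    printf 'auto eth0\niface eth0 inet static\n    address 192.168.1.20\n    netmask 255.255.255.0\n    gateway 192.168.1.1\n' > "$sample"
    main "$sample" "$out" && cat "$out"
    rm -f "$sample" "$out"
fi
```

Run it as root with sh build-rules.sh /etc/network/interfaces /tmp/iptables.rules, read the generated file, and only then copy it to /etc/network/iptables and load it with iptables-restore as in the step above. The --test pass catches a mistyped target or option before a bad file can make the Pi unreachable at its next boot, which is the failure the note at the top of this post warns about.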
You can check if it worked by typing:
sudo iptables -L
This should show you the existing iptables rules. And if you want to see iptables in action, head to my GitHub for an example, chmod +x the file and run it on your Pi.
If you wish to open ssh (or any other) access from outside your local network, for example to administer your Pi from any location in the world, to enable ftp file transfer, to install WordPress, or for any other reason, it's a must to install fail2ban, an intrusion prevention daemon that bans unwanted visitors from peeking into your server. In the next part, I'm going to cover the use and configuration of fail2ban.