The Unwritten Words :: Linux Newbie

Raspberry Pi: iptables (Security – Part II)

Iptables

The firewall configuration, especially if you’re a beginner in Linux, may seem tricky and difficult to understand. But once you’ve grasped the basics of the commands, you can write your own script instead of using ready-made ones, which may not always be correct for your needs. If none of the commands I’ve provided here work, iptables might not be installed on your system. To install it, type:

sudo apt-get update && sudo apt-get install iptables

sudo /etc/init.d/iptables start

The first command will install iptables, the second will enable them on your system.

NOTE: Be extremely careful when configuring iptables, as you might block yourself from accessing your Pi! 

If, for any reason, you’re unable to access your Pi through ssh or your website stopped working, connect your Pi to a monitor/TV or open your SD Card on a computer running Linux and re-edit the iptables rules in /etc/network/iptables.

I’ve covered the iptables in general here, but I’ve abandoned sshblack and made use of a better and more flexible tool - fail2ban.

The Tables

To set up a basic iptables configuration that allows yourself ssh access without the risk of being hacked, you should:

1. Check your router’s IP address, as we will be blocking any access from there apart from http and https ports (80 and 443 respectively):

sudo grep gateway /etc/network/interfaces

You will get something like this:

gateway 192.168.1.1

2. We will now set up iptables rules to allow external visitors to see our website without the ability to log into our Pi. First, we need to run:

sudo bash -c 'iptables-save > /etc/network/iptables'

This writes the current rules to /etc/network/iptables, the file from which iptables will be loaded on system boot.

3. Let’s now set things up so that a reboot keeps the iptables configuration. To do so, we need to edit the /etc/network/interfaces file:

sudo nano /etc/network/interfaces

At the end of the file we’ll add the following line:

pre-up iptables-restore < /etc/network/iptables

This will tell our Pi to load the iptables rules before the network interface comes up. Save the file with [Ctrl]+[X] > Y > [Enter] and move on.

4. Next we’ll edit the /etc/network/iptables file to set the firewall rules:

sudo nano /etc/network/iptables

Add the following lines to the file, replacing the placeholders YOUR NETWORK ADDRESS and YOUR ROUTER IP with the values for your network:

*filter
:INPUT DROP [23:2584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1161:105847]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s YOUR ROUTER IP/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Save the file with [Ctrl]+[X] > Y > [Enter]. Before we move on, a few words of explanation:

:INPUT DROP
- don’t accept any incoming network traffic unless a following rule overrides it.
:FORWARD ACCEPT
- accept any forwarding requests
:OUTPUT ACCEPT
- allow any outbound network traffic
-A INPUT -i lo -j ACCEPT
- allow any connections from the local host
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
- allow all traffic via port 80 (the port used for http)
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
- allow all traffic via port 443 (the port used for https)
-A INPUT -s YOUR ROUTER IP/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP
- block any traffic to port 22 (ssh) coming from your router; this rule has to come before the network-wide ACCEPT, because iptables applies the first rule that matches and the router’s address is part of your internal network
-A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT
- allow all traffic from the internal network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- allow replies to connections that the Pi itself initiated
COMMIT
- finally, commit the entries to the firewall
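To see why the position of the port-22 DROP rule matters, here is a small first-match simulator for the INPUT chain (an added example, not code from the original post). It understands only the options this ruleset uses, takes the port-22 rule with `-i eth0`, and uses constructed sample addresses (192.168.1.0/24 as the network, 192.168.1.1 as the router); it evaluates the same rules in both orders.

```python
# Added example, not from the original post: a tiny first-match simulator for the
# INPUT chain above, showing why rule order matters. It understands only the options
# the ruleset uses (-s, -i, -p, --dport, --state, -j); addresses are constructed.
import ipaddress
import shlex

OPTS = {"-s": "src", "-i": "iface", "-p": "proto",
        "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Turn one '-A INPUT ...' line into a dict of match conditions."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] not in ("-A", "-m"):   # chain / match-module names carry no condition
            rule[OPTS[toks[i]]] = toks[i + 1]
        i += 2
    return rule

def matches(rule, pkt):
    """True when every condition in the rule holds for the packet."""
    checks = {
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "iface": lambda v: pkt["iface"] == v,
        "proto": lambda v: pkt["proto"] == v,
        "dport": lambda v: pkt.get("dport") == int(v),
        "state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "target")

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; with no match the chain policy (:INPUT DROP) applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

NET, ROUTER = "192.168.1.0/24", "192.168.1.1"   # constructed sample values
COMMON = ["-A INPUT -i lo -j ACCEPT",
          "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT",
          "-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT"]
ALLOW_LAN = f"-A INPUT -s {NET} -j ACCEPT"
DROP_ROUTER_SSH = f"-A INPUT -s {ROUTER}/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP"
ESTABLISHED = "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
LAN_FIRST = COMMON + [ALLOW_LAN, DROP_ROUTER_SSH, ESTABLISHED]   # DROP is shadowed
DROP_FIRST = COMMON + [DROP_ROUTER_SSH, ALLOW_LAN, ESTABLISHED]  # DROP takes effect

def packet(src, dport, state="NEW", iface="eth0"):
    """A constructed inbound TCP packet as seen by the INPUT chain."""
    return {"src": src, "iface": iface, "proto": "tcp", "dport": dport, "state": state}
```

With LAN_FIRST an ssh connection arriving with the router's address is ACCEPTed by the network-wide rule before the DROP is ever consulted; with DROP_FIRST it is DROPped, while web traffic and replies to the Pi's own connections pass in both orders.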

Now we need to load the rules into our iptables:

sudo iptables-restore < /etc/network/iptables

You can check if it worked by typing:

sudo iptables-save

This should show you the existing iptables rules. And if you want to see iptables in action, head to my Github for an example, chmod +x the file and run it on your Pi.

If you wish to open ssh (or any other) access from outside your local network, for example to admin your Pi from any location in the world, to enable ftp file transfer, install wordpress, or for any other reason, it’s a must to install fail2ban, an intrusion prevention daemon that bans unwanted visitors from peeking into your server. In the next part, I’m going to cover the use and configuration of fail2ban.
