7) Set up a Firewall


We need to set up Firewall rules to block unwanted traffic to the Raspberry Pi.

iptables is the user-space tool that controls the kernel's netfilter packet filter, and it is included in the Raspberry Pi distribution.

There are a number of front ends that make iptables easier to work with. However, we are only going to create a few rules, so we can write the rule set in a file and then import that file into iptables directly. The rules described here are specifically for a web server; your requirements may differ from this example.

You can display the current rules using the following commands:

IPv4:

sudo iptables -L

IPv6:

sudo ip6tables -L

By default iptables has no rules for either IPv4 or IPv6, so initially you will see the following output with no firewall rules. This means that all incoming, forwarded and outgoing traffic is allowed. We need to limit the inbound and forwarded traffic to only what is necessary.

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Creating a set of Firewall rules

As an example, the following creates a set of rules for IPv4 and IPv6. The examples form a basic rule set which may need changing depending on your particular system requirements.

Create a new file in the /tmp folder, which I have called v4:

sudo nano /tmp/v4

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic which was sent to you
# for forwarding (optional but useful).
#-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

Create a new file in the /tmp folder, which I have called v6:

sudo nano /tmp/v6

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT

# Allow ICMP
-A INPUT -p icmpv6 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT
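
Before loading files like these it is worth checking what they will actually do. The following is an added example, not part of this page or of the Raspberry Pi distribution: a small Python script that reads an iptables-restore file, refuses it if it contains non-ASCII dashes or quotes (which iptables-restore cannot parse), and simulates how the INPUT and FORWARD chains treat sample packets. The function names parse_rules and decide are my own, the embedded rule set is a constructed copy of the v4 file above, and the simulation assumes the default policies stay ACCEPT as shown earlier, only models the match options these files use (-i, ! -i, -s, -p, --dport, --state, --icmp-type) and ignores LOG rules.

```python
import ipaddress, shlex
# Constructed sample: the page's v4 file, with the dashes written in ASCII.
SAMPLE_V4 = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

def parse_rules(text):
    """Return {chain: [(matches, target)]} in file order (LOG rules skipped)."""
    chains = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.isascii():  # en-dashes or smart quotes break iptables-restore
            raise ValueError(f"line {n}: non-ASCII character in rule file")
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":  # skip *filter, COMMIT, comments, blanks
            continue
        chain, matches, target, i = tok[1], {}, None, 2
        while i < len(tok):
            neg = tok[i] == "!"  # "! -i lo" negates the option that follows
            i += neg
            if tok[i] == "-j":
                target = tok[i + 1]
            elif tok[i] != "-m":  # "-m state" only loads the match module
                matches[tok[i]] = (tok[i + 1], neg)
            i += 2
        if target != "LOG":  # LOG never ends chain traversal, so ignore it here
            chains.setdefault(chain, []).append((matches, target))
    return chains

def decide(chains, chain, pkt):
    """First matching rule wins; no match falls through to the ACCEPT policy."""
    field = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state", "--icmp-type": "icmp_type"}
    for matches, target in chains.get(chain, []):
        for opt, (val, neg) in matches.items():
            if opt == "-s":
                hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val)
            else:  # exact match, or membership for lists like ESTABLISHED,RELATED
                hit = str(pkt.get(field.get(opt))) in val.split(",")
            if hit == neg:  # this option failed, so move on to the next rule
                break
        else:
            return target
    return "ACCEPT"
```

Run decide against packets you expect to be allowed (a new SSH or HTTP connection, a reply on an established connection) and ones you expect to be rejected (a new connection to another port, a spoofed 127.0.0.1 source on eth0, anything in FORWARD) before you run iptables-restore.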

Load the iptables rules

To load the rule files into iptables and ip6tables we use the commands:

sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6

We need a way to ensure that the iptables rules are restored after a reboot, so we have to install iptables-persistent using:

sudo apt-get install iptables-persistent

You’ll be asked if you want to save the current IPv4 and IPv6 rules. Answer yes to each prompt.

You can remove the temporary v4 and v6 files if you wish.

We can recheck the firewall rules using:

sudo iptables -vL
sudo ip6tables -vL

This is the basic firewall rule set. However, you may have to edit these rules if your installation changes, for example to a file server.
