stephendotexe
Posts: 20
Joined: Sat Jun 01, 2013 11:20 pm

Setting up a simple firewall for use in the DMZ

Fri Jun 14, 2013 7:52 pm

The full post can be found on my blog here: Setting Up a Firewall on the Raspberry Pi

You have two good options for protecting your Raspberry Pi with a software firewall. The first is the tried and true iptables. The second is much easier to use and configure, and that's Debian's "ufw" service. I'll show you how to firewall your Raspberry Pi with ufw.

Yes ufw is just a wrapper for iptables, but it's much easier to use for beginners.

Before we start messing around with firewall rules, I always like to leave myself a backdoor. We're going to continually open up port 22 to our local network. We'll open up a screen session and start a loop. When we're sure everything is good, we'll close our screen session.

Code: Select all

$ sudo apt-get install -y screen ufw
$ screen -S firewall
$ while true; do sudo ufw allow from 192.168.1.0/24; sudo ufw --force enable; sleep 60; done
 (disconnect from the screen session by typing "ctrl+a d")
Great, now we have a backdoor in case we lock ourselves out. Every 60 seconds our session will try to allow every address from 192.168.1.1-255 to access every port on the host. You'll only be locked out for up to a minute. Trust me, you do not want to skip this step.

We can use ufw to add different ports. Here's my basic setup. You can copy and paste these commands into your terminal or place them into a script and execute them.

Code: Select all

# Allow port 22 to everyone in the world
sudo ufw allow 22

# Allow all ports on my local network
sudo ufw allow from 192.168.1.0/24

# Allow web ports to everyone
sudo ufw allow 80

sudo ufw --force enable
You can check the status:

Code: Select all

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
Anywhere                   ALLOW       192.168.1.0/24
80                         ALLOW       Anywhere
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere (v6)
22                         ALLOW       Anywhere (v6)
Now all of the Raspberry Pi's ports are exposed to our local network, but everything else can communicate with ports 22 and 80. If you're done making changes to the firewall and are positive you're not locked out, then go ahead and kill the screen loop:

Code: Select all

$ screen -r
(ctrl+c to stop the loop, then ctrl+d to close the session)
Now you've got every port locked down from the outside but 22 and 80. But your Raspberry Pi probably isn't yet exposed to the public internet. For this to happen we're going to add our Raspberry Pi to the DMZ on our wireless router's firewall.

A firewall DMZ means that every port will be forwarded to this specific host by default. This will make our raspberry pi the first port of entry into our home network. You can connect to it anywhere, and even use your raspberry pi as an ssh tunnel.

You can usually find the dmz settings by logging into your router, which is typically found at 192.168.1.1 or 192.168.0.1.

Now you can run some external port scans and make sure the ports are actually open. You can use inCloak's tool. Since we opened up every port to our local network, we'll need to use an external port scanner.

And there you have it. Maybe if you get more paranoid you can give fail2ban a try. Good luck!
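
The procedure above, as an added example that is not the post author's script: a POSIX shell script that applies the same rule set (every port from the LAN, 22 and 80 from anywhere) but replaces the screen loop with a timed rollback. The script is mine; the name ufw-safe.sh, the apply/confirm subcommands, the UFW, LAN, SSH_PORT, WEB_PORT, GRACE_SECONDS, ROLLBACK_PID_FILE and ROLLBACK_LOG variables, and the valid_cidr4 check are assumptions, not anything from the post. It assumes ufw is installed and that it runs as root (sudo ./ufw-safe.sh apply), so the background rollback never stalls on a sudo password prompt.

```shell
#!/bin/sh
# Added example, not the post author's script: the thread's rule set with a timed
# rollback instead of a screen loop. Run as root (sudo ./ufw-safe.sh apply).
# Assumptions (mine, not from the post): the UFW, LAN, SSH_PORT, WEB_PORT,
# GRACE_SECONDS, ROLLBACK_PID_FILE and ROLLBACK_LOG tunables and valid_cidr4.
UFW="${UFW:-ufw}"                       # set UFW=echo for a dry run
LAN="${LAN:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
WEB_PORT="${WEB_PORT:-80}"
GRACE_SECONDS="${GRACE_SECONDS:-120}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/tmp/ufw-rollback.pid}"
ROLLBACK_LOG="${ROLLBACK_LOG:-/tmp/ufw-rollback.log}"

# Accept only a dotted quad with a 0-32 prefix, so a typo cannot become a rule.
valid_cidr4() {
    _addr="${1%/*}"
    _plen="${1#*/}"
    [ "$_addr" != "$1" ] || return 1                 # no "/prefix" at all
    case "$_plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_plen" -le 32 ] || return 1
    _old_ifs="$IFS"; IFS=.
    set -- $_addr
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# The rule set from the post. Every call goes through $UFW so it can be dry-run.
apply_rules() {
    valid_cidr4 "$LAN" || { echo "refusing to apply: bad LAN cidr '$LAN'" >&2; return 1; }
    $UFW default deny incoming           # ufw's default, stated explicitly
    $UFW default allow outgoing
    $UFW allow from "$LAN"               # every port, but only from the LAN
    $UFW allow "$SSH_PORT/tcp"           # ssh from anywhere
    $UFW allow "$WEB_PORT/tcp"           # web from anywhere
    $UFW --force enable
}

# Arm a background timer that disables ufw unless cancel_rollback runs first.
# trap '' HUP keeps it alive if the ssh session that armed it is the one that
# dies; disable (not reset) keeps the rules on disk for a second attempt.
schedule_rollback() {
    ( trap '' HUP; sleep "$GRACE_SECONDS"; $UFW disable >> "$ROLLBACK_LOG" 2>&1 ) &
    echo $! > "$ROLLBACK_PID_FILE"
}

cancel_rollback() {
    [ -f "$ROLLBACK_PID_FILE" ] || return 1
    kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null || true
    rm -f "$ROLLBACK_PID_FILE"
}

main() {
    case "$1" in
        apply)
            schedule_rollback
            apply_rules || { cancel_rollback; return 1; }
            echo "Rules active. From a NEW ssh session run '$0 confirm' within ${GRACE_SECONDS}s or ufw is disabled again."
            ;;
        confirm)
            cancel_rollback && echo "Rollback cancelled; rules stay in place."
            ;;
        *)
            echo "usage: $0 apply|confirm" >&2
            return 2
            ;;
    esac
}

# Only run main when executed as ufw-safe.sh, so the file can also be sourced.
case "$0" in *ufw-safe.sh) main "$@" ;; esac
```

apply arms the timer and loads the rules; open a second ssh session and run confirm within GRACE_SECONDS, otherwise ufw is disabled again and the old session can be used to fix the rule set. Setting UFW=echo prints the commands instead of running them, which is an easy way to review what will be applied.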

knightwolfjk
Posts: 2
Joined: Sun Sep 01, 2013 4:08 am

Re: Setting up a simple firewall for use in the DMZ

Sun Sep 01, 2013 4:11 am

No luck... What'd I miss?

Code: Select all

pi@raspberrypi ~ $ ufw
bash: ufw: command not found

ajmas
Posts: 31
Joined: Sat Mar 24, 2012 2:28 pm

Re: Setting up a simple firewall for use in the DMZ

Wed Oct 16, 2013 1:07 am

You need to install the ufw utility first, if you don't have it. If you are using apt-get then simply:

Code: Select all

sudo apt-get install ufw
One thing I would add in the above rules is the entry for the local IPv6 subnet:

Code: Select all

sudo ufw allow from fe80::/10

lenkf
Posts: 19
Joined: Wed Jul 10, 2013 10:02 pm
Location: S.California

Re: Setting up a simple firewall for use in the DMZ

Thu Oct 17, 2013 8:09 pm

UFW has worked out very nicely for my small need. I'm using a usb webcam on a v.2 rpi dedicated to viewing my outdoor aviary. I wanted to view the aviary not only from my home network but also on the internet away from home. The home router does the heavy lifting as the primary firewall. I didn't setup the rpi as the DMZ host, but simply allowed port forwarding of 8081 (the port used by Motion's video webserver) to the rpi's internal ip address.

I wanted to make sure that only port 8081 on the rpi was available to the internet so I installed and setup ufw to allow port 8081 from anywhere, and port 22 (ssh) from any node on my home network. Initially I ran ufw with "logging=medium" in order to get a feel for how ufw works. UFW keeps its own log in /var/log/ufw.log, but also drops the same info in /var/log/messages, and /var/log/syslog if I recall correctly (sheesh!). All the logs were getting huge quickly! I now run ufw with "logging=low" so only blocked connection attempts are logged (rare except when I'm playing with things).

I noticed you specifically allow both IPv4 and IPv6 connections to 8081, and I will add that change to my ufw rules. Thanks for the good writeup.

Fred

knightwolfjk
Posts: 2
Joined: Sun Sep 01, 2013 4:08 am

Re: Setting up a simple firewall for use in the DMZ

Fri Oct 18, 2013 1:11 am

ajmas wrote:You need to install the ufw utility first, if you don't have it. If you are using apt-get then simply:

Code: Select all

sudo apt-get install ufw
One thing I would add in the above rules is the entry for the local IPv6 subnet:

Code: Select all

sudo ufw allow from fe80::/10
I would only recommend this if you're truly using IPv6. Opening IPv6 before you're using it can allow for potential exploits.
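
Checking that the rules ended up as narrow as intended, as an added example that is not from any of the posters: a POSIX shell function that reads saved `sudo ufw status` output (the listing from the first post plus constructed bad rules) and flags ports open to the world that are not on an expected list, LAN sources wider than a /16, and link-local IPv6 sources written with a prefix shorter than /10 (fe80::/1, for instance, is half of the IPv6 address space, not the link-local range). EXPECTED_PUBLIC, the /16 and /10 thresholds and the file name ufw-audit.sh are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit the text of
# `sudo ufw status` for rules that are broader than the thread intends.
# Assumptions (mine, not the posters'): EXPECTED_PUBLIC lists the ports meant
# to be reachable from the internet; a source wider than /16 for IPv4, or an
# fe80: source wider than /10, is treated as a mistake.
EXPECTED_PUBLIC="${EXPECTED_PUBLIC:-22 80}"

# Constructed sample: the first post's listing plus three rules that should be
# flagged (8081 to the world, fe80::/1, 10.0.0.0/8).
write_sample_status() {
    cat > "$1" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.0/24
80                         ALLOW       Anywhere
22                         ALLOW       Anywhere
8081                       ALLOW       Anywhere
Anywhere                   ALLOW       fe80::/1
Anywhere                   ALLOW       10.0.0.0/8
80                         ALLOW       Anywhere (v6)
22                         ALLOW       Anywhere (v6)
EOF
}

# Print one finding per line. Returns 0 if clean, 1 if anything was flagged.
audit_ufw_status() {
    _found=0
    while read -r _to _action _from _rest; do
        [ "$_action" = "ALLOW" ] || continue
        case "$_from" in
            Anywhere)
                _ok=0
                for _p in $EXPECTED_PUBLIC; do
                    if [ "$_to" = "$_p" ]; then _ok=1; fi
                done
                [ "$_ok" -eq 1 ] || { echo "PUBLIC: port $_to is open to the world"; _found=1; }
                ;;
            fe80:*/*)
                [ "${_from#*/}" -ge 10 ] || { echo "BROAD6: $_from is wider than link-local fe80::/10"; _found=1; }
                ;;
            *:*/*)
                :   # other IPv6 sources are not assessed by this check
                ;;
            */*)
                [ "${_from#*/}" -ge 16 ] || { echo "BROAD4: $_from is wider than a /16"; _found=1; }
                ;;
        esac
    done < "$1"
    return "$_found"
}

demo() {
    _f=$(mktemp)
    write_sample_status "$_f"
    audit_ufw_status "$_f"
    _rc=$?
    rm -f "$_f"
    return "$_rc"
}

# Only run the demo when executed as ufw-audit.sh, so the file can be sourced.
case "$0" in *ufw-audit.sh) demo ;; esac
```

To audit a live host, save the listing with `sudo ufw status > status.txt` and call `audit_ufw_status status.txt`; a non-zero exit makes it usable from a cron job or a deployment check.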
