purg
Posts: 22
Joined: Fri Jun 08, 2012 8:07 pm

Secure RPi (my novice approach)

Fri Jun 15, 2012 1:53 pm

I've loaded the RPi with nginx, php & transmission, so I thought it was time to secure the box. Without prior admin knowledge of Linux security, I'm posting this in the hope it will help myself and others in a similar situation.

Linux security seems to purely revolve around IPTABLES, so googling helped find a few commands to start me off in the right direction, which is worth reading imo.
https://help.ubuntu.com/community/IptablesHowTo

By trial and error (please correct me if anything is wrong) I built a script containing my firewall rules which allows unlimited local network access to SSH & WWW while blocking external access.

ssh = port 22
www = port 80

Home network is designed as follows
192.168.1.1 DSL modem router (linksys wag54gs)
192.168.1.60 static IP for RPi (below 100 I leave for static addressing)
192.168.1.100 - 200 DHCP used for laptop, desktop, phone etc

        #!/bin/sh
        # interface the RPi is plugged into (the original used $int_if without defining it)
        int_if=eth0

        # start from empty chains so running the script twice does not append every rule twice
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT

        # default policy
        iptables -P INPUT   DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT  DROP

        # drop broadcast (do not log)
        iptables -A INPUT  -i $int_if -d 255.255.255.255 -j DROP
        iptables -A INPUT  -i $int_if -d 192.168.255.255 -j DROP
        iptables -A INPUT  -i $int_if -d 192.168.1.255   -j DROP

        # accept everything from loopback
        iptables -A INPUT  -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # accept ICMP packets (ping), rate limited
        iptables -A INPUT  -p icmp -m limit --limit 10/second -j ACCEPT
        iptables -A INPUT  -p icmp -j DROP

        # internet (established and out)
        iptables -A OUTPUT -o $int_if -j ACCEPT
        iptables -A INPUT  -i $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT

        # accept ssh / www connections from local IP ranges
        iptables -A INPUT -p tcp -m tcp --dport 22 -m iprange --src-range 192.168.1.10-192.168.1.200 -j ACCEPT
        iptables -A INPUT -p tcp -m tcp --dport 80 -m iprange --src-range 192.168.1.10-192.168.1.200 -j ACCEPT

        # log all the rest before dropping
        iptables -A INPUT   -m limit --limit 6/min -j LOG --log-prefix "IN "
        iptables -A INPUT   -j REJECT --reject-with icmp-port-unreachable
        iptables -A OUTPUT  -m limit --limit 6/min -j LOG --log-prefix "OU "
        iptables -A OUTPUT  -j REJECT --reject-with icmp-port-unreachable
        iptables -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "FW "
        iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
IPTABLES doesn't keep the config between reboots, so it's easy for testing. When happy with your config, save the commands into a file you can run like any other init.d file. The alternative is looking into the iptables-save and iptables-restore commands, which are on the ubuntu link above. I'm currently trying to figure out a way of starting the firewall rules much like the boot.rc file on /boot but have been unsuccessful so far.

The final step to my rules was updating /etc/init.d/transmission-daemon with iptables rules after the log_end_msg lines.

        start)
                # ... existing start commands, ending with the log_end_msg line ...
                iptables -I INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
                ;;
        stop)
                # ... existing stop commands, ending with the log_end_msg line ...
                iptables -D INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
                ;;

I know Linux security isn't anything new, so keeping it simple for learning, I would like to hear from others about securing the RPi.
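As an added example (not purg's script, and not anything shipped by the Raspberry Pi project), here is the same policy written so that it can be re-run without appending a second copy of every rule, saved with iptables-save for restoring at boot, and with two helpers that make a service start/stop hook like the transmission-daemon one idempotent. The interface name eth0, the rules path /etc/iptables.rules, the LAN range and the IPTABLES override (set it to "echo" to review the rules without applying them) are assumptions of this example, not values from the post.

```sh
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions: eth0 is the Pi's interface, /etc/iptables.rules holds the saved
# rules, and IPTABLES can be pointed at another command (e.g. echo) for a dry run.
IPTABLES="${IPTABLES:-iptables}"
INT_IF="${INT_IF:-eth0}"
LAN_RANGE="${LAN_RANGE:-192.168.1.10-192.168.1.200}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Apply the whole policy. Policies are opened and chains flushed first so a
# second run starts from empty chains instead of appending duplicates; the
# DROP policies go on last so an SSH session used to run this keeps working.
fw_apply() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P "$chain" ACCEPT
        $IPTABLES -F "$chain"
    done

    # loopback and replies to connections the Pi opened
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -i "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # broadcast noise, dropped without logging
    for dst in 255.255.255.255 192.168.255.255 192.168.1.255; do
        $IPTABLES -A INPUT -i "$INT_IF" -d "$dst" -j DROP
    done

    # SSH and HTTP only from the LAN range
    for port in 22 80; do
        $IPTABLES -A INPUT -p tcp -m tcp --dport "$port" \
            -m iprange --src-range "$LAN_RANGE" -j ACCEPT
    done

    # ping, rate limited
    $IPTABLES -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j DROP

    # the Pi may open connections out freely
    $IPTABLES -A OUTPUT -o "$INT_IF" -j ACCEPT

    # log (rate limited) and then reject whatever is left in each chain
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 6/min -j LOG --log-prefix "$chain "
        $IPTABLES -A "$chain" -j REJECT --reject-with icmp-port-unreachable
    done

    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P "$chain" DROP
    done
}

# Service hook helpers. `iptables -C` (iptables 1.4.11 or newer) reports
# whether an identical rule already exists, so a service restarted several
# times ends up with exactly one ACCEPT rule for its port, and a stop on a
# box where the rule is already gone does not fail.
port_rule_add() {
    $IPTABLES -C INPUT -p tcp -m tcp --dport "$1" -j ACCEPT 2>/dev/null \
        || $IPTABLES -I INPUT -p tcp -m tcp --dport "$1" -j ACCEPT
}
port_rule_del() {
    if $IPTABLES -C INPUT -p tcp -m tcp --dport "$1" -j ACCEPT 2>/dev/null; then
        $IPTABLES -D INPUT -p tcp -m tcp --dport "$1" -j ACCEPT
    fi
}

# Persistence: save the live rule set, restore it before the interface comes up.
fw_save()    { iptables-save    > "$RULES_FILE"; }
fw_restore() { iptables-restore < "$RULES_FILE"; }

case "${1:-}" in
    apply)   fw_apply ;;
    save)    fw_save ;;
    restore) fw_restore ;;
    open)    port_rule_add "$2" ;;
    close)   port_rule_del "$2" ;;
esac
```

Review the rule set first with IPTABLES=echo ./firewall.sh apply, then run ./firewall.sh apply and ./firewall.sh save as root. For restoring at boot, the Ubuntu page linked above describes the two usual Debian-style hooks: a pre-up iptables-restore < /etc/iptables.rules line in /etc/network/interfaces, or an executable script in /etc/network/if-pre-up.d/ that calls iptables-restore; either runs the rules before the interface is brought up, which is what the boot.rc idea was reaching for. In the transmission-daemon init script, ./firewall.sh open 51413 and ./firewall.sh close 51413 replace the bare -I and -D lines; an unconditional -I inserts a fresh copy of the rule on every restart.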

AndrewS
Posts: 3625
Joined: Sun Apr 22, 2012 4:50 pm
Location: Cambridge, UK

Re: Secure RPi (my novice approach)

Fri Jun 15, 2012 3:23 pm

purg wrote:Home network is designed as follows
192.168.1.1 DSL modem router (linksys wag54gs)
192.168.1.60 static IP for RPi (below 100 I leave for static addressing)
192.168.1.100 - 200 DHCP used for laptop, desktop, phone etc
Unless you've explicitly set up port forwarding on your router from the internet to your RPi's IP address (or put the RPi in a DMZ), I don't believe any of this iptables stuff is necessary? :|

purg
Posts: 22
Joined: Fri Jun 08, 2012 8:07 pm

Re: Secure RPi (my novice approach)

Fri Jun 15, 2012 6:47 pm

I went down this route because of traffic on the network going between the RPi and the internet. My thoughts would always be to keep poking around until it breaks anyway. No harm adding security, allowing the RPi to be exposed when required. For example, changing the key and default passwords on the device etc.

AndrewS
Posts: 3625
Joined: Sun Apr 22, 2012 4:50 pm
Location: Cambridge, UK

Re: Secure RPi (my novice approach)

Sat Jun 16, 2012 8:23 am

There are also some security tips in this thread http://www.raspberrypi.org/phpBB3/viewt ... =63&t=7148
