
How to Employ Raspberry Pi Firewall


By Jack Lin


Have you been looking for a way to create a Raspberry Pi firewall for a long time? If you cannot do it using OpenWRT and pfSense, this blog is definitely for you.

The Raspberry Pi features a single Ethernet socket, which is why creating a genuine firewall on a Raspberry Pi is impossible. However, one can build a router with firewall capabilities.

To do this, you need to install some software on the Pi. Before we dive into the details, let’s discuss some basics!

What is a Router Firewall?

To understand this, you should know what a router and a firewall are. A router is a network device that connects two networks to one another. If your computer has two or more Ethernet ports attached to different networks, it can behave like a router.

Suppose two networks, 1.0 and 2.0, are both connected to a router. A well-configured router lets computer X on one network and computer Y on the other reach each other even though they are on different networks.


The Raspberry Pi features a single Ethernet card. However, users can employ a WiFi card to create another network. Here, you will learn how to connect a WiFi network to an Ethernet network.

A firewall, on the other hand, is a kind of software. It enables users to apply security policies on the router. In the example above, a policy could state that X may ping Y but may not access its HTTP server.

Here, we will use the “iptables” software for this. Depending on your preference, you can go with other firewall software.

Setting up the wireless access point, and the other software for monitoring the network, takes a few steps. With them, you can even filter some traffic. So, if you would like to do this, keep reading.

Here is my current network:

[Image: current network]

And I want to turn it into this:

[Image: new network]

The steps are:

  • Install the Raspberry Pi firewall on your network
  • Enable a WiFi access point on a different network subnet
  • Build a bridge between the two networks
  • Create some firewall rules
  • Install other software

Here, we will discuss these steps in detail one by one. So, let’s begin with this procedure’s first step.


Install Raspberry Pi Firewall

First, you have to install the Raspberry Pi firewall on your network. For this:

  • Install Raspbian.
  • The desktop version is not required, unless you want to use Raspbian for other tasks.
  • Plug the Raspberry Pi into the network with an RJ45 cable.
  • A static IP address is not compulsory, but it could help.
  • After this, update the system using: sudo apt update, sudo apt upgrade, and sudo reboot.
  • Enable SSH by running sudo raspi-config and navigating to Interfacing options.

That’s it, and it is time to install the router. So, let’s see how to perform the router installation.


Install Wireless Router

It is quite possible to configure the Raspberry Pi manually as a WiFi router. However, it is a bit time-consuming and complex. To make it easier, we use a script that does it for you.

  • This script is available on GitHub, so you first need to install git to download it: sudo apt install git
  • Switch to a new folder and download the program:

cd /opt

sudo git clone https://github.com/unixabg/RPI-Wireless-Hotspot.git

  • Switch to the subdirectory: cd RPI-Wireless-Hotspot/
  • Begin the installation process: sudo ./install

The script asks a few questions. Once you have answered them, the Raspberry Pi reboots to apply the changes. After this, you can use the Raspberry Pi as a router. In the list of WiFi networks, you will see the corresponding SSID. After connecting to it, check that everything is functioning. There is nothing more to configure for the network.


Firewall Theory

The firewall’s main role is to allow or block access from one IP address to another. Most of the time, we also specify a port to make the permission more precise.

In firewall configurations, there are two basic modes: the blacklist, which follows the rule ‘Allow all except…’, and the whitelist, which follows the rule ‘Deny all except…’.

So, choose one according to what you want to do with the Raspberry Pi router.

At home, it is best to go with the first one, where you block specific things, such as particular IP addresses. At work, go with the other one, where everything is prohibited except what is permitted.

In, Out, and Forward

iptables is a simple program in which rules are created in just three directions. These three directions are:

  • Input: Network packets that come into your firewall
  • Output: Packets that go out from your firewall
  • Forward: Packets that go through your firewall

On a hosted web server, for example, one can block everything in input except HTTP and HTTPS. In output, however, it does not matter what the server does on the internet.

Here, we will use only Forward rules, as there is not much on the Raspberry Pi firewall itself. Thus, there is no point in protecting it.


Raspberry Pi Firewall Configuration

Users who want to can add a firewall to their router to filter the traffic. At home, it is not very significant. However, it is mandatory in a public area or a company.

IPTables

For Raspbian, various firewall packages are available, such as UFW or IPTables. OpenWRT is also available, a distribution that can be installed on the Raspberry Pi to create a firewall. IPTables is installed on the Raspberry Pi.

Examine the Present Configuration

Before adding rules, it is better to examine the present configuration. To do so, use the command ‘sudo iptables -L’.

The GitHub script adds basic rules to the Forward section to enable forwarding. You can also use this command later to check that the rules you have added correspond to what you intended.


Insert the Forward Rule

Each network is different, and thus every Raspberry Pi firewall rule table is different too. Here is the full syntax for adding a particular rule to your environment.

  • Reset the IPTables configuration

Run sudo iptables -F. Rule order is significant: with the existing rules the router accepts everything, so a rule added after them would be unable to block particular connections.

  • Add the DROP rule

Use the command sudo iptables -A FORWARD -p tcp --dport 80 -j DROP. In this command:

(-A) adds a new rule

(FORWARD) places it in the forward section

(-p tcp) matches the tcp protocol

(--dport 80) matches the HTTP port

(-j DROP) drops everything that matches, so the connection times out.

Now, connect to the WiFi router and check whether the connection is working. To remove the rule, use iptables -F, or use the same command with the -D operator in place of -A:

sudo iptables -D FORWARD -p tcp --dport 80 -j DROP

This command removes one particular rule rather than all the rules, as is the case with -F.

Iptables Command Syntax

You can use the same command template to create all the Raspberry Pi firewall rules:

iptables -<operation> <direction> -p <protocol> --dport <port> -j <action>

Operations:

  • -F: flush, removes all rules and requires no parameters
  • -A: append, adds a new rule
  • -D: delete, removes an existing rule

Directions:

FORWARD, OUTPUT, or INPUT

Protocols:

Mainly udp or tcp

Port:

The port number the rule applies to.

Action:

Choose what happens to the matching traffic. ACCEPT allows access in the whitelist mode. REJECT denies access and tells the sender that it is not permitted. DROP denies access without telling the sender.

Switch to Whitelist

Users in a strict environment should shift to whitelist mode. To do this, they have to produce a list of permitted ports. The easiest method is to write a script that runs all the commands at one time.

For this, you can install a DNS forwarder on the Raspberry Pi and use it to answer DNS requests.

  • Install Bind (DNS server package)

sudo apt install bind9

  • Back up the configuration

sudo mv /etc/bind/named.conf.options /etc/bind/named.conf.options.old

Now, create a new /etc/bind/named.conf.options and paste these lines:

acl "localnetwork" { 127.0.0.1/32; 192.168.42.0/24; };
options {
    directory "/var/cache/bind";
    forwarders { 208.67.222.222; };
    allow-query { localnetwork; };
    dnssec-validation auto;
    auth-nxdomain no;
    listen-on-v6 { any; };
};

This is a typical forwarding configuration: DNS queries received on the Raspberry Pi are sent on to OpenDNS.

  • Save and exit (CTRL+O, CTRL+X)
  • Restart Bind: sudo service bind9 restart
  • Edit the DNS servers handed out by DHCP: sudo nano /etc/udhcpd.conf
  • Change the line opt dns 208.67.222.222 208.67.220.220 so that clients use the Raspberry Pi as their DNS server
  • Restart the DHCP server: sudo service udhcpd restart

Now, reconnect the device and check that everything is running fine.

Build the Raspberry Pi Firewall Script

  • Create a file with nano

sudo nano /usr/local/bin/firewall.sh

  • Paste these lines:

#!/bin/sh
# Clear all rules
iptables -F
# Whitelist mode: forwarded traffic is dropped unless a rule below accepts it
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow replies to connections accepted below (without this rule the
# DROP policy also discards the return packets)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow PING for everyone
iptables -A FORWARD -p icmp -j ACCEPT
# Allow HTTP/HTTPS for WiFi clients
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
# Allow POP/IMAP/SMTP for WiFi clients
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT

Users can amend this script as they prefer. Now, give it execute permission with “sudo chmod +x /usr/local/bin/firewall.sh” and run it with “sudo /usr/local/bin/firewall.sh”. If something is not right, you can reboot the Raspberry Pi firewall to recover all access.
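The rule-order point made under "Reset the IPTables configuration" and the whitelist behaviour of the script can both be checked offline before touching a live router. The following is an added example, not part of the original article or of the hotspot script: fw_verdict and check are hypothetical helper names, and both rulesets are constructed samples in iptables-save format.

```shell
#!/bin/sh
# Added example: offline first-match evaluation of the FORWARD chain.
# Reads iptables-save text on stdin; models only -p, --dport and -j for a
# packet that starts a new connection (rules with --ctstate are skipped).

# fw_verdict PROTO DPORT  ->  prints ACCEPT, DROP or REJECT
fw_verdict() {
    awk -v proto="$1" -v dport="$2" '
        # ":FORWARD DROP [0:0]" is the chain policy, used when no rule matches
        $1 == ":FORWARD" { policy = $2; next }
        $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            p = ""; d = ""; target = ""; skip = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")        p = $(i + 1)
                if ($i == "--dport")   d = $(i + 1)
                if ($i == "-j")        target = $(i + 1)
                if ($i == "--ctstate") skip = 1
            }
            # A rule without -p or --dport matches any protocol or port
            if (!skip && (p == "" || p == proto) && (d == "" || d == dport))
                verdict = target
        }
        END { print (verdict != "" ? verdict : policy) }
    '
}

# Constructed sample: an accept-all rule, then a DROP appended after it
ORDER_BUG=':FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j DROP'

# Constructed sample: a whitelist like firewall.sh, as iptables-save prints it
WHITELIST=':FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT'

# check RULES PROTO DPORT: evaluate one packet against a ruleset string
check() { printf '%s\n' "$1" | fw_verdict "$2" "$3"; }

echo "accept-all first, tcp/80: $(check "$ORDER_BUG" tcp 80)"
echo "whitelist, tcp/443:       $(check "$WHITELIST" tcp 443)"
echo "whitelist, tcp/22:        $(check "$WHITELIST" tcp 22)"
```

On the router itself, the live ruleset can be fed in with sudo iptables-save -t filter | fw_verdict tcp 22.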

Make a persistent configuration

The hotspot script uses the file /etc/iptables.ipv4.nat to store the configuration. If your rules are working, save the present configuration to it:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

This way, the file is loaded and your changes are applied directly.


Network Monitoring

If the Raspberry Pi firewall works fine, you can add some packages to extend Raspbian's capabilities, for example a web interface to monitor what occurs on the network.

For this, you can use Webmin, which is a web interface. Download the recent version and run the setup. Then set a password and choose whether to use SSL.


Websites and Proxy Filter

Here, we install Squid as the proxy and SquidGuard as the filter for the Raspberry Pi firewall.

To install Squid, run “sudo apt install squid”, then back up the configuration file:

cd /etc/squid
sudo mv squid.conf squid.conf.old

Now, switch to the root user and strip all comments:

sudo su
cat squid.conf.old | egrep -v -e '^[[:blank:]]*#|^$' > squid.conf

Add these lines at the beginning of the file:

acl LocalNet src 192.168.42.0/24
http_access allow LocalNet

Now, restart Squid to apply the changes with “sudo systemctl restart squid”.

Once Squid is configured, there are two choices. The first is to use the Raspberry Pi firewall as an HTTP proxy by configuring the web browser. The other is to redirect all HTTP traffic automatically to Squid.

Installation of SquidGuard

It is time to install SquidGuard with “sudo apt install squidguard”. Download the website list by category and extract the archive. While extracting, you can see the blacklist categories on the screen.

Select one and use it for the SquidGuard configuration. Move the files into the SquidGuard database folder (the dbhome set below) and back up the SquidGuard configuration. Next, create a configuration file and paste the following lines:

dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
dest violence {
    domainlist blacklists/violence/domains
    urllist blacklists/violence/urls
    log violenceaccess
}
acl {
    default {
        pass !violence
        redirect http://localhost/block.html
    }
}

Make any changes you want, then save and exit (CTRL + O, CTRL + X). Now, create the database and restart Squid to apply the changes with “sudo service squid restart”.

Now, try accessing URLs from the domain list and check whether SquidGuard blocks you.



Conclusion

Employing a Raspberry Pi firewall can significantly enhance the security of your network. By following the steps outlined in this article, you can set up a Raspberry Pi firewall and safeguard your network from potential cyber threats. Take the necessary precautions, keep your firewall up-to-date, and stay vigilant to ensure the ongoing protection of your network.

FAQs

  1. Can I use any model of Raspberry Pi for setting up a firewall? Yes, you can use various models of Raspberry Pi, but make sure to consider the processing power and memory requirements based on your firewall’s expected workload.
  2. What other security measures should I implement alongside a Raspberry Pi firewall? Alongside a Raspberry Pi firewall, consider implementing strong passwords, regular system updates, and user authentication protocols to further strengthen your network security.
  3. Can I manage the Raspberry Pi firewall remotely? Yes, you can manage the Raspberry Pi firewall remotely using tools like SSH or web-based administration interfaces.
  4. Is Raspberry Pi firewall suitable for enterprise-level networks? While Raspberry Pi firewalls can be used in small to medium-sized networks, they may not provide the necessary performance and scalability for large enterprise-level networks.
  5. What should I do if I forget the firewall rules I configured? If you forget the firewall rules you configured, you can reset the firewall settings to default and start fresh with the desired rules.
Jack

10 years of experience in information and computer technology. Passionate about electronic devices, smartphones, computers, and modern technology.
