Not even the Raspberry Pi is safe from cyberattacks, partly because the tech community keeps finding innovative ways to use it. Some tech-savvy people even host their blogs on a Raspberry Pi. It is a great sign that so much can be done with such a simple device, but these uses carry risks. A Raspberry Pi can also be an effective, almost no-cost firewall for your network.
There are a few advantages in setting up a Raspberry Pi firewall. Some of them are:
- Get complete control of the network traffic
- Filter out unwanted connections
- Protect your network and devices from threats
In this guide, we will take you through some easy steps to set up the Raspberry Pi firewall.
Why Should You Use Raspberry Pi as a Firewall?
Here are some of the advantages of using a Raspberry Pi device as a firewall:
- Low cost: Raspberry Pi devices are cheap, which makes the Pi cost-effective for home and small-scale setups.
- Less resource consumption: Raspberry Pi consumes very little electricity. This makes it an energy-efficient option.
- Wide range of use: The Pi supports a variety of firewall software, including major options such as Pi-hole, OpenWrt, and iptables.
- Complete control and customization: A firewall setup built from scratch (like the one we are about to do now) provides more customization and control than the ones available for sale.
What Do We Need to Start?
Before we start setting up our Raspberry Pi firewall, make sure you have these ready:
- A Raspberry Pi device (isn’t this a little obvious?)
- Raspberry Pi OS installed on the device (for network projects, we recommend the Lite version)
- A couple of NICs (network interfaces): a wired Ethernet connection and a USB Ethernet or Wi-Fi adapter. One NIC connects to the network and the other connects to the devices we are going to protect.
- Basic Linux operation knowledge to help with configuration and network settings (Unixmen is a good place to start)
Step 1: Getting the Raspberry Pi OS Installed
In most cases, the Raspberry Pi device does not come with the OS pre-installed. We recommend downloading and installing the latest version of the OS from the official Raspberry Pi website.
If you are not comfortable installing the latest version, any version above 3 is sufficient.
How to Update the Raspberry Pi device
Execute this command to update the Pi to the latest security patches. This is important for proper firewall functionality.
sudo apt update && sudo apt upgrade -y
How to Configure the NICs
For the firewall to be operational, we have to configure the Pi with two NICs. One is the External interface (WAN) that connects to the router and subsequently the internet. The second is the Internal interface (LAN), which connects to your local network.
The first step is to list all available network interfaces. To do this, run the command:
ip a
Let’s say the Ethernet interface is named eth0 and the Wi-Fi adapter is named wlan0.
How to Assign Static IP Addresses
To keep the setup simple, let us configure static IPs. To do this, we have to edit the dhcpcd.conf file, usually located in /etc, and set static addresses for both interfaces. Run the following command to open the dhcpcd.conf file:
sudo nano /etc/dhcpcd.conf
Now let us configure the external and internal NICs with different IP ranges. Here is an example:
# External Interface (eth0)
interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

# Internal Interface (wlan0)
interface wlan0
static ip_address=192.168.2.1/24
Restarting the Network Service
Now that the configuration has been edited, restart the network service to apply the changes. Run the command:
sudo systemctl restart dhcpcd
How to Enable IP Forwarding
To route network traffic between the NICs, enable IP forwarding. The first step is to open the sysctl.conf file for editing:
sudo nano /etc/sysctl.conf
In the configuration file, the following line will be marked as a comment. Uncomment the line:
net.ipv4.ip_forward=1
Apply the changes by running the command:
sudo sysctl -p
How to Set Up iptables for Firewall Rules
iptables is a tool for filtering network traffic, which makes it ideal for our Raspberry Pi firewall setup. If iptables is not already installed, install it by running the command:
sudo apt install iptables -y
The next step is to define the basic firewall rules in a new script. The /etc/iptables directory may not exist yet, so create it first, then open the new script:
sudo mkdir -p /etc/iptables
sudo nano /etc/iptables/firewall.sh
Let us give you some basic rules. Please note that this is just a guide and not a rulebook. Feel free to tweak it to your requirements.
#!/bin/sh

# This section removes the existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# This section sets default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# This command gives loopback access
iptables -A INPUT -i lo -j ACCEPT

# These commands allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# These commands allow LAN connections
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# This command is to allow internet access
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Save the script, then make it executable and apply it by running the commands:
sudo chmod +x /etc/iptables/firewall.sh
sudo /etc/iptables/firewall.sh
The next step is to persist the iptables rules. To keep the rules across reboots, run the following commands, which use the iptables-persistent package:
sudo apt install iptables-persistent
sudo netfilter-persistent save
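A check for the ruleset built above, as an added example that is not part of the original guide: the function reads `iptables-save` output and confirms that INPUT and FORWARD default to DROP, that NAT masquerades on the WAN side, and that no ACCEPT rule lets new connections in from outside the LAN. It assumes eth0 is the WAN and wlan0 the LAN, as in the guide; the names `audit_ruleset` and `sample_dump` and the sample dump itself are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the policy this guide builds.
# On the Pi: sudo iptables-save | audit_ruleset eth0 wlan0
audit_ruleset() {   # $1 = WAN interface, $2 = LAN interface; dump on stdin
    awk -v wan="$1" -v lan="$2" '
        /^\*/ { table = substr($0, 2); next }          # "*filter", "*nat", ...
        table == "filter" && $1 == ":INPUT"   { in_pol  = $2 }
        table == "filter" && $1 == ":FORWARD" { fwd_pol = $2 }
        table == "nat" && $2 == "POSTROUTING" && /-j MASQUERADE/ &&
            index($0, " -o " wan " ") { masq = 1 }
        # ACCEPT rules the WAN side can hit: anything not pinned to lo or the LAN.
        table == "filter" && $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") &&
            /-j ACCEPT/ && !index($0, " -i lo ") && !index($0, " -i " lan " ") {
            # Only reply traffic (ctstate without NEW) may come in from outside.
            if ($0 !~ /--ctstate/ || $0 ~ /--ctstate [A-Z,]*NEW/) {
                print "FAIL: reachable from WAN: " $0; bad = 1
            }
        }
        END {
            if (in_pol  != "DROP") { print "FAIL: INPUT policy is "   in_pol;  bad = 1 }
            if (fwd_pol != "DROP") { print "FAIL: FORWARD policy is " fwd_pol; bad = 1 }
            if (!masq) { print "FAIL: no MASQUERADE rule on " wan; bad = 1 }
            if (!bad) print "PASS"
            exit bad + 0
        }'
}

sample_dump() {   # constructed sample of iptables-save output after firewall.sh has run
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
sample_dump | audit_ruleset eth0 wlan0
```

The function exits non-zero when any check fails, so it can gate a later `netfilter-persistent save` after you tweak the rules.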
Wrapping Up
We have just covered the setting up of the Raspberry Pi firewall. For optimal operation of the Pi firewall, you can use adblockers and tracker removers like Pi-hole. To monitor the availability and performance of the Pi device, you have to enable rsyslog and a monitoring tool. Let us know how it went.