Raspberry Pi – build your own DMZ
If you use a computer, you should always think about security. Linux systems are fairly secure compared to Windows systems, which are more exposed to viruses. Security is still a topic you should consider, because no system is 100 percent safe. Systems with an always-on internet connection (file server, mail server, web server, …) are exposed to attacks. For this reason it is a good idea to build a demilitarized zone (DMZ), which sits between your internal network and the router to the internet. There you connect your servers, and you should install one or two firewalls to allow or deny certain connections.
Planning
For your Raspberry Pi this means the following. We want to reduce traffic so that only ports 80 and 443 communicate, if your Raspberry Pi is used as a web server that can be reached from outside over HTTP and HTTPS. If you need to connect to your Pi through SSH from outside, we also have to give permission to port 22. A better idea would be to change the SSH port to something only you know (for example 22356).
Configuration
If you want to get control of your network traffic, you need to use iptables. For this we do the following. The first thing is to get the current version of the CA (certificate authority) certificates:
sudo apt-get install ca-certificates
Next, we need to get the IP address of our router and to find out how our Raspberry Pi communicates with it. This can be done with one simple command:
ifconfig
You will see that your Raspberry Pi uses wlan0 or eth0, so we use either a WLAN stick or an Ethernet cable. With this in mind we save the current rules as the starting point for our iptables configuration file:
sudo bash -c 'iptables-save > /etc/network/iptables'
We also have to add a new line to our network interfaces configuration file, so that all settings are also used after a reboot:
sudo nano /etc/network/interfaces
At the end of the file we add following line:
pre-up iptables-restore < /etc/network/iptables
Now it is time to set the rules for our firewall:
sudo nano /etc/network/iptables
A possible configuration for the example I described above would be:
*filter
:INPUT DROP [23:2584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1161:105847]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
# drop SSH coming from the router before the LAN rule below would accept it
-A INPUT -s 192.168.1.1/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
As you can see, my Raspberry Pi is connected to the router with an Ethernet cable (eth0). This configuration only allows HTTP and HTTPS connections from outside. If you are connected to your Raspberry Pi over SSH through your router, this will no longer be possible. If you need SSH, this configuration would be better:
*filter
:INPUT DROP [7:2625]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1727:207707]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Here I use my WLAN connection, so please remember that you have to change the configuration to fit your network. The following things need to be changed:
- wlan0 or eth0, depending on how your Pi is connected
- the IP addresses of your own network. 192.168.1.1 is my router.
The last step is to load our configuration into the firewall:
sudo iptables-restore < /etc/network/iptables
With the following command you can test your firewall settings:
sudo iptables-save
You should see the current configuration of your firewall.
Problems
If you are connected to your Raspberry Pi over SSH, you may lock yourself out of your own system. If this happens, you need to plug a keyboard and screen into your Pi and change the firewall manually.
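Both the rule ordering in the configuration section and the lock-out problem above come down to one question: which rule in the INPUT chain fires first for a given packet? The following checker is an added example (not part of the original post) that parses a ruleset in iptables-save format, walks a test packet through the INPUT chain in order the way the kernel does, reports rules that can never fire because an earlier rule already matches everything they match, and answers "would this ruleset cut off my SSH session?" before iptables-restore loads it. It only understands the matches the post uses (-i, -s, -p, --dport, --icmp-type, --state). The ruleset, the addresses 203.0.113.5 and 192.168.1.20 and the zeroed counters are constructed for the example; the router-SSH DROP is placed before the LAN ACCEPT, and the post's original order is kept as a second ruleset to show why that matters.

```python
"""Offline checker for iptables-save rulesets (added example, not from the post).
Parses the *filter table, evaluates test packets against the INPUT chain in rule
order, flags shadowed rules and checks whether an SSH session would survive."""
import ipaddress
import shlex

NAMES = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport",
         "--icmp-type": "icmp_type", "--state": "state", "-j": "target"}
DROP_ROUTER_SSH = "-A INPUT -s 192.168.1.1/32 -p tcp -m tcp --dport 22 -j DROP"
ACCEPT_LAN = "-A INPUT -s 192.168.1.0/24 -j ACCEPT"

# Constructed ruleset: the post's eth0 "web only" example, with the router-SSH
# DROP placed before the LAN ACCEPT so that it can actually fire.
RULESET = f"""\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
{DROP_ROUTER_SSH}
{ACCEPT_LAN}
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# The same rules in the order the post lists them: LAN ACCEPT first, then the DROP.
RULESET_POSTED_ORDER = RULESET.replace(
    f"{DROP_ROUTER_SSH}\n{ACCEPT_LAN}", f"{ACCEPT_LAN}\n{DROP_ROUTER_SSH}")

def parse_ruleset(text):
    """Return (policies, chains): default policy per chain and its rules in order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                   # chain header, e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A" or toks[1] not in chains:
            raise ValueError(f"unsupported or out-of-order line: {line}")
        rule = {"raw": line}
        for opt, val in zip(toks[2::2], toks[3::2]):   # every option here takes one value
            if opt == "-m":                        # match-extension name; its options follow
                continue
            if opt == "-i" and val in ("tcp", "udp", "icmp"):
                raise ValueError(f"-i takes an interface name, not a protocol: {line}")
            if opt == "-s":
                val = ipaddress.ip_network(val, strict=False)
            elif opt in ("--dport", "--icmp-type"):
                val = int(val)
            elif opt == "--state":
                val = set(val.split(","))
            elif opt not in NAMES:
                raise ValueError(f"unsupported option {opt} in: {line}")
            rule[NAMES[opt]] = val
        chains[toks[1]].append(rule)
    return policies, chains

def packet(iface, src, proto, dport=None, icmp_type=None, state="NEW"):
    """A constructed test packet as the Pi's INPUT chain would see it."""
    return {"iface": iface, "src": ipaddress.ip_address(src), "proto": proto,
            "dport": dport, "icmp_type": icmp_type, "state": state}

def rule_matches(rule, pkt):
    """Every match in the rule must hold for the packet (raw/target are not matches)."""
    return all(pkt[k] in v if k in ("src", "state") else pkt[k] == v
               for k, v in rule.items() if k not in ("raw", "target"))

def verdict(text, pkt, chain="INPUT"):
    """(target, rule number) of the first matching rule, else (chain policy, None)."""
    policies, chains = parse_ruleset(text)
    for n, rule in enumerate(chains[chain], 1):
        if rule_matches(rule, pkt):
            return rule["target"], n
    return policies[chain], None

def shadowed_rules(text, chain="INPUT"):
    """Rules that can never fire because an earlier rule matches everything they match."""
    rules, dead = parse_ruleset(text)[1][chain], []
    for n, later in enumerate(rules, 1):
        if any(all(k in later and (later[k].subnet_of(v) if k == "src" else
                                   later[k] <= v if k == "state" else later[k] == v)
                   for k, v in earlier.items() if k not in ("raw", "target"))
               for earlier in rules[:n - 1]):
            dead.append(n)
    return dead

def would_lock_out(text, my_src, iface, ssh_port=22):
    """True if loading the ruleset would drop a new SSH connection from my_src."""
    return verdict(text, packet(iface, my_src, "tcp", dport=ssh_port))[0] != "ACCEPT"

if __name__ == "__main__":
    # Constructed traffic; 203.0.113.5 stands in for a host on the internet.
    for src, port in (("203.0.113.5", 443), ("203.0.113.5", 22), ("192.168.1.1", 22), ("192.168.1.20", 22)):
        print(f"{src:>13} -> tcp/{port}: {verdict(RULESET, packet('eth0', src, 'tcp', dport=port))}")
    print("shadowed in posted order:", shadowed_rules(RULESET_POSTED_ORDER))
```

Run it against your own /etc/network/iptables before the iptables-restore step: feed the file's text to would_lock_out with the address and interface you are connecting from, and look at shadowed_rules. In the post's original order the router-SSH DROP is reported as shadowed, because the preceding 192.168.1.0/24 ACCEPT already covers 192.168.1.1, so packets from the router never reach it; with the DROP moved up, the same packet is dropped by rule 4 while a LAN host still gets through on rule 5.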