Firewalling Raspbian

In a recent post, I discussed setting up an OpenVPN server on a Raspberry Pi. I relied on a nice tutorial from readwrite that you can find here. However, I found a discrepancy with the guide pertaining to its discussion of firewalls. The tutorial states that Raspbian has a firewall enabled by default. While iptables is certainly present by default (it’s part of the kernel), and it is often the basis for a very powerful firewall, it is not configured to be a firewall by default. Read on to learn how to enable a firewall on your Internet-facing Pi (including OpenVPN servers)!

What Is A Firewall?

A firewall protects your computer from unwanted network connections, which can be malicious. It consists of a list of rules that determine what your computer does with packets it receives from the network. Ideally, these rules allow connections to the services you need to use and block everything else. For example, a firewall on a personal computer may block all incoming connections and allow all outgoing connections by default. This simple setup will work for most users. However, if you want to be able to connect to that computer remotely using ssh, you will need to tell the firewall to allow incoming connections on port 22, while continuing to block everything else. This is the process we will follow: close everything off and only open up what we need.

Installing A Firewall On Raspbian

On Linux, and therefore Raspbian, iptables, which is a packet filtering framework, is present as part of the kernel. The rules are somewhat arcane, and I am certainly no expert. Fortunately, I don’t have to be, because Uncomplicated Firewall (ufw) can leverage the power of iptables in a (more) user-friendly way. Let’s get it loaded.

First, let’s make sure our packages are up to date and install ufw:

sudo apt update
sudo apt install ufw

If you want, you can run the following command to make sure that installed properly:

sudo ufw status

The current status should be disabled, and that is a good thing. We need to add some rules prior to enabling the firewall. If you are currently connected to your Pi via SSH, enabling the firewall at this point will kill the connection, and you won’t get it back. I repeat, do not enable the firewall yet!

Allowing Remote Connections

If you are not running any type of server on your Pi and are not accessing it remotely, but you are using the Pi to access the Internet, you can skip down to enabling the firewall. If you are accessing the Pi remotely (e.g., using ssh), you must add the following rule prior to enabling the firewall! Note that this rule specifically deals with ssh, which uses port 22. If you use a different port for ssh, or another protocol altogether, change the port number in the following command to the number you require.

I’m going to show you two ways to enable ssh access. The first way will allow you to ssh from anywhere, while the second will only allow ssh traffic from inside the network that the Pi is on. I’ll let you decide which you would prefer to use.

#option 1
sudo ufw allow ssh

#option 2
#replace 192.168.0.0/24 with the information for your network
sudo ufw allow from <192.168.0.0/24> to any port 22

OpenVPN Specific Rules

Next we need to add a few rules so that OpenVPN will work properly. The first is relatively straightforward, and it allows the Pi to accept traffic on port 1194 using the UDP protocol. If you remember from your setup this is the port and protocol used by OpenVPN to send/receive traffic from VPN clients.

sudo ufw allow 1194/udp

Our firewall defaults to dropping every packet that is to be forwarded through the Pi. We need to change that default to ACCEPT by editing /etc/default/ufw. To open the file for editing, you can use this command in the terminal:

sudo nano /etc/default/ufw

Now look for the line that says:

DEFAULT_FORWARD_POLICY="DROP"

and change it to:

DEFAULT_FORWARD_POLICY="ACCEPT"

NOTE: Making this change technically violates our goal of closing everything and then only opening up what we need. Our Pi will now accept packets for forwarding on any port by default, not just the OpenVPN traffic on port 1194 that we actually need. Making the above change is recommended in multiple tutorials that I have read and watched (e.g., Digital Ocean Tutorial). If anyone knows of a more specific rule, please let me know. I am working on figuring it out myself and will update the article if I come up with something that works.

We also need to tell the firewall what to do with the packets it receives. This will require adding some rules to /etc/ufw/before.rules. Open the file in the terminal with this command:

sudo nano /etc/ufw/before.rules

Add the following lines to /etc/ufw/before.rules, after the first block of comments. Add everything below into the file, including the comments. Be sure to replace everything in angle brackets with the information for your specific setup: the address block after "-s" is the range that the VPN clients will use; the "wlan0" after "-o" tells the firewall that I am using a wireless adapter on my Pi (if you are using wired ethernet with your Pi, change this to "eth0"); and the address after "--to-source" should be changed to match your Pi's IP address.

# NAT rules for OpenVPN
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through wlan0 (use eth0 for wired)
-A POSTROUTING -s <10.8.0.0/24> -o wlan0 -j SNAT --to-source <192.168.0.100>
COMMIT

Note that if you have not given your Pi a static IP, you should substitute the line above that begins “-A POSTROUTING” with the following:

-A POSTROUTING -s <10.8.0.0/24> -o wlan0 -j MASQUERADE
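
As an added example (not code from the original article), here is a small POSIX shell helper that generates the *nat block above for either the static-IP (SNAT) or dynamic-IP (MASQUERADE) case and inserts it after the first comment block of a before.rules file, refusing to add a second *nat table. The file path, VPN subnet, outbound interface and Pi address are all arguments; the values in the usage comment are the article's sample values.

```shell
#!/bin/sh
# Added example: build the *nat block this article adds to
# /etc/ufw/before.rules and place it after the leading comment block.
# Usage: nat_block VPN_SUBNET OUT_IFACE [PI_STATIC_IP]
# With a static IP the rule uses SNAT --to-source, otherwise MASQUERADE.
nat_block() {
    vpn_subnet=$1; out_iface=$2; pi_ip=$3
    if [ -n "$pi_ip" ]; then
        rule="-A POSTROUTING -s $vpn_subnet -o $out_iface -j SNAT --to-source $pi_ip"
    else
        rule="-A POSTROUTING -s $vpn_subnet -o $out_iface -j MASQUERADE"
    fi
    printf '%s\n' \
        '# NAT rules for OpenVPN' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "# Allow traffic from OpenVPN clients out through $out_iface" \
        "$rule" \
        'COMMIT'
}

# Usage: insert_nat_block FILE VPN_SUBNET OUT_IFACE [PI_STATIC_IP]
# Inserts the block before the first non-comment line of FILE. Refuses to
# run if FILE already has a *nat table: a second one would break ufw's reload.
insert_nat_block() {
    file=$1; vpn_subnet=$2; out_iface=$3; pi_ip=$4
    if grep -q '^\*nat' "$file"; then
        echo "$file already contains a *nat table; nothing changed" >&2
        return 1
    fi
    block=$(nat_block "$vpn_subnet" "$out_iface" "$pi_ip")
    tmp=$(mktemp)
    # Copy leading comment lines, emit the block at the first other line,
    # then copy the rest; append it if the file was comments only.
    awk -v block="$block" '
        !done && !/^#/ { print block; done = 1 }
        { print }
        END { if (!done) print block }
    ' "$file" > "$tmp"
    # Write back through the existing file so its ownership and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# On the Pi, as root (wlan0 and 192.168.0.100 are the article's sample values):
#   . ./nat_rules.sh; insert_nat_block /etc/ufw/before.rules 10.8.0.0/24 wlan0 192.168.0.100
```

If your ufw version has the route subcommand, `sudo ufw route allow in on tun0 out on wlan0` (tun0 being OpenVPN's usual tunnel interface, an assumption here) permits only VPN-to-LAN forwarding, so DEFAULT_FORWARD_POLICY can stay at DROP.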

If You Are Using the ReadWrite Tutorial

If you are reading this article prior to (or concurrently with) the readwrite tutorial, know that you can skip steps 11 and 12. If you have already completed that tutorial but have taken the steps outlined in this article to create a firewall, you no longer need the /etc/firewall-openvpn-rules.sh file or the related change in /etc/network/interfaces, as the rule from that file is now located in /etc/ufw/before.rules!

To delete the rule file, use the following command:

sudo rm /etc/firewall-openvpn-rules.sh

Now open /etc/network/interfaces:

sudo nano /etc/network/interfaces

Delete the following line from the file:

pre-up /etc/firewall-openvpn-rules.sh

Be sure to save the changes you make to the file prior to closing it.

Start Me Up

You can now enable the firewall:

sudo ufw enable

If you want to learn more about how to configure ufw or iptables, the best place to start is their corresponding man pages. If you have any questions or comments, please leave them below!
