How easy it is to configure a firewall with FERM
When you run a website or other applications on a Raspberry Pi, it is always good to have an overview of its network communication and a properly set-up firewall. Anyone who is completely unfamiliar with iptables parameters will find it quite difficult to get a decent firewall into operation. FERM Firewall (http://ferm.foo-projects.org/) exists exactly for this purpose: it is a wrapper around iptables that greatly simplifies the syntax for writing rules. In this example we will show how ferm makes it easy to configure a fully functional firewall for your web server and ssh on Raspbian.
1. Update/upgrade.
root@raspberrypi:~# apt-get update && apt-get -y upgrade
2. Install the FERM firewall and conntrack packages.
root@raspberrypi:~# apt-get install ferm conntrack
When the installer asks "Enable ferm on bootup", answer: Yes
3. I recommend changing the default SSH port 22 to another one; in our example it will be changed to 63222. The best choice is a number from the unregistered (dynamic/private) port range (49152-65535).
Port 22 is one of the most frequently attacked ports!
root@raspberrypi:~# nano /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 63222 #default 22
...
root@raspberrypi:~# service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
After restarting ssh, do NOT close the current console! First open a new connection to the server on the new port to test that it works.
4. Firewall configuration.
root@raspberrypi:~# nano /etc/ferm/ferm.conf
# -*- shell-script -*-
#
# Example for ssh(63222), http, https and IPv6
#
table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # snmp - if you need it for monitoring such as CACTI, ICINGA, ...
        proto udp dport snmp ACCEPT;

        # allow tcp SSH, FTP, HTTP, HTTPS, ...
        proto tcp dport (63222 http https) ACCEPT;
    }

    # outgoing connections are not limited
    chain OUTPUT {
        policy ACCEPT;
    }

    # only for a router
    chain FORWARD {
        policy DROP;
    }
}

# IPv6 rules
#domain ip6 table filter {
#    chain INPUT {
#        policy DROP;
#
#        # connection tracking
#        mod state state INVALID DROP;
#        mod state state (ESTABLISHED RELATED) ACCEPT;
#
#        # allow local connections
#        interface lo ACCEPT;
#
#        # allow ICMP (for neighbor solicitation, like ARP for IPv4)
#        proto ipv6-icmp ACCEPT;
#
#        # allow tcp connections
#        proto tcp dport (http https) ACCEPT;
#    }
#
#    # outgoing connections are not limited
#    chain OUTPUT policy ACCEPT;
#
#    # only for a router
#    chain FORWARD policy DROP;
#}
root@raspberrypi:~# service ferm restart
[ ok ] Reloading Firewall configuration....
5. List the rules in iptables and, out of curiosity, also the current connections.
root@raspberrypi:~# iptables -nvL
Chain INPUT (policy DROP 43 packets, 5669 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   27  1772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23 packets, 2164 bytes)
 pkts bytes target     prot opt in     out     source               destination
Listing of the current connections:
root@raspberrypi:~# conntrack -L
tcp      6 299 ESTABLISHED src=192.168.252.119 dst=192.168.252.120 sport=51374 dport=63222 src=192.168.252.120 dst=192.168.252.119 sport=63222 dport=51374 [ASSURED] mark=0 use=1
tcp      6 431957 ESTABLISHED src=192.168.252.120 dst=192.168.252.119 sport=22 dport=50941 src=192.168.252.119 dst=192.168.252.120 sport=50941 dport=22 [ASSURED] mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 2 flow entries have been shown.
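As an added check that is not part of the original article: a small Python script that reads an `iptables -nvL` listing (piped in on the Pi, or the constructed sample below, copied from step 5) and reports whether the live rule set matches the ferm policy you intended: INPUT and FORWARD default to DROP, and INPUT accepts exactly the planned ports, so a forgotten port 22 rule or a reload that did not apply is caught before you rely on it. The file name check_fw.py is an assumption.

```python
# Audit an `iptables -nvL` listing against the intended ferm policy (added example).
import re
import sys

# Constructed sample, copied from the step 5 listing (column header rows omitted).
SAMPLE = """\
Chain INPUT (policy DROP 43 packets, 5669 bytes)
   27  1772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 23 packets, 2164 bytes)
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")   # "Chain INPUT (policy DROP ..."
DPT_RE = re.compile(r"\b(tcp|udp) dpt:(\d+)")            # "tcp dpt:63222"


def parse_listing(text):
    """Map each chain to its default policy and the (proto, port) pairs it ACCEPTs."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "accept": set()}
            continue
        fields = line.split()  # pkts bytes target prot opt in out src dst [extra]
        if current and len(fields) > 2 and fields[2] == "ACCEPT" and (m := DPT_RE.search(line)):
            chains[current]["accept"].add((m.group(1), int(m.group(2))))
    return chains


def audit(text, tcp_ports, udp_ports=()):
    """Return a list of findings; an empty list means the rule set matches the intent."""
    chains = parse_listing(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):  # both must default to DROP, as in ferm.conf
        if chains.get(chain, {}).get("policy") != "DROP":
            findings.append(f"{chain} policy is not DROP")
    opened = chains.get("INPUT", {}).get("accept", set())
    wanted = {("tcp", p) for p in tcp_ports} | {("udp", p) for p in udp_ports}
    findings += [f"unexpected {pr}/{po} open in INPUT" for pr, po in sorted(opened - wanted)]
    findings += [f"expected {pr}/{po} not open in INPUT" for pr, po in sorted(wanted - opened)]
    return findings


if __name__ == "__main__":  # on the Pi: iptables -nvL | python3 check_fw.py
    problems = audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read(), {63222, 80, 443}, {161})
    sys.exit("\n".join(problems) or None)  # findings go to stderr with exit status 1
```

Run without a pipe it audits the embedded sample and exits 0; any finding is printed and the exit status becomes 1, so the check can sit in a deployment script.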