How easy it is to configure a firewall with FERM

When you run a website or other applications on a Raspberry Pi, it is always good to have an overview of network communication and a firewall in place. Anyone completely unfamiliar with iptables parameters will find it quite difficult to put a decent firewall into operation. [FERM Firewall](http://ferm.foo-projects.org/) exists for exactly this purpose. It is a complex wrapper which greatly simplifies the syntax of writing rules. In this example we will demonstrate how easily Ferm configures a fully functional firewall for your web server and ssh on Raspbian.

1. Update/upgrade.

root@raspberrypi:~# apt-get update && apt-get -y upgrade

2. Install the FERM firewall and conntrack packages.

root@raspberrypi:~# apt-get install ferm conntrack
Enable ferm on bootup: Yes

3. I recommend changing the default SSH port 22 to another one; in our sample we will change it to 63222. The best solution is to choose a number from the unregistered port range (49152-65535).

Port 22 is one of the most affected ports!

root@raspberrypi:~# nano /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 63222    #default 22
...
root@raspberrypi:~# service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

!!! Before you close the current console after restarting ssh, first open a new connection and test connectivity to the server on the new port!

4. Firewall configuration.

root@raspberrypi:~# nano /etc/ferm/ferm.conf
# -*- shell-script -*-
#
#  Example for ssh(63222), http, https and IPv6
#
 
table filter {
    chain INPUT {
        policy DROP;
 
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
 
        # allow local packet
        interface lo ACCEPT;
 
        # respond to ping
        proto icmp ACCEPT;
 
        # snmp - if you need for monitoring as CACTI, ICINGA, ...
        proto udp dport snmp ACCEPT;
 
        # allow tcp SSH, FTP, HTTP, HTTPS, ...
        proto tcp dport (63222 http https) ACCEPT;
    }
 
    # outgoing connections are not limited
    chain OUTPUT {
        policy ACCEPT;
    }
 
    # only for a router
    chain FORWARD {
        policy DROP;
    }
}
 
# IPv6 rules
#domain ip6 table filter {
#    chain INPUT {
#        policy DROP;
 
        # connection tracking
#        mod state state INVALID DROP;
#        mod state state (ESTABLISHED RELATED) ACCEPT;
 
        # allow local connections
#        interface lo ACCEPT;
 
        # allow ICMP (for neighbor solicitation, like ARP for IPv4)
#        proto ipv6-icmp ACCEPT;
 
        # allow tcp connections
#        proto tcp dport (http https) ACCEPT;
 
#    }
 
    # outgoing connections are not limited
#    chain OUTPUT policy ACCEPT;
 
    # only for a router
#    chain FORWARD policy DROP;
#}

root@raspberrypi:~# service ferm restart
[ ok ] Reloading Firewall configuration....

5. List the rules in iptables and, out of curiosity, the ongoing connections.

root@raspberrypi:~# iptables -nvL
Chain INPUT (policy DROP 43 packets, 5669 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   27  1772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 23 packets, 2164 bytes)
 pkts bytes target     prot opt in     out     source               destination

Listing of current connections:

root@raspberrypi:~# conntrack -L
tcp      6 299 ESTABLISHED src=192.168.252.119 dst=192.168.252.120 sport=51374 dport=63222 src=192.168.252.120 dst=192.168.252.119 sport=63222 dport=51374 [ASSURED] mark=0 use=1
tcp      6 431957 ESTABLISHED src=192.168.252.120 dst=192.168.252.119 sport=22 dport=50941 src=192.168.252.119 dst=192.168.252.120 sport=50941 dport=22 [ASSURED] mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 2 flow entries have been shown.
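
An added example (not part of the original article): a shell function that audits the `iptables -nvL` listing from step 5 against the ports you meant to open, and flags a non-DROP INPUT policy or an accept-everything rule. The names `sample_listing` and `audit_input` and the `proto/port` allowlist format are assumptions of this example.

```shell
#!/bin/sh
# Sample input: the INPUT chain copied from the step 5 listing above.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 43 packets, 5669 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   27  1772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
EOF
}

# audit_input "proto/port ..." reads an `iptables -nvL` listing on stdin,
# prints one FAIL line per finding and returns 1 if there is any finding.
audit_input() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Chain / { chain = $2 }
    /^Chain INPUT / && $4 != "DROP" { print "FAIL INPUT policy is " $4; bad++ }
    chain == "INPUT" && $3 == "ACCEPT" {
        port = ""
        for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
        if (port == "") {
            # no port match: only a bare rule for any proto/interface/source is a problem
            if ($4 == "all" && $6 == "*" && $8 == "0.0.0.0/0" && NF == 9) {
                print "FAIL accept-all rule in INPUT"; bad++
            }
            next
        }
        key = $4 "/" port
        if (!(key in ok)) { print "FAIL unexpected " key " from " $8; bad++ }
    }
    END { exit (bad ? 1 : 0) }'
}

# On the Pi itself: iptables -nvL | audit_input "udp/161 tcp/63222 tcp/80 tcp/443"
sample_listing | audit_input "udp/161 tcp/63222 tcp/80 tcp/443" && echo "INPUT chain matches the allowlist"
```

Dropping `udp/161` from the allowlist makes the function report the SNMP rule, which the sample configuration accepts from any source address.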

6. Enjoy!

Of course, imagination has no limits, and on the Internet you can find more Ferm configuration examples. This page serves as an example of a basic functional firewall on a Raspberry Pi with Raspbian for your website. In Ferm you can of course create more complex structures, define variables, use port names from /etc/services as in the example or port numbers directly, etc.

Resources: FERM Projects, Sigterm, Debian Wiki