Firewall your home network with a Raspberry Pi

No readers like this yet.
bees network

Opensource.com

Although the Raspberry Pi 3 was recently announced, the Raspberry Pi 2 still has plenty of life and is more than suitable for many interesting and useful tasks.

I have a few Raspberry Pis sitting around that I've been exploring for other interesting projects, one of which is the possibility of replacing a very old single-core 64-bit Intel rackmount server that I use for the primary firewall and router on the edge of my network. But before I disrupt the main firewall and gateway for my network, I wanted to test the Pi a bit and see just what it would take to make this happen.

Replacing a tower

I also have a dual-core Intel tower that I use as a firewall and side door to my network. This computer is extreme overkill for that task, and I can definitely use it in a more appropriate role. Because this computer provides non-critical access to my network, I decided to replace it with a Raspberry Pi 2 Model B as a test.

Power supply

I used Raspberry Pi 2 Model B, but a Raspberry Pi 3 should also work. I powered the Pi from a spare Kindle 5V 1.8A USB power block on a standard household extension cord that I plugged into a UPS to provide consistent power. I used a very short USB to micro-USB cable from the power block to the power connector on the Pi.

KVM switch

I have several of my infrastructure hosts connected to a 16-port KVM switch with VGA and PS/2 inputs. I wanted to use the KVM for the Pi as well. I connected the keyboard and mouse input of the KVM to the Pi with a USB to PS/2 adapter cable. The USB end plugs into the Pi and the connectors from the KVM switch cable plug into the PS/2 connectors on the adapter. I have found in the past that some brands of the USB to PS/2 adapter don't work well.

For the video connection I initially used an HDMI to VGA adapter that is a single, solid unit. This device produced a lot of heat, much of which was transmitted into the Pi through the HDMI connector. I later substituted the single unit for an adapter that has a short length of cable between the HDMI connector and the VGA converter, plus a connector unit that produces and transmits significantly less heat.

Installing CentOS

I use CentOS on my other infrastructure servers, so I wanted to use it on the Pi too. Using my main Linux workstation, I downloaded CentOS Userland 7 32-bit ARM distribution for the Pi 2 from the CentOS wiki site, which contains images for other small board computers as well. If you are using the Raspberry Pi 3, you should use that image instead.

Note that the image name may change as newer images are made available. You should always use the most recent image. I uncompressed the downloaded xz image file (using unxz), and then used the dd command to install the image onto an 8GB microSD card.

dd if=CentOS-Userland-7-armv7hl-Minimal-1511-RaspberryPi2.img of=/dev/sdx

Be sure to specify the correct location of your microSD drive on your machine.

No additional steps are required to make the microSD card bootable. I inserted the card into the microSD card slot on the Pi board. I then plugged the micro-USB connector from the power supply into the power connector on the Pi to boot up to a command line interface login prompt.

Initial configuration

I logged in as root using the default password of "centos" (without the quotes) and immediately changed the root password. I changed the hostname in /etc/hostname and followed the instructions in /root/README to expand the root partition to fill all the available space on the microSD card. This included a reboot.

At this point, I connected the on-board network adapter to my internal network so I could install more software and test the network functionality. I installed various utilities that I find useful, including which, screen, vim, rwhois, mlocate, Midnight Commander (mc), mailx, bind-utils, chrony, and wget.

Some other favorites of mine, such as atop and htop, are not yet available from the CentOS repository. I did not install these all at one time because I was unaware of which ones were missing. Instead, I had to run into the problem that a needed tool was not installed and then install it as I progressed through the other steps of this process. Hopefully, this list will make things a bit easier for you. Of course, you may use some tools that I don't, and they may be missing too.

I use SSH keys for logins from my network, so I copied the SSH public key from my primary internal workstation to the Pi using ssh-copy-id.

A second network interface

Because this Pi is to be used as a firewall, I needed another network adapter. After taking eth0 down, I added an ASIX AX88178 USB Gigabit Ethernet dongle. I disconnected my internal network from the on-board network adapter and connected it to the dongle. I configured the dongle as eth1 with a static address on my internal network and I configured the on-board Ethernet with a static external address and connected it to my ISP's router. Be sure to use the HWADDR= line in the interface configuration files to set the MAC address that the configuration file pertains to. I also added the gateway IP address and at least two name servers to the interface configuration file for the inside adapter.

I brought both network adapters up and used ifconfig and a couple ping commands to verify that the network adapters were bound to the correct IP addresses and working properly. Now I could login to the Pi from a terminal session on my main workstation and continue working from there.

Updates and more configuration

It was now time to install all updates and reboot—which I did. I do find it interesting that both current versions of CentOS for ARM use things like firewalld and systemd, but still use yum instead of dnf for high-level package management.

I have some aliases and startup commands that I always add to my environment when I install a new host. These commands can be added to /etc/bashrc, or better yet, as a separate file, /etc/profile.d/mybash.sh. Any file in /etc/profile.d with a .sh filename extension is sourced by /etc/bashrc during login.

Date and time

This version of CentOS does not have any type of time synchronization installed by default, so I installed chrony and configured chrony.conf with my local NTP time server. I started chronyd, and configured systemctl to start chronyd on boot. I also set the /etc/localtime symlink to point to the desired timezone data file.

Firewall

The new firewalld is really overkill for my environment, so I installed iptables-services and iptables-utils. I configured a default /etc/sysconfig/iptables file, then, after turning down the external network connection, I stopped firewalld and configured systemd to not start it on boot. I started iptables and configured systemd to start it on boot. I then brought the external network connection back up.

Violà!

Once you reach this point, the Pi is fully functional as a firewall and side door.

It would be easy to take two more steps and make it into a router. First, set the contents of the file /proc/sys/net/ipv4/ip_forward to "1" and then add or set the following line in /etc/sysctl.conf to "net.ipv4.ip_forward = 1", which makes your computer a router. Then add appropriate lines for source NATing and forwarding to the iptables firewall.

I just received three new Raspberry Pi 3 computers yesterday. I already have one set up with the CentOS-Userland-7-armv7hl-Minimal-1602-RaspberryPi3.img image and will finish configuring it over the next few days to become my primary firewall and router.

 

IPTables Rules

One person has asked in the comments to see the IPTables rules I used for this project, and I suspect that others are interested as well, so here they are. It is a fairly standard minimal set that only allows SSH inbound.

# Generated by iptables-save v1.4.16.2 on Thu Feb 21 14:51:28 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Feb 21 14:51:28 2013

 

David Both
David Both is an Open Source Software and GNU/Linux advocate, trainer, writer, and speaker. He has been working with Linux and Open Source Software since 1996 and with computers since 1969. He is a strong proponent of and evangelist for the "Linux Philosophy for System Administrators."

11 Comments

Great to hear. I have been thinking of setting up a Raspberry Pi as a firewall before but wasn't sure about the USB Ethernet dongles and if they would be fast enough.

I only have the first generation (Model B) currently, which I don't know if it is too under-powered. Maybe I should look at RPi 2?!

I have a 1st Gen Pi model B, also, but wanted to use the Pi 2 B which is not faster, but has more USB ports and which runs CentOS for Pi; the Pi 1 does not run CentOS so you should o with the Pi 2B.

Remember, I am not using this Pi for traffic, just as a firewall that I can use to login to my network remotely. However, I now have a Pi 3B set up as my firewall / router that does handle all of my outside traffic for three web sites and an email server. Using SAR - see my article on SAR "System statistics with sar and the /proc filesystem" on this web site at https://opensource.com/business/16/3/system-statistics-sar-and-proc-fil… - shows that neither the 2B or the 3B ever uses more than 5% of its CPU power, even during my nightly backups.

Also, very subjectively, the Pi firewalls actually seem to be faster when I login remotely.

I get about 1500 emails (mostly SPAM) and 150 web hits a day so my network is very low volume. I would really like to hear from someone who tries the Pi out on a network with a much higher volume to see how it stands up.

If you would like, I can let you know which USB dongle I used for this. I don't have that info right now as I am traveling.

Thanks for your comment.

In reply to by dragonbite

I had been running a pi2 as my home router/firewall for the last year and I loved it. I used Arch, so I enjoyed reading about your use of CentOS. Very happy with how far the pi ecosystem has come in a few short years!
However, I was recently upgraded to TWC Maxx which gives me 300Mb downstream. This meant my pi2 was now a bottleneck since pi's ethernet is limited to 100Mb. D'oh! Even if you add on two gigabit dongles and don't use the built-in ethernet, pi2 & pi3 only have USB2 which is shared among all USB, so total bandwidth is limited to theoretical max 480Mbit, and I never saw more than about ~280Mbit in real-world testing.
Also, as a router, it has to pull data in the public interface and send it out private, so the effective throughput is half of whatever your bus is capable of. My 300Mbit was being bottlenecked by my pi2 to only ~140Mbit or so. :(
If your internet connection is 100Mbit or less, then the pi is a great choice. If you have more bandwidth than 100Mbit but still like the idea of a small RM-based router, then the odroid-xu4 is your ticket: native gigabit and also USB3, so that your gigabit dongles can run full speed also. That's what I'm using now and after replacing the loud stock fan with a passive cooler, I'm very happy with it as my new internet router/firewall.

In reply to by dboth

Great article David. I use my PI2 mainly for media severs but I do have one acting a file sharing server. As of right now, I am using IPFire as my firewall software on a regular desktop. I might try to see if IPFire will run on either the PI2 or PI3 as I never really have thought of the PI as something like a firewall.

Again, thank you David for the insight and a great article.

One of the best articles I have seen. So many other how to articles miss certain components that you covered so well.

In reply to by bmaynard

I use IPFire on several RPi:s and it works very well according to my experience. IPFire is really easy to set up and is very reliable. There are ARM images for IPFire ready to run on the RPi. I mostly use IPFire as a "public-WLAN-to-private-LAN-bridge" and by that I mean connecting the IPFire "red" interface (external) to a public WLAN and connect the ETH interface (green) to the WAN port of an ordinary ADSL router with built in WLAN (a standard home router in other words) and then distribute it to my own "local" clients. This mainly serves two purposes, 1) avoiding to directly connect to a public WLAN (plus the fact that I can apply VPN capabilities for all "local" clients if I want to "hide" my traffic on the public WLAN I'm connecting to at the moment), 2) being able to pull down a public WLAN signal that for some reason would be too weak for tablets, etc. and distribute it closer to my clients with better signal. I use this when on vacation with the family and the hotel has a weak signal that makes the kids go mad when they stream media, etc. In this case I can put the IPFire RPi in some optimal location and also have a much more powerful NIC/antenna that can pull down the signal much better than smaller less powerful devices. I also use this "setup" at work when stationed in a place for a longer period of time. I would recommend trying out IPFire on the RPi.

In reply to by bmaynard

Very nice article !
I didn't know CentOS had a Pi version ( I'm currently using the fedora one ), where did you find the CentOS-Userland-7-armv7hl-Minimal-1602-RaspberryPi3.img image?
Also it could be great if you can share your iptable setup and rules, as I'm thinking of using one of my new raspberry Pi 3 as a firewall.

You may find a second USB network interface faster than the Pi's onboard NIC. USB 3 nic may offer more performance, even if limited to USB interfaces. A strong Powered hub can drive the Pi and accessories. Hubs with a charging port may limit the number of power supplies a full Pi system requires.. It will be interesting to see how the Pi 3's onboard WiFi works in wireless router/ access point applications. Thanks for more on an under supported use of the PI. With router getting locked down, the Pi offers an open source alternative.

I have added the IPTables rules at the bottom of the article. Thanks for that suggestion, Tinsjourney.

what kind of throughput are you seeing using this solution?

I have not really set up a valid speed test for the firewall that can take it to the max, but using speedtest-cli from insode my network, Iget 17.49 Mb down and 2.35Mb up which is over the 15/2 I am supposed to get from TWBC. So I get the best my ISP is prepared to give me.

In reply to by zenmaster24 (not verified)

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.