Simon The Pi Man bookstore
Buy your Pi from Premier Farnell UK
Mmmm Raspberry Pi
Simon the Pi Man
To Infinity (probably) and beyond
(A beginners Resource for the Raspberry Pi computer using the Debian distro)
since June 2012
Keep up to date with our RSS feed

If you are looking for info on the Raspberry Pi computer stay on this site
however
If you are looking for a good cafe in Rye in East Sussex try "Simon the Pie man" near the church.

How2Setup a Raspberry Pi for safe connection to the Internet


One of a set of simple easy to use guides for beginners to set up a Raspberry Pi computer.


My thanks go to John Beale of http://bealecorner.com and
Andrew Scheller of http://www.andrewscheller.co.uk, also Huene for their help in improving this tutorial

This guide explains how to setup a Raspberry Pi Server so that it can safely be connected to the "Big Bad Internet" and blocked from all the hackers and Script Kiddies out there via a DMZ(De Militarised Zone) on your Router. I will be configuring the Web Server I documented in (How2Setup 6.Web Server with php) for Internet connectivity.

1. Firstly - make sure your pi user password is changed from raspberry(the default) (See Beginners Guides - 6 Change my Pi password )

2. Secondly we need to update the Raspberry Pi Unix Kernel(the Kernel is the main operating system of the Raspberry Pi) so that it supports the iptables firewall - so lets get the latest CA(Certificate Authority) certificates.
pi@raspberrypi:~$ sudo apt-get install ca-certificates

3. Next we need to get the Hexxeh rpi-update program
NOTE the whole piece in red has to be typed in without any carriage returns.
pi@raspberrypi:~$ sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

4. We now need to install the git(Kernel directory content management system) core , this is the main software to access the latest Unix build.
pi@raspberrypi:~$ sudo apt-get install git-core

5. We now need to update the Raspberry Pi Kernel to the latest Unix build.
pi@raspberrypi:~$ sudo rpi-update
This seems to take a few minutes so be patient and wait till the pi@raspberrypi:~$ re-appears.

6. We have updated the kernel, but this wont take effect until a reboot - so
pi@raspberrypi:~$ sudo reboot
If you are logging in remotely then your Raspberry Pi session will drop, so wait about a minute and re-try logging back into your Pi

7. At this point we need to check your Routers I.P. address
pi@raspberrypi:~$ sudo grep gateway /etc/network/interfaces

------------------------------------------------------
gateway 192.168.1.1
------------------------------------------------------

As we will be blocking all traffic from there except for port 80 and 443

8. We will now be setting up the iptables rules so that external visitors can see our website, but cant login to our Pi from the Internet so we first need to run the following command.
NOTE there are 2 ' in this line they are required.
pi@raspberrypi:~$ sudo bash -c 'iptables-save > /etc/network/iptables'
This will write a file to /etc/network/iptables, which is the file we will use to initiated iptables from on a system boot.

9. Now let us setup the file so a reboot keeps the iptables configuration to do this we need to edit the /etc/network/interfaces file.
pi@raspberrypi:~$ sudo vi /etc/network/interfaces
The following line need to be added to the end of the file

------------------------------------------------------
pre-up iptables-restore < /etc/network/iptables
------------------------------------------------------

This means that before the network starts setup the iptables from our config file.

10. We now need to edit the iptables file to set the firewall rules.
pi@raspberrypi:~$ sudo vi /etc/network/iptables
The following lines need to be added to your file, the item, in blue is your router IP(Internet Protocol) and red is your network address.
-------------------
*filter
:INPUT DROP [23:2584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1161:105847]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.1.1/32 -i tcp -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
------------------------------------------------------ A quick explanation of the above entries
:INPUT DROP
- this means dont accept any incoming network traffic unless a following rule overrides.
:FORWARD ACCEPT
- this means accept any forwarding requests
:OUTPUT ACCEPT
- Allow any outbound network traffic
-A INPUT -i lo -j ACCEPT
- Allow any connections from the local host
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
- Allow all traffic via port 80 (This is the port used for http)
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
- Allow all traffic via port 443 (This is the port used for https)
-A INPUT -s 192.168.1.0/24 -j ACCEPT
- Allow all traffic from the internal LAN
-A INPUT -s 192.168.1.1/32 -i tcp -p tcp -m tcp --dport 22 -j DROP
- However block any traffic to port 22 (ssh) coming from your firewall
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
- Allow ping traffic so you can test from outside, delete this line once you have finished testing.
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- Finally allow inbound access to any internally generated requests
COMMIT
- Finally commit the entries to the firewall

11. We have written the firewall rules now we need to load them into the firewall.
pi@raspberrypi:~$ sudo iptables-restore /etc/network/iptables
This should have loaded the rules into the firewall.

12. You can check this has worked by typing
pi@raspberrypi:~$ sudo iptables-save
This should list the rules you have just created.
NOTE:- If you are now locked out of your Pi then something went wrong (iptables can be very picky), connnect your Pi to a Television and then re-edit the /etc/network/iptables file - iptables doesnt effect connections from the system console

OK your Raspberry Pi webserver is reasonably secure - no such thing as a guarantee though.
So now you can allow access to the Raspberry Pi via the DMZ in your router.

simonthepiman.com 2012
email:
simon@simonthepiman.com
 


See other gifts available on Zazzle.

Premier Farnell UK


hosted by VillageNetThe Raspberry Pi Foundation is a UK registered charity which exists to promote the study of computer science and related topics, especially at school level, and to put the fun back into learning computing.

Please Note:- any mention of the Raspberry Pi computer on these pages refers to the Raspberry Pi Foundation's product, who also have trademark rights to the term 'Raspberry Pi'.