User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
 

The Raspberry Pi is a nice system which is used a lot of time to provide server services to be accessible from worldwide. That's Owncloud, a HTTP server, seafile or other services..

A VPN is the right way to access the server in a secure way. But if you want to give a lot of people access there is no way other than to allow access direct from the internet. Usually you use a DMZ for this but that's a feature a normal home router doesn't have. But now you should protect the Raspberry from internet access as far as you can and also protect your home network from access from the pi server when an intruder managed to get access to the pi. But note: If an the intruder managed to get root access then the iptables firewall can be turned off very quickly. So it's very important to get SW updates on a regular base.

Following article describes how to configure an iptables firewall to protect it from unauthorized access from the internet and to protect a local home network to be attacked from the server - just in case.


Important: All these actions are as usefull as secure the access to a root account is. This said, you should make sure the software is up to date all the time with security updates - in particular the services you're offering to the internet, e.g apache, owncloud, seafile, ... It's very important to disable direct root access if the ssh daemon is also accessible from the internet. The right approach would be to use a DMZ but in general a standard home router doesn't offer this capability. See this link - How to protect a ssh server from internet access for details how to secure a ssh server.

Following pages describe how to protect a local seafile server with a firewall. Protection of other server daemons just uses other ports but should be similar. If you want to use the rules adapt the local server IP and the local net used to your local environment.

My local net has following characteristics and has to be adapted:

1) Gateway (Router = Fritz 7390): 192.168.0.1

2) Lokal network: 192.168.0.0/255.255.255.0

 

Your local server will be secured as follows:

1) Every access to the local network or to the local internet gateway is blocked.

2) There are only some ports open to be accessible from the internet (In this example teh seafile ports). 

3) Every client from the local network can acces the ssh server

4) Invalid access requests which don't follow thw normal TCP/IP protocoll are blocked

 

Execute following steps to create and activate the firewall:

1) Create a firewall file /etc/network/iptables

2) Create a file /etc/network/if-pre-up.d/firewall with following contents to activate the firewall during system startup

#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables

Seafile server uses tcp ports 8001, 8082, 10001 and 12001. My local network is 192.168.0.0/24 and the local router uses IP 192.168.0.1. Adapt all theses values to your local environment.

# Generated by iptables-save v1.4.14 on Tue Oct 28 21:05:48 2014
*filter
# default is drop all input
:INPUT DROP [103:11216]
:FORWARD DROP [0:0]
# default is to drop all output
:OUTPUT DROP [92:8720]

# logger
-N LOGNDROP  
-F LOGNDROP
-A LOGNDROP -j DROP
-A LOGNDROP -j LOG --log-prefix "LOGNDROP: "

# accept all local
-A INPUT -i lo -j ACCEPT

# accept all established sessions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop requests in INVALID state
-A INPUT -m state --state INVALID -j DROP

# DROP INVALID SYN PACKETS
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOGNDROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGNDROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOGNDROP

# MAKE SURE NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM
-A INPUT -p tcp ! --syn -m state --state NEW -j LOGNDROP

# drop udp
-A INPUT -p udp -j DROP

# DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK RESULT INTO LINUX SERVER PANIC SUCH DATA LOSS
-A INPUT -f -j LOGNDROP

# DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGNDROP

# DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGNDROP

# accept all requests for seafile ports
-A INPUT -p tcp -m multiport --dports 8001,8082,10001,12001 -m state --state NEW -j ACCEPT

# accept ssh request from local network
-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

# accept local broadcasts
-A INPUT -s 192.168.0.0/24 -d 192.168.0.255 -j ACCEPT
-A INPUT -d 255.255.255.255 -j ACCEPT

# accept multicasts
-A INPUT -d 224.0.0.1/32 -j ACCEPT

# accept pings from local network
-A INPUT -s 192.168.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# drop pings otherwise (no logging please)
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "INPUT:DROP:PING" --log-level 6

# drop 7390 pings from fritz
-A INPUT -s 192.168.0.1/32 -p tcp --dport 14013 -j DROP

# log dropped request
-A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6

# DROP INVALID SYN PACKETS
-A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOGNDROP
-A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGNDROP
-A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOGNDROP

# DROP PACKETS WITH OUTGOING FRAGMENTS. THIS ATTACK RESULT INTO LINUX SERVER PANIC SUCH DATA LOSS
-A OUTPUT -f -j LOGNDROP

# DROP OUTGOING MALFORMED XMAS PACKETS
-A OUTPUT -p tcp --tcp-flags ALL ALL -j LOGNDROP

# DROP OUTGOING MALFORMED NULL PACKETS
-A OUTPUT -p tcp --tcp-flags ALL NONE -j LOGNDROP

# accept established requests of seafile
-A OUTPUT -p tcp -m multiport --sports 8001,8082,10001,12001 -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept established ssh connections from local network
-A OUTPUT -d 192.168.0.0/24 -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept output to send email
-A OUTPUT -p tcp --dport 587 -j ACCEPT

# accept local
-A OUTPUT -o lo -j ACCEPT

# accept all stuff directed to router
-A OUTPUT -d 192.168.0.1 -j ACCEPT

# allow ping replies
-A OUTPUT -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT

# log dropped requests
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" --log-level 6
COMMIT

Warning: When the firewall is activated there is access to the firewall only possible with ssh from the local network. There are no software updates possible any more.

In order to update your raspberry you should execute the following commands on a regular base:

sudo iptables -I OUTPUT -j ACCEPT       # erlaube download vom Internet 
sudo apt-get update
sudo apt-get upgrade
sudo iptables -D OUTPUT -j ACCEPT # blockiere jeglichen Zugriff auf das Internet wieder

If there are any connection problems you can check with following command what's blocking the access. In addition you can check for invalid access tries.

less +F /var/log/messages
Add comment

*** Note ***

Comments are welcome. But in order to reject spam posts please consider following rules:
  1. Comments with string http are rejected with message You have no rights to use this tag
  2. All comments are reviewed by hand and thus it usually takes one day until a comment will be published.