{"id":297,"date":"2018-03-18T21:17:52","date_gmt":"2018-03-19T01:17:52","guid":{"rendered":"https:\/\/itp.nyu.edu\/networks\/?page_id=297"},"modified":"2020-09-10T06:20:27","modified_gmt":"2020-09-10T10:20:27","slug":"setting-up-a-firewall-on-an-embedded-linux-device","status":"publish","type":"page","link":"https:\/\/itp.nyu.edu\/networks\/setting-up-a-firewall-on-an-embedded-linux-device\/","title":{"rendered":"Setting Up a Firewall on a Linux Device"},"content":{"rendered":"\n<p>When you run an embedded Linux device like a Raspberry Pi, BeagleBone, or similar device, you&#8217;re running a full operating system. Operating systems run all kinds of services in the background to make your life convenient. Services like an ssh server, an HTTP server, or a mail server spend much of their time listening on network ports and responding to requests. Any service that accepts connections from the network can be attacked through crafted requests. Because of this, it&#8217;s a good idea to set up a <strong>firewall<\/strong> that accepts only the traffic you actually need and blocks the rest.<\/p>\n\n\n\n<p>The same tools apply to a Linux server instance like you might set up on Digital Ocean, Dreamhost, AWS, or other hosting services.<\/p>\n\n\n\n<p>In order to get the most out of this tutorial, you should be familiar with the command line interface for Linux or other POSIX operating environments. You should have <a href=\"https:\/\/itp.nyu.edu\/networks\/tutorials\/setting-up-a-raspberry-pi\/\">set up an embedded device like a Raspberry Pi<\/a> or BeagleBone as well. These instructions assume you&#8217;re using the Debian or Raspbian distributions of Linux.<\/p>\n\n\n\n<p>Firewalls set the rules for what your device&#8217;s network interfaces (e.g. WiFi, Ethernet, etc.) should do with incoming or outgoing data packets. 
There are two common ways to manage the firewall on Linux: iptables directly, or ufw, a simpler front end to iptables. Both work well on embedded Linux devices.<\/p>\n\n\n\n<p>For a few tips on Linux security, see the <a href=\"https:\/\/wiki.ubuntu.com\/BasicSecurity\/DidIJustGetOwned\">Ubuntu page on basic security<\/a>. It has a number of useful tips on the log files you should know about to keep track of your device&#8217;s security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Installing_and_Configuring_the_ufw_Firewall\"><\/span>Installing and Configuring the ufw Firewall<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><a href=\"http:\/\/manpages.ubuntu.com\/manpages\/xenial\/man8\/ufw.8.html\">Ufw<\/a>, or Uncomplicated Firewall, is a firewall front end designed to work with well-known services like HTTP, SSH, and other popular Linux services. It&#8217;s got an interface that&#8217;s relatively easy to remember. It&#8217;s actually a simplified wrapper around the more complex and powerful iptables firewall. By default, ufw denies all incoming traffic and allows all outgoing traffic. From there, you add rules to allow the kinds of incoming traffic that you want.<\/p>\n\n\n\n<p>For more on ufw, see<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.linux.com\/learn\/introduction-uncomplicated-firewall-ufw\">An Introduction to ufw<\/a><\/li><li><a href=\"https:\/\/manpages.ubuntu.com\/manpages\/eoan\/en\/man8\/ufw.8.html\">ufw man page<\/a><\/li><li><a href=\"https:\/\/wiki.debian.org\/Uncomplicated%20Firewall%20%28ufw%29\">Debian ufw wiki page<\/a><\/li><li><a href=\"https:\/\/linode.com\/docs\/security\/firewalls\/configure-firewall-with-ufw\/\">How to Configure a Firewall with ufw<\/a><\/li><li>The Ubuntu community wiki page on <a href=\"https:\/\/help.ubuntu.com\/community\/UFW\">using ufw<\/a><\/li><\/ul>\n\n\n\n<p>First you need to install ufw. 
Assuming you&#8217;ve updated your package lists (<em>sudo apt-get update<\/em>), start by installing ufw:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">$ sudo apt-get install ufw<\/pre>\n\n\n\n<p>Once it&#8217;s installed, set the defaults: allow outgoing traffic and deny incoming. These are also ufw&#8217;s built-in defaults, but stating them makes the configuration explicit:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">$ sudo ufw default allow outgoing\n$ sudo ufw default deny incoming<\/pre>\n\n\n\n<p>If you enabled the firewall now, the deny-incoming default would cut off the ssh session you are working in, so allow ssh before you enable it. The following line allows TCP connections on port 22, the port listed for the ssh service in \/etc\/services:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">$ sudo ufw allow ssh<\/pre>\n\n\n\n<p>If the device is reachable from outside your own network, <em>sudo ufw limit ssh<\/em> does the same but also rate-limits connection attempts (ufw denies an address that opens six or more connections within 30 seconds), which blunts password guessing. If you&#8217;re planning to run an HTTP server, or an HTTPS server, you&#8217;ll need to allow them as well. You can specify not only the application (http, https), but also the transport protocol, like so:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">$ sudo ufw allow http\/tcp\n$ sudo ufw allow https\/tcp<\/pre>\n\n\n\n<p class=\"p1\"><span class=\"s1\">Naming the transport protocol keeps the rule narrow: these lines open only 80\/tcp and 443\/tcp, so UDP datagrams sent to those ports are still denied, whereas a bare port number such as <em>ufw allow 8080<\/em> opens both TCP and UDP. Open only what the service actually listens on. If you&#8217;re planning to do custom server development, you might want to allow the ports you&#8217;ll use for that as well. These settings are typical for node.js development.<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">$ sudo ufw allow 8080\/tcp\n$ sudo ufw allow 8081\/tcp<\/pre>\n\n\n\n<p>Port 8081 is used by the p5.serialserver, which is common at ITP.<\/p>\n\n\n\n<p>Once you&#8217;ve configured your firewall, you enable it like so:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo ufw enable<\/pre>\n\n\n\n<p class=\"p1\">Enabling also arranges for the rules to be loaded at boot. You should reboot once you do this, to check that the rules come back and that you can still log in over ssh. 
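<\/p>\n\n\n\n<p>After the reboot, confirm three things mechanically rather than by eye: the firewall came back active, the default incoming policy is still deny, and no ports beyond the ones you meant to open are allowed. The POSIX shell script below is an added example, not code from the original page or from the ufw project: it takes the text of <em>sudo ufw status verbose<\/em> and an approved list of port\/protocol pairs and reports anything unexpected. The two status listings embedded in it are constructed samples (one clean, one with a flipped default policy and a stray 5353\/udp rule), not output captured from a real device.<\/p>

```sh
#!/bin/sh
# Added example (not from the original tutorial or the ufw project): audit the
# output of `sudo ufw status verbose` against an approved list of inbound ports.
# Both status listings below are constructed samples, not captured output.

# What a device configured as in the tutorial should print.
GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
8081/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
8081/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Drift: the default incoming policy was flipped to allow, and 5353/udp was
# opened without being added to the approved list. The ALLOW OUT row is an
# outbound rule and must not be reported.
BAD_STATUS='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
5353/udp                   ALLOW IN    Anywhere
443/tcp                    ALLOW OUT   Anywhere'

# The ports this tutorial opens; edit to match your device.
APPROVED="22/tcp 80/tcp 443/tcp 8080/tcp 8081/tcp"

# ufw_audit STATUS_TEXT "PORT/PROTO ..."
# Returns 0 when the firewall is active, the default incoming policy is deny or
# reject, and every inbound ALLOW/LIMIT rule is on the approved list. Otherwise
# prints one "audit:" line per finding and returns 1.
ufw_audit() {
    status="$1"; approved="$2"; rc=0

    # Line 1 is "Status: active" or "Status: inactive"; nothing else matters if inactive.
    case "$(printf '%s\n' "$status" | head -n 1)" in
        'Status: active') ;;
        *) echo "audit: firewall is not active"; return 1 ;;
    esac

    # Only `status verbose` prints the Default: line; check it when present.
    if printf '%s\n' "$status" | grep -q '^Default:'; then
        printf '%s\n' "$status" | grep '^Default:' | grep -Eq '(deny|reject) \(incoming\)' \
            || { echo "audit: default incoming policy is not deny"; rc=1; }
    fi

    # First column of every inbound rule row. The action column is ALLOW/LIMIT
    # (plain) or ALLOW IN/LIMIT IN (verbose); IPv6 rows carry a "(v6)" token
    # before it, so scan for the action instead of assuming a column number.
    inbound=$(printf '%s\n' "$status" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "ALLOW" || $i == "LIMIT") {
                if ($(i + 1) != "OUT") print $1
                break
            }
    }' | sort -u)

    for rule in $inbound; do
        ok=0
        for a in $approved; do
            [ "$rule" = "$a" ] && ok=1
        done
        [ "$ok" -eq 1 ] || { echo "audit: unexpected inbound rule for $rule"; rc=1; }
    done
    return $rc
}

# Stand-alone demo on the constructed samples. On a real device use:
#   ufw_audit "$(sudo ufw status verbose)" "$APPROVED"
ufw_audit "$GOOD_STATUS" "$APPROVED" && echo "good sample: no findings"
ufw_audit "$BAD_STATUS" "$APPROVED" || echo "bad sample: findings above (exit 1)"
```

<p>On a real device, run <em>ufw_audit \"$(sudo ufw status verbose)\" \"$APPROVED\"<\/em> from a cron job or your deployment script and treat a non-zero exit as a configuration drift alert. The audit deliberately ignores ALLOW OUT rules, since this page only restricts incoming traffic, and it collapses the IPv4 and IPv6 rows that ufw prints for each rule into one entry.<\/p>\n\n\n\n<p class=\"p1\">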
Once enabled, you can get a status report from ufw like so:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">sudo ufw status<\/pre>\n\n\n\n<p>You should get a reply like this (<em>sudo ufw status verbose<\/em> also shows the default policies and the logging level, which are worth checking):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted p1\">Status: active\n\nTo                         Action      From\n--                         ------      ----\n22\/tcp                     ALLOW       Anywhere                  \n80\/tcp                     ALLOW       Anywhere                  \n443\/tcp                    ALLOW       Anywhere                  \n8080\/tcp                   ALLOW       Anywhere                  \n8081\/tcp                   ALLOW       Anywhere                  \n22\/tcp (v6)                ALLOW       Anywhere (v6)             \n80\/tcp (v6)                ALLOW       Anywhere (v6)             \n443\/tcp (v6)               ALLOW       Anywhere (v6)             \n8080\/tcp (v6)              ALLOW       Anywhere (v6)             \n8081\/tcp (v6)              ALLOW       Anywhere (v6)  \n<\/pre>\n\n\n\n<p>Now you&#8217;re finished. However, if you&#8217;d like to know more about iptables, the more complex firewall on which ufw is built, read on. You don&#8217;t need to install iptables separately; ufw depends on it, so it is already on the device. What you should avoid is managing rules with both tools on the same device: ufw keeps its rules in chains of its own, and hand-written iptables rules can conflict with them. Pick one tool per device and stick with it. But if you&#8217;re interested in firewalls, it is useful to understand the difference. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Installing_and_Configuring_the_Iptables_Firewall\"><\/span>Installing and Configuring the Iptables Firewall<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><a href=\"http:\/\/manpages.ubuntu.com\/manpages\/trusty\/man8\/iptables.8.html\">Iptables<\/a> is a more complex firewall than ufw. It&#8217;s harder to understand at first, but allows for a wide range of possible rules. 
The rules explained here block all incoming traffic except ssh on port 22, HTTP and HTTPS on ports 80 and 443, and ports 8080 and 8081, which this example uses for node.js servers. Based on this example, you should be able to add or delete ports in your firewall configuration when you need them.<\/p>\n\n\n\n<p>For more on iptables, the firewall used here, see:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-the-iptables-firewall-works\">How the Iptables Firewall Works<\/a> (a good in-depth introduction)<\/li><li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04\">How To Set Up a Firewall Using Iptables on Ubuntu 14.04<\/a> (not exactly for embedded devices, but a good explanation)<\/li><li><a href=\"https:\/\/blog.onetwentyseven001.com\/iptables-security-part-ii\">Raspberry&nbsp;Pi: IPtables <\/a>(a good starting place for iptables on the Pi)<\/li><\/ul>\n\n\n\n<p>Iptables works by establishing rules for what your computer should do with packets. The rules live in three chains: INPUT for packets addressed to your computer, OUTPUT for packets it sends, and FORWARD for packets that are not addressed to your computer but are passing through it to another device. Forwarding rules are mainly relevant for routers, since forwarding packets is a central part of their job. A rule can accept a packet, drop it (discard it silently), or reject it (discard it and send an error back to the sender). Rules in a chain are checked in order and the first match wins, so you list the specific rules that accept the traffic you want first and end with a catch-all that rejects everything else. 
For example, you might start with rules that accept the traffic you want, then finish with a rule that rejects any packets not already handled&nbsp;by other rules.<\/p>\n\n\n\n<p>The iptables firewall program is part of the Raspbian distribution, but its rules live only in the running kernel and are lost at shutdown, so you need to install iptables-persistent if you want rules that survive a reboot. Install iptables-persistent:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo apt-get install iptables-persistent<\/pre>\n\n\n\n<p>When you do this, the installer asks whether to save the current IPv4 and IPv6 rules in the \/etc\/iptables\/ directory. Say yes to both questions. Once it&#8217;s installed, you need to set up rules. To get started, you can list the current settings like so:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo iptables -S<\/pre>\n\n\n\n<p>This should give you an output like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT<\/pre>\n\n\n\n<p>These are the chain policies, the action taken on a packet that no rule matched. It&#8217;s telling you that iptables will accept packets that are input from a remote source, output from your computer, or forwarded through your device. This is the most permissive setting you can have.<\/p>\n\n\n\n<p>The rules for iptables are saved in the&nbsp;<em>\/etc\/iptables\/<\/em> directory as two files, <em>rules.v4<\/em> and <em>rules.v6<\/em>, for IP version 4 and IP version 6. There&#8217;s a separate utility, <em>ip6tables<\/em>, that manages the firewall for IPv6 traffic. For this exercise, you&#8217;ll just modify <em>rules.v4<\/em>; keep in mind that this leaves the IPv6 side wide open, which matters if your network hands out IPv6 addresses, so either add matching rules to <em>rules.v6<\/em> or make sure the device has no reachable IPv6 address. You can add rules one by one from the command line (the DigitalOcean tutorials linked above show good examples of this), or you can add them all to the file at once. 
To do the latter, open the file with the nano text editor like so:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo nano \/etc\/iptables\/rules.v4<\/pre>\n\n\n\n<p>The default setting will look like this (the dates, the version and the packet:byte counters in square brackets will be different for your file):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Generated by iptables-save v1.4.21 on Fri Jun 2 12:06:45 2017\n*filter\n:INPUT ACCEPT [200:60125]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [61:3865]\nCOMMIT\n# Completed on Fri Jun 2 12:06:45 2017<\/pre>\n\n\n\n<p>To add the rules described earlier, add lines after the :OUTPUT ACCEPT line and before the COMMIT line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-A INPUT -i lo -j ACCEPT\n-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT -i wlan0 -p tcp -m tcp --dport 443 -j ACCEPT\n-A INPUT -i wlan0 -p tcp -m tcp --dport 8080 -j ACCEPT\n-A INPUT -i wlan0 -p tcp -m tcp --dport 8081 -j ACCEPT\n-A INPUT -s <em>192.168.0.1<\/em>\/32 -i wlan0 -p tcp -m tcp --dport 22 -j DROP\n-A INPUT -s <em>192.168.0.0<\/em>\/24 -j ACCEPT\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -j REJECT\n-A FORWARD -j REJECT<\/pre>\n\n\n\n<p>The first line tells the firewall to accept all incoming traffic from this computer itself, on the <strong>loopback<\/strong>&nbsp;interface (<strong>lo<\/strong>). Many local services talk to each other over loopback, so this rule needs to come early.<\/p>\n\n\n\n<p>The second through fifth rules tell it to accept incoming TCP traffic on the WiFi interface (<strong>wlan0<\/strong>) on ports 80, 443, 8080 and 8081. 80 and 443 are the standard HTTP and HTTPS ports, and 8080 and 8081 are common&nbsp;ports for node.js server applications. You can add another rule like these if you want to accept on another port. Note that <em>-i wlan0<\/em> matches only the WiFi interface; if your device is wired, use its Ethernet interface (usually <em>eth0<\/em>) instead, or leave out the <em>-i<\/em> option to match every interface. Run <em>ip link<\/em> to see the interface names on your device.<\/p>\n\n\n\n<p>The seventh rule tells the firewall to accept all traffic from your local network. You need to change <em>192.168.0.0<\/em>\/24 to the address range of your local network, not to the device&#8217;s own address: if your device&#8217;s address is 192.168.1.20 and the netmask is the usual 255.255.255.0, for example, the network is 192.168.1.0\/24. 
The sixth rule tells it to drop ssh packets (port 22) whose source address is your router. Change <em>192.168.0.1<\/em> to the address of your router. It has to come before the local-network rule, because the router&#8217;s address is inside 192.168.0.0\/24 and iptables acts on the first rule that matches.<\/p>\n\n\n\n<p>Together, these two rules and the final REJECT keep ssh logins to your local network: a connection from outside arrives with a source address that is not in 192.168.0.0\/24, matches none of the ACCEPT rules and is rejected, and a connection that your router forwards with its own address as the source is dropped by the sixth rule. If you&#8217;re operating in an institution with multiple networks like ITP, this combination might prevent you from logging into your device if your computer and your device are on different local networks. If so, add an ACCEPT for port 22 from the address range your computer is on (placed before the router rule if that range includes the router), rather than deleting the catch-all and opening ssh to everyone.<\/p>\n\n\n\n<p>The next rule allows incoming packets that belong to connections your device itself started, which the kernel&#8217;s connection tracking marks as ESTABLISHED or RELATED. For example, if you make a request using curl, this rule allows the replies from the remote site that you contacted. It is more usual to put this rule first, since on a busy host most packets match it.<\/p>\n\n\n\n<p>The final rules tell the firewall to reject all other traffic addressed to the device and anything it is asked to forward. REJECT sends an error back to the sender; DROP would discard the packet silently.<\/p>\n\n\n\n<p>These rules are far from comprehensive, but they set&nbsp;a good place to start. Once you&#8217;ve set the rules, save and close the file by typing control-X then Y to confirm save. Then tell iptables to load its rules from this file like so (iptables-restore reads the rules from standard input; keep your current ssh session open and open a second one to confirm you are not locked out):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo iptables-restore &lt; \/etc\/iptables\/rules.v4<\/pre>\n\n\n\n<p>Because you edited <em>rules.v4<\/em> directly, the file already holds what iptables-persistent loads at boot. If you instead add or delete rules from the command line, write the running rules back to the file afterwards; <em>iptables-save<\/em> by itself only prints them to the terminal:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo iptables-save | sudo tee \/etc\/iptables\/rules.v4<\/pre>\n\n\n\n<p>(<em>sudo netfilter-persistent save<\/em> does the same for both <em>rules.v4<\/em> and <em>rules.v6<\/em>.) You can always list the rules again if you want to check using <em>sudo iptables -S<\/em> or <em>sudo iptables -L<\/em>. If you want to delete your rules and start with a fresh set, either delete them from the rules file, or use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ sudo iptables -F<\/pre>\n\n\n\n<p>to flush them all. Flushing removes the rules but not the chain policies, which here are ACCEPT, so the device is wide open until you load a new set. Don&#8217;t forget to load the new rules with <em>iptables-restore<\/em> and write them back to <em>rules.v4<\/em> if you want your fresh start to be persistent.<\/p>\n\n\n\n<p>With one of these installed, you&#8217;ll have a reasonably secure embedded Linux environment in which to experiment. 
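<\/p>\n\n\n\n<p>Because iptables acts on the first matching rule, the two easy ways to lock yourself out are forgetting the ssh ACCEPT altogether and placing it after the catch-all REJECT, and you only find out when your session dies. The POSIX shell script below is an added example, not code from the original page: it generates a complete <em>rules.v4<\/em> for a given interface, local network range and list of TCP ports, and lints a rules file for exactly those mistakes before you hand it to <em>iptables-restore<\/em>. The interface (<em>wlan0<\/em>), network (192.168.0.0\/24) and ports are placeholders to change; the generated set is tighter than the one above in that it accepts ssh only from the local network and nothing else just for being local, and it uses the newer <em>conntrack<\/em> match rather than <em>state<\/em>. The lockout file in the script is a constructed bad example.<\/p>

```sh
#!/bin/sh
# Added example (not from the original tutorial): generate a rules.v4 file for
# iptables-restore and lint it for the mistakes that lock you out of ssh.
# Interface, network and port values are placeholders; change them for your device.

# gen_rules_v4 IFACE LAN_CIDR "PORT ..."
# Prints a complete iptables-restore file on stdout. iptables acts on the first
# rule that matches, so every specific ACCEPT is listed before the catch-all
# REJECT. Tighter than the tutorial's set: ssh is accepted only from LAN_CIDR and
# nothing else is accepted just for coming from the LAN.
gen_rules_v4() {
    iface="$1"; lan="$2"; ports="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for p in $ports; do
        echo "-A INPUT -i $iface -p tcp -m tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A INPUT -s $lan -i $iface -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# lint_rules RULES_TEXT
# Checks a rules file before it goes to iptables-restore over an ssh session:
# it must contain COMMIT, accept loopback, and hold an INPUT ACCEPT for tcp/22
# that appears before the catch-all INPUT REJECT/DROP. Returns 1 with a message
# on stderr otherwise.
lint_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^COMMIT$' \
        || { echo "lint: missing COMMIT; iptables-restore would reject the file" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' \
        || { echo "lint: loopback traffic is not accepted" >&2; return 1; }
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .*--dport 22 -j ACCEPT$' | head -n 1 | cut -d: -f1)
    end_line=$(printf '%s\n' "$rules" | grep -nE -- '^-A INPUT -j (REJECT|DROP)$' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] \
        || { echo "lint: no INPUT ACCEPT for tcp/22; you would lock yourself out" >&2; return 1; }
    if [ -n "$end_line" ] && [ "$ssh_line" -gt "$end_line" ]; then
        echo "lint: ssh ACCEPT on line $ssh_line comes after the catch-all on line $end_line" >&2
        return 1
    fi
    return 0
}

# Constructed bad file: the ssh ACCEPT sits below the catch-all, so it never matches.
LOCKOUT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A INPUT -s 192.168.0.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Stand-alone demo. To apply for real on the device (not run here):
#   printf '%s\n' "$RULES" | sudo tee /etc/iptables/rules.v4 >/dev/null
#   sudo iptables-restore --test < /etc/iptables/rules.v4 && sudo iptables-restore < /etc/iptables/rules.v4
RULES=$(gen_rules_v4 wlan0 192.168.0.0/24 "80 443 8080 8081")
lint_rules "$RULES" && printf '%s\n' "$RULES"
lint_rules "$LOCKOUT_RULES" || echo "constructed lockout file rejected, as intended"
```

<p>To apply a generated file, write it to <em>\/etc\/iptables\/rules.v4<\/em> with <em>sudo tee<\/em>, run <em>sudo iptables-restore --test &lt; \/etc\/iptables\/rules.v4<\/em> (recent iptables versions parse the file without committing it), and only then load it for real, keeping a second ssh session open until you have confirmed that a new one still connects.<\/p>\n\n\n\n<p>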
You&#8217;ll need to customize these rules depending on the applications you plan to run, of course, but this provides a reasonable starting point.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you run an embedded linux device like a Raspberry Pi, BeagleBone, or similar device, you&#8217;re running a full operating system. Operating systems run all kinds of services in the background, to make your life convenient. Services like an ssh server, an http server,&nbsp; or a mail server spend much of their time listening on &hellip; <a href=\"https:\/\/itp.nyu.edu\/networks\/setting-up-a-firewall-on-an-embedded-linux-device\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Setting Up a Firewall on a Linux Device&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-297","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/pages\/297"}],"collection":[{"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/comments?post=297"}],"version-history":[{"count":12,"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/pages\/297\/revisions"}],"predecessor-version":[{"id":830,"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/pages\/297\/revisions\/830"}],"wp:attachment":[{"href":"https:\/\/itp.nyu.edu\/networks\/wp-json\/wp\/v2\/media?parent=297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}