
How to create a Raspberry Pi-powered firewall

by shedboy71

Setting up a Raspberry Pi as a firewall is a cost-effective way to enhance your network security.

This tutorial explains how to configure a Raspberry Pi-powered firewall using iptables and Raspberry Pi OS.

Requirements

  1. A Raspberry Pi (Pi 3, 4, 5 or later recommended for better performance. I used a Raspberry Pi 4).
  2. MicroSD card (8GB or larger).
  3. Two network interfaces:
    • Built-in Ethernet (for WAN or LAN).
    • USB-to-Ethernet adapter or Wi-Fi adapter (for the second interface).
  4. Raspberry Pi OS (Lite version recommended for minimal resource use. I just used the standard one as I already had a SD card setup with this).
  5. Basic knowledge of Linux and networking.

Step 1: Prepare Your Raspberry Pi

Install Raspberry Pi OS

  1. Download and install Raspberry Pi Imager.
  2. Flash Raspberry Pi OS (Lite) to the microSD card.
  3. Enable SSH:
    • In Raspberry Pi Imager's advanced options, enable SSH and set a username and password (or paste an SSH public key). On older images you can instead create an empty file named ssh (no extension) in the boot partition after flashing.
  4. Insert the microSD card into the Raspberry Pi and power it on.

Access the Raspberry Pi

  1. Find the Pi’s IP address using your router’s admin panel or a network scanner.
  2. SSH into the Raspberry Pi as the user you created in Imager:
    ssh <USERNAME>@<IP_ADDRESS>
    

    Raspberry Pi OS releases since 2022 ship without a default account. Older images used the username pi with password raspberry; if you are reusing one of those, change that password before the Pi starts routing traffic.

  3. Update the system:
    sudo apt update && sudo apt upgrade -y
    

Step 2: Configure Network Interfaces

Assign Interfaces

  • Determine the interfaces:
    ip link
    

    Typically, eth0 is the built-in Ethernet and eth1 is the USB-to-Ethernet adapter, but USB adapters can also get a predictable name such as enx followed by the MAC address, so read the names from ip link rather than assuming them.

Static IP Configuration

Edit the dhcpcd.conf file to assign static IPs to the interfaces. This applies to Raspberry Pi OS Bullseye and earlier; Bookworm replaced dhcpcd with NetworkManager, where the same addresses are set with nmtui or nmcli. The WAN address below lives on the existing router's 192.168.1.0/24 network (the Pi sits behind that router, so LAN clients are double-NATed), and the LAN gets its own 192.168.2.0/24. The two prefixes must not overlap or the Pi cannot tell which side a destination is on:

sudo nano /etc/dhcpcd.conf

For eth0 (WAN):

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 8.8.4.4

For eth1 (LAN):

interface eth1
static ip_address=192.168.2.1/24

Restart dhcpcd:

sudo systemctl restart dhcpcd
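
The two stanzas above only work if the WAN and LAN prefixes are distinct, and on Raspberry Pi OS Bookworm dhcpcd is no longer the tool. The script below is an added example, not part of this tutorial: it checks the two CIDR addresses for overlap with plain bash arithmetic and, when run with the argument apply, configures the same addresses through nmcli (NetworkManager's CLI on Bookworm). The interface names and addresses are the tutorial's; the connection names wan and lan are arbitrary choices made here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial. Checks that the WAN and
# LAN prefixes from Step 2 do not overlap, then (with the argument "apply")
# sets the same addresses via nmcli, which is what Raspberry Pi OS Bookworm
# uses in place of dhcpcd. Connection names "wan" and "lan" are arbitrary.
WAN_IF=eth0;  WAN_CIDR=192.168.1.2/24;  WAN_GW=192.168.1.1
LAN_IF=eth1;  LAN_CIDR=192.168.2.1/24
DNS="8.8.8.8 8.8.4.4"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_for LEN -> netmask of a /LEN prefix as an integer (4294967295 = 0xFFFFFFFF)
mask_for() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap A/LEN B/LEN -> true (exit 0) if the two prefixes share addresses.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))
  local m; m=$(mask_for "$len")
  [ $(( $(ip_to_int "$a_ip") & m )) -eq $(( $(ip_to_int "$b_ip") & m )) ]
}

# apply_bookworm: NetworkManager equivalent of the dhcpcd.conf stanzas above
apply_bookworm() {
  if cidr_overlap "$WAN_CIDR" "$LAN_CIDR"; then
    echo "refusing: WAN $WAN_CIDR and LAN $LAN_CIDR overlap, routing would break" >&2
    return 1
  fi
  sudo nmcli connection add type ethernet ifname "$WAN_IF" con-name wan \
    ipv4.method manual ipv4.addresses "$WAN_CIDR" ipv4.gateway "$WAN_GW" ipv4.dns "$DNS"
  # The LAN side gets no gateway: the Pi must never route out through eth1
  sudo nmcli connection add type ethernet ifname "$LAN_IF" con-name lan \
    ipv4.method manual ipv4.addresses "$LAN_CIDR"
  sudo nmcli connection up wan && sudo nmcli connection up lan
}

if [ "${1:-}" = apply ]; then apply_bookworm; fi
```

Run it with no arguments to load the functions for checking, or with apply on a Bookworm Pi to create the two connections. The overlap check is the part worth keeping even if you stay on dhcpcd: a LAN accidentally placed on 192.168.1.0/24, the same prefix as the upstream router, is the most common reason this kind of setup "works" for the Pi itself but not for the clients behind it.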

Step 3: Enable Packet Forwarding

  1. Edit the sysctl.conf file:
    sudo nano /etc/sysctl.conf
    
  2. Uncomment or add:
    net.ipv4.ip_forward=1
    
  3. Apply changes:
    sudo sysctl -p
    

Step 4: Install and Configure iptables

Install iptables-persistent

sudo apt install iptables-persistent -y

Set Up Basic Firewall Rules

  1. Flush existing rules:
    sudo iptables -F
    sudo iptables -t nat -F
    sudo iptables -X
    
  2. Define rules (order matters: iptables walks a chain top to bottom and the first matching rule wins):
    # NAT: rewrite LAN source addresses to eth0's address on the way out
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    # Allow replies to LAN-initiated connections back in from the WAN side
    sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow anything from the LAN out to the WAN
    sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    
    # Drop every other forwarded packet. This is not optional: the default
    # FORWARD policy is ACCEPT, so without it unsolicited traffic from the
    # WAN side can be routed into the LAN.
    sudo iptables -A FORWARD -j DROP
    
  3. Save the rules:
    sudo sh -c "iptables-save > /etc/iptables/rules.v4"
    
    These rules only govern traffic passing through the Pi. Its own INPUT chain is still wide open, so services running on the Pi (SSH, dnsmasq) stay reachable from the WAN side until INPUT rules are added as well.
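
The Step 4 rules leave the Pi's own INPUT chain open and rely on an appended DROP rather than a chain policy, which makes any later -A rule silently dead. The script below is an added example, not part of the original tutorial: it writes a complete default-deny ruleset in iptables-restore format for the same layout (eth0 WAN, eth1 LAN 192.168.2.0/24), using the conntrack match instead of the older state match, accepting SSH, DHCP and DNS only from the LAN side, redirecting LAN clients' plain DNS to the Pi's dnsmasq, and placing a rate-limited LOG rule after every ACCEPT so it records only what the policy is about to drop. The helper functions let you inspect policies and rule order before anything is loaded, and iptables-restore --test parses the file without committing it. The file path is the one iptables-persistent reads at boot; run the apply step from the LAN side or a console, not over an SSH session on eth0, because a mistake drops that session.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial. Generates a default-deny
# ruleset for the tutorial's layout in iptables-restore format, offers helpers
# to inspect it, and (with the argument "apply") loads and persists it.
# Interface names and subnet below are the tutorial's; adjust for your Pi.
WAN=eth0
LAN=eth1
LAN_NET=192.168.2.0/24
RULES=/etc/iptables/rules.v4     # the file iptables-persistent loads at boot

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Send LAN clients' plain DNS to the Pi's dnsmasq, so /etc/hosts blocks cannot
# be skipped by pointing a client at another resolver on port 53
-A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $LAN -p tcp --dport 53 -j REDIRECT --to-ports 53
# Masquerade LAN traffic behind the WAN address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
# Chain policies are the real default-deny; an appended DROP rule is not
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic addressed to the Pi itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67:68 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Dropped INPUT: "
# FORWARD: traffic routed between LAN and WAN
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only packets really sourced from the LAN subnet may leave (blocks spoofing)
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# Last rule: whatever reaches here is about to hit the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Dropped Packet: "
COMMIT
EOF
}

# chain_policy TABLE CHAIN -> default policy of that chain in the generated file
chain_policy() {
  gen_rules | awk -v t="$1" -v c=":$2" '
    /^\*/ { tbl = substr($1, 2) }
    tbl == t && $1 == c { print $2 }'
}

# chain_targets TABLE CHAIN -> targets of the chain's rules, in evaluation order
chain_targets() {
  gen_rules | awk -v t="$1" -v c="$2" '
    /^\*/ { tbl = substr($1, 2) }
    tbl == t && $1 == "-A" && $2 == c {
      for (i = 3; i <= NF; i++) if ($i == "-j") print $(i + 1)
    }'
}

# apply_rules: parse-check, load atomically, then save for iptables-persistent
apply_rules() {
  local tmp; tmp=$(mktemp)
  gen_rules > "$tmp"
  if ! sudo iptables-restore --test "$tmp"; then
    echo "ruleset rejected, nothing changed" >&2; rm -f "$tmp"; return 1
  fi
  sudo iptables-restore "$tmp" && sudo install -m 0644 "$tmp" "$RULES"
  rm -f "$tmp"
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Because the whole table is loaded in one iptables-restore call, there is never a window in which the old rules are flushed and the new ones not yet in place. The FORWARD chain shows the ordering principle in miniature: two ACCEPTs, an INVALID drop, then the LOG rule last, so the log sees only packets the DROP policy will discard. IPv6 is out of scope here; if your upstream router hands out IPv6, either leave net.ipv6.conf.all.forwarding at 0 or write a matching ip6tables ruleset.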
    

Step 5: Configure DHCP for LAN

Install and configure dnsmasq to provide DHCP (and, by default, DNS) for LAN devices:

sudo apt install dnsmasq -y

Edit the dnsmasq.conf file (the stock file is entirely comments, so these lines can go at the end):

sudo nano /etc/dnsmasq.conf

Add:

interface=eth1
dhcp-range=192.168.2.10,192.168.2.100,255.255.255.0,24h

With interface=eth1, dnsmasq answers only on the LAN side. It hands LAN clients its own address as both default gateway and DNS server, and forwards their lookups to the servers in the Pi's /etc/resolv.conf (the 8.8.8.8 and 8.8.4.4 set in Step 2). Add bind-interfaces as well if you do not want port 53 bound on the WAN interface at all.

Restart dnsmasq:

sudo systemctl restart dnsmasq

Step 6: Test the Firewall

  1. Connect a device to the LAN interface (via Ethernet or a Wi-Fi access point).
  2. Check if the device receives an IP address in the range 192.168.2.x.
  3. Test internet connectivity from the device.

Step 7: Advanced Firewall Rules

Block Specific IPs or Domains

To block traffic to a specific IP (203.0.113.0 is a documentation address; substitute the real one). The rule has to sit above the final DROP from Step 4, and -A would append it below that DROP where it can never match, so insert it at the top of FORWARD with -I:

sudo iptables -I FORWARD -d 203.0.113.0 -j DROP

To block a specific domain (requires dnsmasq, which serves /etc/hosts entries to every LAN client that uses the Pi as its resolver):

  1. Edit /etc/hosts:
    sudo nano /etc/hosts
    
  2. Add:
    0.0.0.0 example.com
    
  3. Restart dnsmasq so it re-reads /etc/hosts:
    sudo systemctl restart dnsmasq

This matches only the exact name (www.example.com is unaffected; dnsmasq's address=/example.com/0.0.0.0 directive covers subdomains too) and only for clients that use the Pi for DNS. A client with a hard-coded resolver or DNS over HTTPS bypasses it unless you redirect or block outbound port 53, and connections made directly by IP are never affected.
    

Limit Bandwidth

tc (traffic control) is part of iproute2, which Raspberry Pi OS already ships, so this install only confirms it is present:

sudo apt install iproute2 -y

Add a token-bucket filter to eth1. A root qdisc shapes what leaves that interface, so this caps traffic flowing toward the LAN (downloads) at 1 Mbit/s; attach it to eth0 instead to cap uploads:

sudo tc qdisc add dev eth1 root tbf rate 1mbit burst 32kbit latency 400ms

The qdisc is not persistent across reboots and is removed with tc qdisc del dev eth1 root.

Log Dropped Packets

Enable logging for dropped packets. LOG is a non-terminating target, so the rule records only the packets that reach it: it must sit directly above the final DROP in FORWARD. Appending it with -A would place it after that DROP, where it never fires. Find the DROP rule's position with sudo iptables -L FORWARD -n --line-numbers and insert at that number (3 if the chain still holds only the three Step 4 rules):

sudo iptables -I FORWARD 3 -j LOG --log-prefix "Dropped Packet: "

Monitor logs:

sudo tail -f /var/log/syslog

On Bookworm, which no longer installs rsyslog by default, read the kernel messages with sudo journalctl -k -f instead. On a busy link add -m limit --limit 5/min to the LOG rule, or a port scan will fill the log.
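
The kernel LOG lines are verbose, and the questions worth answering are who is being dropped and from which side. The script below is an added example, not from the original tutorial: drop_fields normalises each logged packet to its ingress interface, addresses, protocol and destination port; top_sources ranks source/port pairs; by_iface separates drops that arrived on eth0 (scans and noise from the WAN side) from drops that originated on eth1 (a LAN host trying something the policy forbids, which is the case worth investigating). SAMPLE holds constructed log lines in the syslog format the tail command above would show; the addresses in it are documentation ranges and the blocked IP from the previous section.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: summarise the kernel LOG
# lines written by the "Dropped Packet: " rule. Real logs go in on stdin:
#   journalctl -k --no-pager | ./drops.sh live
# The SAMPLE lines below are constructed for this example.

SAMPLE='Mar 03 09:12:01 pifw kernel: [ 1234.567890] Dropped Packet: IN=eth1 OUT=eth0 MAC=b8:27:eb:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.2.15 DST=203.0.113.0 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 03 09:12:03 pifw kernel: [ 1236.001122] Dropped Packet: IN=eth1 OUT=eth0 MAC=... SRC=192.168.2.15 DST=203.0.113.0 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41235 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 03 09:12:04 pifw kernel: [ 1237.331100] Dropped Packet: IN=eth1 OUT=eth0 MAC=... SRC=192.168.2.15 DST=203.0.113.0 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41236 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 03 09:15:30 pifw kernel: [ 1443.120000] Dropped Packet: IN=eth0 OUT=eth1 MAC=... SRC=192.168.1.50 DST=192.168.2.15 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 03 09:16:00 pifw kernel: [ 1473.500000] Dropped Packet: IN=eth1 OUT=eth0 MAC=... SRC=192.168.2.22 DST=203.0.113.0 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=UDP SPT=53413 DPT=443 LEN=28
Mar 03 09:16:00 pifw kernel: [ 1473.600000] usb 1-1.3: reset high-speed USB device'

# drop_fields: one line per LOG hit -> "IN SRC DST PROTO DPT" ("-" when absent)
drop_fields() {
  awk '
    /Dropped Packet: / {
      f["IN"] = f["SRC"] = f["DST"] = f["PROTO"] = f["DPT"] = "-"
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")              # KEY=VALUE tokens only; flags like DF/SYN are skipped
        if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      print f["IN"], f["SRC"], f["DST"], f["PROTO"], f["DPT"]
    }'
}

# top_sources [N]: the N busiest "source PROTO/port" pairs among dropped packets
top_sources() {
  drop_fields | awk '{ c[$2 " " $4 "/" $5]++ } END { for (k in c) print c[k], k }' \
    | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# by_iface: drops arriving on the WAN side versus drops originating on the LAN
by_iface() {
  drop_fields | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# report: read the log once and print both views
report() {
  local log; log=$(cat)
  echo "== top dropped source/port =="
  printf '%s\n' "$log" | top_sources 5
  echo "== drops by ingress interface =="
  printf '%s\n' "$log" | by_iface
}

case "${1:-}" in
  demo) printf '%s\n' "$SAMPLE" | report ;;
  live) report ;;
esac
```

Run ./drops.sh demo to see the report on the constructed sample: 192.168.2.15 tops the list because it keeps retrying the blocked address, and the by_iface split shows four drops originating on the LAN against one probe from the WAN side. Against real logs, a LAN host that dominates top_sources with destination ports it has no business reaching is the line to chase first.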

Step 8: Make Rules Persistent

Ensure iptables rules persist after reboot. iptables-persistent restores /etc/iptables/rules.v4 at boot through the netfilter-persistent service, but only the rules saved there, so re-run this after every change made with the iptables command (including the Step 7 additions), or they are gone at the next reboot:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Step 9: Optional Enhancements

Add a Wi-Fi Access Point

  1. Install hostapd:
    sudo apt install hostapd -y
    
  2. Configure it as an access point to allow wireless connections to the LAN.

Enable VPN

Set up OpenVPN or WireGuard on the Raspberry Pi to route traffic securely through a VPN.

Monitor Traffic

Install tools like iftop or nload for traffic monitoring (both need root to capture packets):

sudo apt install iftop nload -y
sudo iftop -i eth0

Step 10: Maintain Your Firewall

  1. Regularly update the Raspberry Pi:
    sudo apt update && sudo apt upgrade -y
    
  2. Review logs periodically to identify suspicious activity.
  3. Backup configurations:
    sudo cp /etc/iptables/rules.v4 ~/firewall-backup.rules
    

By following this guide, your Raspberry Pi will act as a stateful NAT firewall for the LAN segment behind it, giving you a single point at which to filter, shape and log the traffic that crosses it.
