Translate

Wednesday, May 15, 2013

Installing iptables on Raspberry Pi

Why do we need iptables for RPi.
  1. Restrict connections to services if you are connected to the internet directly.
  2. Ability to control connections states and proper TCP connections.
  3. Ability restrict to allowed connections to the RPi from remote locations.
As you probably found out that the Raspberry Pi does not have iptables installed by default. This is a good thing unless you plan to connect your RPi to the internet. This leaves your SSH (if you have it enabled) connection open to attack if you don't plan to setup a more secure private key connection to SSH. Which I would suggest doing anyway. I plan cover that in a future blog.
Raspberry Pi

What I am planning to cover

  1. Install of iptables for RPi.
  2. Configure basic rules sets for connections to SSH and HTTP services.
  3. Create a script to save your rulesets.
  4. Setup loading rule sets on start-up or your RPi. 

Getting Started

Current overview of my configuration. Using an 8Gig SDCard. I downloaded these items.

 If you would like to setup a static IP or learning to connect to RPi via SSH view my blog here

Installing iptables

During this install of iptables I am going to install the package via SSH. By default iptables is set to allow all connections.
iptables install on Raspberry Pi

  1. Type "sudo apt-get install iptables". press Enter this will download and install the current available version of iptables to you RPi.

Adding rules to iptables

At minimum we want to have a few rules in our iptables. These rules are not for you to use your RPi as a firewall. Plus it would be difficult with only one NIC. You must do these in order or connections could fail. Rules go top down in order. Skip any rule except ones in blue.
iptables saved file
  1. Type "sudo iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED". press Enter This will allow any connection that has been properly established and related to pass though. This is really only needed if you have opened a port like the rule 2. below.
  2. Type "sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT". press Enter. This will allow you to host a website on your RPi on port 80.
  3. Type "sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT". press Enter. This will allow you connect to your RPi via SSH.
  4.  Type "sudo iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT" press Enter. This will allow you access if you have TightVNC installed.
  5.  Type "sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT". press Enter. This will allow you to ping your RPi.
  6. Type "sudo iptables -P INPUT DROP". press Enter. This will block all inbound traffic not accepted by a rule.
  7. Now type "sudo iptables -L". press Enter. You should see your rules loaded.

Saving the configuration to a file

In this section I am going to simply cover saving your shiny new iptables configuration to a file. Then create a script to call iptables-save which will allow us to save the file anytime.
Script to save running iptables information
  1. Type "cd /etc | sudo iptables-save > iptables.conf". press Enter. This will save the currently running ruleset from memory into /etc/iptables.conf file.
  2. Type "cd ~/". press Enter. Put us in your home directory.
  3. Type "echo '#!/bin/bash' | sudo tee ~/savetables". press Enter. This is the header for the script file.
  4. Type "echo '/sbin/iptables-save > /etc/iptables.conf' | sudo tee -a ~/savetables". press Enter. This is the command to save the table information to /etc/iptables.conf file.
  5. Type "sudo chmod +x ~/savetables". press Enter. This will set the file to have execute permissions.
  6. Type "cd ~ | sudo ./savetables". press Enter. This command will allow you to save the configuration file anytime.

Applying rules to the eth0 interface to stay persistent

We are going to start off by creating a script file in the network directory to execute our iptables when our eth0 interface is up and running.
Load iptables on interface load Raspberry Pi
  1. Type "echo '#!/bin/bash' | sudo tee /etc/network/if-up.d/iptables". press Enter. This is the header for the script file.
  2. Type "echo '/sbin/iptables-restore < /etc/iptables.conf' | sudo tee -a /etc/network/if-up.d/iptables". press Enter. This is the command that will load our iptables on our eth0 interface.
  3. Type "sudo chmod +x /etc/network/if-up.d/iptables". press Enter. This will set the file to have execute permissions.
  4. Type "sudo reboot". press Enter. After your RPi comes back up you should now be able to type "sudo iptables -L" and see your rules listed under INPUT.

Known Issues

None


Monday, May 13, 2013

Install nginx 1.4.1 Raspberry Pi


Lets start off with why we need to get the latest update to ngnix.
  1. Current build of nginx from the Raspbian mirror for Raspberry Pi is out of date.
  2. Current "apt-get install nginx" has critical vulnerabilities. 
I just started messing with Raspberry Pi and wanted to setup a simple web server with the option for HTTPS, this being said I knew that nginx would provide me with a small foot print and very high speed web service.

What I am planning to cover

I will cover more than just installing nginx into your RPi.
  1. Setting Static IP to your RPi
  2. Connecting to your RPi via SSH
  3. Getting the source files for compiling your newer nginx 1.4.1
  4. Compiling and building a package for using nginx source.
  5. Installing your built package into RPi

Getting Started

Current overview of my configuration. Using an 8Gig SDCard. I downloaded these items.
After you setup this you many choices to connect to your RPi. I choose to use SSH to do most of my configuration remotely. Notice: RPi does not have iptables installed by default so I wouldn't connect your RPi direct to the internet without going through installing iptables.

Raspberry Pi

Setting Static IP

First off you will probably want to set a static IP address to your RPi for your web service and this will aid the connection for SSH later.
We will start using the built-in GUI for this basic task then move on to SSH.
    Raspberry Pi Static IP
  1. Open LXTerminal at the prompt type pi@raspberrypi ~ $ sudo nano /etc/network/interfaces
  2. Edit line "iface eth0 inet dhcp" change line to "iface eth0 inet static"
  3. Add these lines below "iface eth0 inet static"
  • address 192.168.40.20 # This is your ip static address for you RPi
  • netmask 255.255.255.0
  • network 192.168.40.0
  • broadcast 192.168.40.255
  • gateway 192.168.40.1 # This assumes your gateway (router) to the internet is at .1
Here is our output now press ctrl+o then press Enter to save the file. Then press ctrl+x to exit.
At the console prompt type "sudo reboot" now while our RPi is rebooting lets get our SSH client (Putty) software. Download Putty here


Connecting to RPi via SSH

Open Putty
    Raspberry Pi SSH connection
  • In the Host Name (or IP address) enter your IP address example: 192.168.40.20 or whatever you gave your RPi. 
  • Under Saved Sessions type RPi and click Save. 
  • You will now have faster access to your RPi via SSH. Click Open. 
  • You will now be prompted for Login as: type "pi" press Enter. At pi@192.168.40.20's password: type "raspberry" press Enter.

Download and build our nginx package

We are going to setup our environment to take our new packages and have it build our packages.
    Raspberry Pi package sources list
  1. Type "cd /etc/apt". press Enter. We are going to add the source download location.
  2. Type "sudo nano sources.list". press Enter. We have to add lines here for the source.
  3. On a new line enter these lines.
    •  Type "deb http://nginx.org/packages/debian/ squeeze nginx". press Enter.
    •  Type "deb-src "http://nginx.org/packages/debian/ squeeze nginx"
    • Type "ctrl+o then ctrl+x to save the file.
    Download nginx source code
  4. Type "cd /tmp". press Enter. We are moving into our root temp directory to build our packages in.
  5. Type "sudo apt-get build-dep nginx". press Enter. This will download all dependencies for nginx.
  6. Type "sudo apt-get source nginx". press Enter. This will download the source for nginx.
  7. Compile nginx 1.4.1 source code for Raspberry Pi
  8. Type "cd /tmp/nginx-1.4.1 && sudo dpkg-buildpackage -uc -b". press Enter. This process will take a seriously long time. It is building the full install package.
We have now completed our download and compiled our package. Time to install the package.

Install our built package

We have now come a long way to get exactly what you need to get a current version of nginx build for your Raspberry Pi. Lets finish the with a quick install.
  1. Stop the exiting service! Type "sudo service nginx stop". press Enter.
  2. Remove previous package nginx if it exists Type "sudo apt-get remove nginx". press Enter
  3. Review the data in the package Type "dpkg-deb -I /tmp/nginx_1.4.1-1~squeeze_armhf.deb". press Enter.
  4. To instal the package Type "sudo dpkg -i /tmp/nginx_1.4.1-1~squeeze_armhf.deb". press Enter (If this fails see the known issues section.)
  5. Type "sudo reboot"
FYI. The location to the index.html file is "/usr/share/nginx/www"

Raspberry Pi nginx 1.4.1 Installed

Known Issues

Fail to install stating previous install files still exist.
  1. The not so graceful way Type "sudo dpkg -i --force-overwrite /tmp/nginx_1.4.1-1~squeeze_armhf.deb"