APC Australia

Protect your network with a Pi-based firewall

Turn your Pi into an ultra-secure access point complete with firewall to protect your computer from the dark side of the internet.


You may remember that, in December 2016, the media reported that the infamous Mirai worm had infected a substantial number of routers used by customers of UK ISP TalkTalk, stealing their Wi-Fi passwords. The worm exploited the default admin passwords that are hardwired into a number of machines, and although the focus was on enslaving devices to take part in DoS (Denial of Service) attacks, the implications are staggering. Even those handful of users who take the trouble to change their router’s default passwords seldom bother to use firewalls.

In plain English, this means your router’s settings, and theoretically devices on your home wireless network, could be laid bare by attackers. Fortunately the Raspberry Pi comes to the rescue once again. We’ll show you how.

This project can be roughly divided into two parts. The first is to set up your Pi as a wireless AP (access point). In other words, the Pi itself will create a wireless network for you to connect to. The Pi can then be connected to your router, so that anyone connected to its wireless network can continue to access the internet.

The second part of this project involves installing an easy-to-use firewall on your Pi which will block any open ports that attackers can exploit. You can also configure the firewall to allow access to legitimate programs, as well as block any websites you think are unsafe. Provided you have the correct equipment, you can have your own secure AP with firewall up and running in under 20 minutes.

THE BARE NECESSITIES

The wireless device you use must be compatible with hostapd (more about this shortly). This project is technically compatible with all models of Pi, although the Pi needs to be both wireless-enabled and have an Ethernet port to connect to your router. The Raspberry Pi 3 lends itself very well to this. If at all possible, set up the Pi using a keyboard and monitor rather than over SSH, because once the Pi has created its own AP, you won’t be able to connect to it wirelessly. You can, however, connect to it through your router’s wireless network if you know the IP address.

If you prefer the compact Pi Zero, make sure you have either a USB OTG host cable or a USB-to-MicroUSB OTG shim (available from all Pi accessory suppliers). You’ll also need an RJ45-to-USB converter to attach to the USB port. You’ll then be able to connect the Pi Zero to your router.

In addition to the Pi itself, you’ll need a secondary device to check that the wireless AP is functioning correctly, as well as a network cable to link the Pi to the router. Most modern routers have at least one USB port, so you should be able to power the Pi from there.

For security reasons and to save on resources, it’s best to have a dedicated Pi for your home firewall, rather than one that you might use for other purposes in addition. If at all possible, plug your Pi into a monitor and work from Terminal directly when going through this project rather than connect via SSH. This reduces the chance that your connection will drop at a vital stage in the proceedings.

As always, it’s best to start with a clean install of the latest version of Raspbian on the Pi. Once the install is complete, open Terminal and run the following commands to be certain your system is fully up to date:

sudo apt-get update
sudo apt-get upgrade

If you do not have access to a monitor, you can connect to the Pi wirelessly through your router’s Wi-Fi network via SSH. Connect your Pi to the router via Ethernet cable first. If you have a mobile device, the handy app Fing can be used to easily identify the IP address of all devices on your local network. Fing is available to download free of charge from both the iOS App Store and Google Play.

Once you’re satisfied that the AP is working as you’d like, make sure to disable the wireless function on your router to prevent people from connecting to it instead of the Pi firewall.

TALKING POINTS

The access point is set up and managed by the handy program hostapd. Step 3 of our guide on page 97 covers creating a configuration file wherein you’ll specify the settings for the Pi’s new wireless network such as name, password and encryption type used. You can return to this hostapd.conf file at any time to change your settings if you wish.

While every wireless card can connect you to a Wi-Fi network, not all Wi-Fi cards can generate their own wireless networks. Fortunately, the Wi-Fi module built into the Raspberry Pi 3 does support this feature, which is a good reason to consider using one for your firewall.

We’ll also install the devilishly clever program dnsmasq to handle the network infrastructure. It also draws its settings from a small configuration file, which you will set up in Step 4. The suggested settings have dnsmasq use Google for its DNS server (8.8.8.8) but you can change this to another DNS provider if you wish, such as OpenDNS (208.67.222.222). For best performance, you may want to list more than one DNS server. To do this, add one server= line per DNS server in the dnsmasq.conf file, for example:

server=208.67.222.222
server=208.67.222.220
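The dnsmasq settings described above, written out as an added shell example that generates the configuration file; this is not the guide’s own Step 4 file. The interface name wlan0 and the 192.168.42.0/24 range are assumptions, and the Pi is expected to hold 192.168.42.1 on wlan0.

```shell
#!/bin/sh
# Added example, not the article's Step 4 file: generate the dnsmasq.conf for
# the Pi access point. Assumed: wlan0 is the AP interface and the Pi holds
# 192.168.42.1 on it (a constructed subnet); adjust both to match your setup.

AP_IF="${AP_IF:-wlan0}"
LAN="192.168.42"

# Print the config to stdout; the interface comes first, then any number of
# upstream DNS servers, each of which becomes its own server= line.
dnsmasq_conf() {
    iface="$1"; shift
    [ $# -ge 1 ] || { echo "need at least one upstream DNS server" >&2; return 1; }
    # Listen only on the AP side, never on the router-facing Ethernet port.
    echo "interface=$iface"
    echo "bind-interfaces"
    # Ignore /etc/resolv.conf so the servers listed here are the only upstreams.
    echo "no-resolv"
    # Lease .10 to .50 for 12 hours; the Pi is both gateway and DNS server.
    echo "dhcp-range=$LAN.10,$LAN.50,255.255.255.0,12h"
    echo "dhcp-option=option:router,$LAN.1"
    echo "dhcp-option=option:dns-server,$LAN.1"
    for s in "$@"; do
        # Refuse anything that is not a dotted-quad IPv4 address.
        echo "$s" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "bad DNS server address: $s" >&2; return 1; }
        echo "server=$s"
    done
}

# Google plus two OpenDNS resolvers, as the article suggests. Review the
# output, then redirect it into /etc/dnsmasq.conf as root and restart dnsmasq.
dnsmasq_conf "$AP_IF" 8.8.8.8 208.67.222.222 208.67.222.220
```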

UNCOMPLICATED FIREWALL

Ufw (Uncomplicated Firewall) comes bundled with a number of Linux distros and, true to its name, is very simple to use. It is by no means the only firewall program out there — in fact, there are entire distributions of Linux such as IPFire in the wild which are specifically designed to act as a gateway between your computer and the internet, complete with colourful windows. Why then use a rather mundane command line application?

Aside from the fact that Ufw has withstood the test of time, it’s very easy to install and set up. Once enabled, it will launch automatically. By default it will block all incoming connections and allow all outward ones. This can be a nuisance if you and other users on your network want to use certain applications like BitTorrent or Skype, but fortunately, configuring exceptions to these rules is easy. Ufw also has a graphical companion for those who are still not entirely comfortable with the command line. See Configuring your Firewall, below, for more information.

Ufw also has the ability to block connections to specific IP addresses or ranges, so you can prevent network users from visiting certain websites (see Domain Denial, back over the page).
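The default policy, application exception and address blocking described in the two paragraphs above, as an added shell example that is not part of the APC guide. The names wlan0 and eth0, the BitTorrent port 6881 and the 203.0.113.0/24 range are assumptions; the script also adds the DHCP, DNS and forwarding rules an access point needs once incoming traffic is blocked by default, and prints the commands rather than running them unless asked to.

```shell
#!/bin/sh
# Added example, not the article's own steps: build the ufw rule set for a Pi
# that runs the access point on wlan0 and reaches the home router over eth0.
# Assumed names: wlan0, eth0, the BitTorrent port and the blocked range.
# Each function prints ufw commands so the plan can be read before it is run.

AP_IF="${AP_IF:-wlan0}"    # Wi-Fi side, where AP clients connect
WAN_IF="${WAN_IF:-eth0}"   # Ethernet side, towards the router

# The defaults the article describes: block all incoming, allow all outgoing.
default_policy() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
}

# AP clients must still reach the DHCP and DNS that dnsmasq serves on the Pi,
# and ufw forwards nothing between interfaces until a route rule allows it.
ap_services() {
    echo "ufw allow in on $AP_IF to any port 67 proto udp"
    echo "ufw allow in on $AP_IF to any port 53"
    echo "ufw route allow in on $AP_IF out on $WAN_IF"
}

# Exception for an application that needs an inbound port (e.g. BitTorrent).
allow_app_port() {
    echo "ufw allow in on $AP_IF to any port $1 proto ${2:-tcp}"
}

# "Domain Denial": keep AP clients, and the Pi itself, away from an address or
# CIDR range. ufw matches addresses, so look up the site's IPs beforehand.
deny_range() {
    echo "ufw route deny in on $AP_IF out on $WAN_IF to $1"
    echo "ufw deny out on $WAN_IF to $1"
}

# ufw checks rules in order, so the deny rules go in before the broad
# route-allow rule; added afterwards they would never be reached.
plan() {
    default_policy
    deny_range 203.0.113.0/24     # constructed example range (TEST-NET-3)
    ap_services
    allow_app_port 6881 tcp
    echo "ufw --force enable"
}
# Dry run by default; set APPLY=1 and run as root to execute the plan.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    plan | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
else
    plan
fi
```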

Although Ufw can be used to block individual websites, any web pages that do load will display banner advertisements and pop-ups. By far the easiest way to deal with these is for you and other users on your network to install browser extensions such as Ublock Origin and Ghostery to prevent both adverts and tracking cookies. Mobile users can also benefit from the official Adblock Browser.

If this isn’t feasible, you can remove the Pi’s default DHCP (Dynamic Host Configuration Protocol) server and configure dnsmasq in its place to automatically redirect known ad servers to an internal IP address. By default, this will create ugly blank spaces in the middle of your web pages, but you can solve this by also installing the handy app pixelserv. Pixelserv’s sole purpose in life is to support ad-blocking via serving a transparent 1x1 pixel GIF image in place of adverts. This makes your ad-blocking a much tidier experience.

If you’re interested in adding an ad-blocking feature to the Pi, a tutorial is available on the Adafruit website: learn.adafruit.com/raspberry-pi-as-an-adblocking-access-point

Figure caption: How a firewall sits between your home network (LAN) and the internet (WAN). Individual ‘bricks’ can be removed to let legitimate traffic through.

Figure caption: Serving suggestion for Pi Zero internet connection. The OTG cable (2) allows connection of regular USB devices. The RJ45 converter (3) allows connection via Ethernet.
