Raspberry Pi – iptables for knockd

54 Raspberry Pi – iptables for knockd I’m sure that there are more secure ways to configure iptables, what follows is a basic configuration to get knockd up and running (the guide to which can be found here rel=”noopener” target=”_blank”). All of the below came from following the linked guide at DigitalOcean.

Our iptables configuration will block most traffic, while still allowing local, established, and port 80 connections. Our first rule will allow local traffic which the machine uses to talk to itself

iptables -A INPUT -i lo -j ACCEPT

You’ll notice that the rule is being applied to the INPUT chain, to the lo or loopback interface (where you find local traffic), and has been configured to ACCEPT rather than DENY the traffic.

Next we want to ensure that all established connections and traffic related to them are allowed. I’m a bit hazy on the specifics of what we’re doing in this rule, so I’ll need to look up the particulars later.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This rule is pretty important, because without it we would lose our active SSH connection (which we are presumably using rather than hooking our pi up to a monitor) when we enter our deny all rule. Next, since we have a web service running, we’ll make a rule to ensure that that is accessible.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Pretty straight forward stuff. Now that we know that all traffic we want to allow has been accounted for, we will add our final rule. It’s important to note that as we add each of these rules, they get appended to the bottom of that list. When iptables checks the firewall rules to determine whether or not to allow traffic, it starts at the top of the list and works towards the bottom until it finds a rule that tells it what to do. So if traffic doesn’t match any of the above, iptables will check it against our final rule which will tell it to drop the traffic.

iptables -A INPUT -j DROP

Go ahead and view the rules with the following command

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
4    DROP       all  --  anywhere             anywhere

This is a useful way to look at them because each rule is in a more orderly format, and has a line number attached. If you ever wanted to delete a rule or insert one at a specific point in the list, you would need to know which line number you needed. With this command, you can easily determine that. An alternative is

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP

Unfortunately, iptables has an annoying tendency to flush your rules on shutdown if you don’t make them persistent. We’ll do this by installing iptables-persistent.

apt install iptables-persistent

At this point, I learned that the service that we need to start is no longer iptables-persistent, but netfilter-persistent. That’s what I get for following a deprecated guide. I don’t know if we could avoid installing iptables-persistent and just install netfilter-persistent, which comes with it, but I’m not going to bother trying to figure it out. It works. So now just start the service and we’re good to go, the rules will remain persistent over power cycles.

service netfilter-persistent start

Save the current rules to persistence:

netfilter-persistence save

With that, we’re ready to move on to setting up knockd.

Raspberry Pi – iptables Script

While we don’t have many rules in our firewall, it can end up being convenient to have a script on-hand so that we can automatically restore the rules that we want. I copied the structure from these guys and filled my own rules in (I left some of their intriguing bits in as comments for the time being).

nano /root/setupFirewall.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#!/bin/bash
# Set up iptables baseline

# Flush rules to work from a clean slate
iptables -F

# Set default policies for INPUT, FORWARD, and OUTPUT chains
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT

# Allow access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Add access from other computers on our network
#iptables -A INPUT -s <IP Address 1> -j ACCEPT
#iptables -A INPUT -s <IP Address n> -j ACCEPT

# Open port for HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Deny All
iptables -A INPUT -j DROP

# List iptables chains
iptables -L --line-numbers
chmod 700 /root/setupFirewall.sh

Don’t forget that last bit. Not only does it allow us to execute the script, but probably more importantly it hides our firewall configuration from unauthorized eyes. Again, obscurity is NOT security, but it can help augment security.