Networking and servers • RPi as firewall/gateway under Bookworm

I had a Raspberry Pi 2B as a firewall/gateway between my home LAN and my ISP, and it had been running since about 2017. I have a lot of things on my LAN that I do NOT want accessing the Internet. Everything on the LAN has a fixed IP address (IPv4).

About 4 weeks ago, I went in to add another address to the iptables for my new RPi 5, and got a rude surprise -- the microSD card in the 2B had failed. I tried fsck with no luck, so I started looking around. I ended up downloading the "full" 32-bit version of Bookworm from raspberrypi.com and putting it onto a new microSD card. The 2B seems to work, but I've gotten nowhere in trying to get the firewall/gateway function to work. I did connect (briefly) using a "spare" WiFi router connected to the ISP, so was able to use APT to get iptables and dnsmasq installed.

Normally, eth0 connects to the LAN and eth1 (an Ethernet dongle) connects to the cable modem from the ISP. The RPi 2 has 192.168.0.1 on eth0, and the address for eth1 is set by the ISP's dhcp.

To set up the iptables I did the following:

Code:

$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -s 192.168.0.1 -j ACCEPT
$ sudo iptables -A INPUT -s 192.168.0.10 -j ACCEPT
$ sudo iptables -A INPUT -s 192.168.0.15 -j ACCEPT
$ sudo iptables -A INPUT -j DROP
$ sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
and just to verify, the output from iptables-save is:

Code:

# Generated by iptables-save v1.8.9 (nf_tables) on Sat Mar 30 14:18:53 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.10/32 -j ACCEPT
-A INPUT -s 192.168.0.15/32 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Sat Mar 30 14:18:53 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Sat Mar 30 14:18:53 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Mar 30 14:18:53 2024
(I probably should note that after I get it working, I'll add several more IPs to the INPUT list, but for now, there's enough to prove whether or not it's working.)

After spending a lot of time reading, I happened across something in the man page for NetworkManager that suggests I should have a couple more files under /etc/NetworkManager/conf.d

iptables-enable.conf containing

Code:

# An additional config to enable iptables
[main]
firewall-backend=iptables
and dnsmasq-enable.conf containing

Code:

# An additional config to enable dnsmasq
[main]
dns=dnsmasq
and after creating them I did a $ sudo nmcli general reload conf

I still can't ping outside addresses (e.g., $ ping -4 -c 3 sparkfun.com) either from the RPi 2 or the (Ubuntu tower) machine at 192.168.0.10.

I really don't want to spend any more time trying to learn NetworkManager when I doubt I spent a grand total of 2 hours on the RPi 2 since I got it working in 2017 until the microSD card failed. I've noted that nftables was supposedly a replacement for iptables, but ALL of the examples I've seen involved allowing only certain ports, and the ISP already blocks too many ports. And all of the examples for NM I've seen seem to be for RPis that have built-in WiFi, which I neither have nor want, and most assume that the gateway is a different machine.

I should also note that nothing on my LAN has any "externally visible" websites.

I'm hoping that someone can help me. At nearly age 70, I've already learned more about Network Manager than I care to!

Statistics: Posted by ArizonaPiUser — Mon Apr 01, 2024 1:05 am
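As an added example from the editor (not the poster's configuration, and not something from Raspberry Pi OS or NetworkManager), here is a small POSIX shell script that builds an iptables ruleset for the two-NIC layout described above from a list of LAN hosts. It encodes two points that the iptables-save output in the post does not: the FORWARD chain, not INPUT, is what decides which LAN hosts may reach the Internet through the Pi (INPUT only governs traffic addressed to the Pi itself), and an allow-list-then-DROP INPUT chain needs a RELATED,ESTABLISHED rule so that replies to the Pi's own outbound connections (pings, DNS lookups, apt) can come back in on eth1. It also checks net.ipv4.ip_forward, which must be 1 before the kernel will route between eth0 and eth1 at all. The interface names and 192.168.0.x addresses follow the post; the script name gateway-rules.sh, the GATEWAY_APPLY variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not the poster's): generate and apply an iptables
# ruleset for a two-NIC Raspberry Pi gateway. Assumes, as in the post, that
# eth0 faces the LAN (192.168.0.0/24) and eth1 faces the ISP's cable modem.
# Hosts named on the command line may talk to the Pi (INPUT) and reach the
# Internet through it (FORWARD); everything else on the LAN stays local.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# gen_rules HOST...  prints the iptables commands without running anything,
# so the result can be reviewed (or compared with iptables-save) first.
gen_rules() {
    printf 'iptables -F\n'
    printf 'iptables -t nat -F\n'
    # Default-deny on the chains that matter; OUTPUT stays open for the Pi.
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    # Replies to the Pi's own connections (DNS, apt, ping) must be let back in;
    # without this rule a default-deny INPUT chain blocks them on eth1.
    printf 'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    for h in "$@"; do
        # Only accept the listed LAN addresses on the LAN interface, so a
        # packet arriving on eth1 with a spoofed 192.168.0.x source is dropped.
        printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$h"
    done
    # Return traffic for forwarded connections, then the per-host allow list.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$WAN_IF" "$LAN_IF"
    for h in "$@"; do
        printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$LAN_IF" "$WAN_IF" "$h"
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# check_forwarding [FILE]  succeeds only if the kernel will route between NICs.
# FILE defaults to the live sysctl; the argument exists so it can be tested.
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# apply_rules HOST...  runs the generated commands as root, stopping on error.
apply_rules() {
    gen_rules "$@" | sudo sh -e
}

# Usage: sh gateway-rules.sh 192.168.0.10 192.168.0.15                (dry run)
#        GATEWAY_APPLY=1 sh gateway-rules.sh 192.168.0.10 192.168.0.15 (apply)
if [ "${GATEWAY_APPLY:-0}" = "1" ]; then
    check_forwarding || echo "warning: net.ipv4.ip_forward is 0; packets will not be routed" >&2
    apply_rules "$@"
else
    gen_rules "$@"
fi
```

Run it without GATEWAY_APPLY first and compare the printed commands with the current iptables-save output. Two things the script deliberately leaves to the system: the rules are not saved across a reboot by iptables itself (on Debian-based systems the iptables-persistent package restores them at boot), and forwarding is enabled permanently with a net.ipv4.ip_forward=1 line in a file under /etc/sysctl.d/ rather than by the script.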
