Bridge Firewall With OrangePi R1




Posted in TechnologyRaspberry-pi

Introduction: Bridge Firewall With OrangePi R1

I had to buy another Orange Pi :) This was because my SIP phone began to ring in the middle of night from strange numbers and my VoIP provider sugested that was due to port scans. Another reason - I had heard too often about routers being hacked, and I have a router I am not allowed to administer (Altibox/Norway). I was also curious what was going on in my home network. So I decided to set up a bridge-firewall, transparent to TCP/IP home network. I tested it with a PC, then I decided to buy OPi R1 - less noise & less power consumption. If you have your own reason to have such a hardware firewall - that is easier than you think! Don't forget to buy a heat sink and a decent micro SD card.

Step 1: OS & Cabling

I installed Armbian:

As you have maybe noticed I used USB TTL converter to have access to serial console, which was not necessary, the default network config assumes DHCP.

The only comment to the converter - in many tutorials no VCC connection is suggested. For me it worked only when power supply was connected (3.3V is the only square pin out on the board). And it was going to overheat if not connected to USB before power supply was switched on. I guess R1 has pinout compatible with OPi Zero, I have troubles with finding R1 schematics.

After booting Armbian, changing root password and some update/upgrade stuff I found two interfaces ('ifconfig -a') - eth0 and enxc0742bfffc6e. Check it because you will need them now - the most awesome thing is that to turn your R1 to a Ethernet bridge you only need to adjust /etc/network/interfaces file. I was emazed that Armbian comes with some preconfigured versions of the file including interfaces.r1switch - sounds like what we need but it does not work.

Another important thing was proper identification of Ethernet ports - enxc0742bfffc6e was the one near serial pins.

Before you make the R1 lose contact with Internet (OK, this could have been configured better) just install one thing:

sudo apt-get install iptables-persistent

Step 2: /etc/network/interfaces

If you switch you local network to eth0 than you need the following interfaces file (you can always get back to orig version with sudo cp interfaces.default interfaces; reboot):

auto br0
iface br0 inet manual

bridge_ports eth0 enxc0742bfffc6e

bridge_stp off

bridge_fd 0

bridge_maxwait 0

bridge_maxage 0

Step 3: Iptables

After reboot your R1 should be transparent to the network and work like a cable connector. Now let us make life more difficult for the bad guys out there - configure firewalls rules (hashed lines are comments; adjust network addresses to your DHCP configuration! ):

# flash all and close doors

iptables -F
iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

# but allow internal network to go outside

iptables -A INPUT -m physdev --physdev-is-bridged --physdev-in eth0 -s -j ACCEPT

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -s -j ACCEPT

# allow DHCP to go thru bridge

iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

iptables -A FORWARD -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# all established traffic should be forwarded

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# just for local browser - access to monitoring tools like darkstat

iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT

#block spoofing

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s -m limit --limit 5/min -j LOG --log-level 7 --log-prefix NETFILTER

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s -j REJECT

Step 4: Final Considerations

After a week - it works perfectly. The only thing I will make up (and submit here) is network monitoring and access via ssh. I repeat - changing interfaces file to the content I have attached will detach the R1 device from IP network - only serial will work.



    • Spotless Contest

      Spotless Contest
    • Trash to Treasure

      Trash to Treasure
    • Microcontroller Contest

      Microcontroller Contest

    We have a be nice policy.
    Please be positive and constructive.




    Here is my question: eth0 ethernet unmanaged.

    My OS "Armbian_5.38_Orangepi-r1_Debian_stretch_next_4.14.14"

    Did you know why and how to fix it. thank