Introduction: Bridge Firewall With OrangePi R1
I had to buy another Orange Pi :) This was because my SIP phone began to ring in the middle of the night from strange numbers, and my VoIP provider suggested that this was due to port scans. Another reason - I had heard too often about routers being hacked, and I have a router I am not allowed to administer (Altibox/Norway). I was also curious what was going on in my home network. So I decided to set up a bridge firewall, transparent to the TCP/IP home network. I tested it with a PC, then decided to buy an OPi R1 - less noise and less power consumption. If you have your own reason to want such a hardware firewall - it is easier than you think! Don't forget to buy a heat sink and a decent micro SD card.
Step 1: OS & Cabling
I installed Armbian: https://www.armbian.com/orange-pi-r1/
As you may have noticed, I used a USB TTL converter to get access to the serial console. This was not strictly necessary, since the default network config assumes DHCP.
The only comment on the converter: many tutorials suggest leaving VCC unconnected. For me it worked only when the power supply was connected (3.3V is the only square pin on the board's pinout). It also started to overheat if the converter was not plugged into USB before the power supply was switched on. I guess the R1 has a pinout compatible with the OPi Zero; I had trouble finding R1 schematics.
After booting Armbian, changing the root password and the usual update/upgrade stuff, I found two interfaces ('ifconfig -a') - eth0 and enxc0742bfffc6e. Check yours, because you will need the names in a moment - the most awesome thing is that to turn your R1 into an Ethernet bridge you only need to adjust the /etc/network/interfaces file. I was amazed that Armbian comes with several preconfigured versions of this file, including interfaces.r1switch - it sounds like what we need, but it does not work.
Another important thing was the proper identification of the Ethernet ports - enxc0742bfffc6e was the one near the serial pins.
Before you make the R1 lose contact with the Internet (OK, this could have been configured better), install one thing:
sudo apt-get install iptables-persistent
Step 2: /etc/network/interfaces
If you connect your local network to eth0, then you need the following interfaces file (you can always get back to the original version with sudo cp interfaces.default interfaces; reboot). The bridge gets no IP address at all, which is why the R1 itself disappears from the network once this is in place:
# bring the bridge up at boot
auto br0
iface br0 inet manual
    # LAN side (eth0) and router side (enxc0742bfffc6e) bridged together
    bridge_ports eth0 enxc0742bfffc6e
Step 3: Iptables
After a reboot your R1 should be transparent to the network and work like a cable coupler. Now let us make life more difficult for the bad guys out there and configure the firewall rules (lines starting with # are comments; adjust the network addresses to your DHCP configuration!). The -m physdev match is what lets iptables see which physical port a bridged frame arrived on; loading it also pulls in the br_netfilter module, which is what makes bridged traffic pass through the iptables chains at all:
# flush all existing rules and close the doors by default
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# but allow the internal network (LAN side = eth0) to go outside
iptables -A INPUT -m physdev --physdev-is-bridged --physdev-in eth0 -s 192.168.10.0/24 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -s 192.168.10.0/24 -j ACCEPT
# allow DHCP to go through the bridge
iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A FORWARD -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# all established traffic should be forwarded (replies to connections the LAN opened)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# just for a local browser - access to monitoring tools like darkstat
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# traffic arriving on the router-side port (enxc0742bfffc6e) with a LAN source address is logged (rate-limited) and rejected;
# everything not matched above falls through to the DROP policies silently
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s 192.168.10.0/24 -m limit --limit 5/min -j LOG --log-level 7 --log-prefix NETFILTER
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s 192.168.10.0/24 -j REJECT
# save the rules so iptables-persistent restores them after a reboot
iptables-save > /etc/iptables/rules.v4
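The LOG rule above is the only view you get of what the bridge is rejecting, so here is an added example (my own script, not part of the original guide) that summarises those kernel log lines by source, destination, protocol and destination port. The log lines embedded in it are constructed samples in the format the LOG target produces; on the real R1 you would feed it /var/log/kern.log or the output of 'journalctl -k' instead. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise what the LOG rule on
# this page writes to the kernel log. On the R1 feed it /var/log/kern.log or
# the output of 'journalctl -k'; here the lines are constructed samples.

# Constructed sample lines. The rule's prefix "NETFILTER" has no trailing
# space, so the kernel glues it straight onto "IN=", exactly as shown here.
SAMPLE_LOG='Jun  6 01:12:03 opi kernel: [ 1234.567] NETFILTERIN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 SRC=192.168.10.1 DST=192.168.10.50 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=5060 SYN
Jun  6 01:12:09 opi kernel: [ 1240.123] NETFILTERIN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 SRC=192.168.10.1 DST=192.168.10.50 LEN=60 TTL=64 PROTO=TCP SPT=44322 DPT=5060 SYN
Jun  6 01:13:41 opi kernel: [ 1332.990] NETFILTERIN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 SRC=192.168.10.1 DST=192.168.10.51 LEN=48 TTL=64 PROTO=UDP SPT=5060 DPT=5060
Jun  6 01:14:02 opi kernel: unrelated message that must be ignored'

# Print "count SRC DST PROTO DPT" for every NETFILTER line in file $1,
# most frequent tuple first. Only KEY=VALUE tokens are parsed, so flag
# tokens such as SYN or DF and the syslog preamble are skipped.
summarize_netfilter_log() {
    grep 'NETFILTER' "$1" | awk '
    {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (src != "") print src, dst, proto, dpt
    }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Number of distinct (SRC, DST, PROTO, DPT) tuples the rule has rejected.
count_rejected_flows() {
    summarize_netfilter_log "$1" | wc -l | tr -d ' '
}

LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
summarize_netfilter_log "$LOGFILE"
echo "distinct rejected flows: $(count_rejected_flows "$LOGFILE")"
```

Because the rule is rate-limited to 5/min, the counts are a lower bound on what was actually rejected, not an exact tally.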
Step 4: Final Considerations
After a week - it works perfectly. The only things I still need to work out (and will post here) are network monitoring and access via ssh. I repeat - changing the interfaces file to the content shown above will detach the R1 device from the IP network; only the serial console will work.
June 6th 2018: bridging is not that much work, but the R1 emits a lot of heat, way too much. A simple heat sink gets very hot - strange, and I don't like it. Maybe it is OK, maybe someone has a solution other than a fan.
BTW - I have managed to connect to my home WLAN, but the R1 has not received any IP via DHCP, and static assignment does not work either. That was my first attempt at having an administrative interface other than the serial one. Another idea is to keep an IP assigned to one of the Ethernet ports. I will get back to this in a few months.