Maybe you think "Why should I protect my pivate network? I've got no critical information on my computer, no sensitive data". Are your emails really public? Don't you have some photos you don't want to upload to Facebook, because they're private. Do you really don't care if you computer is hijacked and used to attack other PCs or act as a spam server?

I don't think you're so careless but maybe you thInk, that setting up a secure network environment is expensive and really difficult. Don't be afraid in this article we will see how to create a network gateway with a firewall, DHCP and DNS server, and a Network Intrusion Detection System (NIDS), entirely based on a Raspberry Pi. 

After this instructable we will have a small security system with the following features:

- Enforce network traffic policies
- Ensure that abnormal packets does not get out or in our network
- DHCP server to distribute network parameters to your LAN
- DNS cache/server to speed up DNS requests and filter out bad DNS queries
- NIDS to detect malicious traffic, such as malware or vulnerability exploits
- Central network monitoring node to watch and debug network traffic

Some may now say "Hey wait, the Raspberry hs only one network port, how should this act as a gateway?". This is done by a small trick. Of course you could buy an USB to ethernet device to get a second network card. But to keep it as simple as possible we just use the Raspi as our gateway, this works really nice. Traffic flows in both ways trought it. Of course it requires some additional configuration, but it's not a problem.

Step 1: Parts

To make our security system we need:

- A Raspberry Pi
- An SD card, I took a class 6 SD Card with 8 GB, 4 should be enough. Be careful with class 10 types, many of them cause
  problems with the Raspberry!
- An Ethernet cable
- A micro-usb power cable
- An Archlinux ARM image. As we don't need any graphical interface, and as the NIDS part will require much of the ressources, we
  need a lightweight one with a barebone terminal. So ArchLinux ARM is the best choice for this project.
- Win32DiskManager software
- An USB keyboard (during the time of installation)

During the setup we need a display. Maybe you connect your Raspberry to a TV screen or to a monitor, which is what I prefer. After the basic setup you won't need it any longer becaue we'll remotely access our Raspi via the network

<p>Before I get started - what I don't understand...<br>Don't we usually need a 2nd Lan Adapter in order to act as a firewall?<br><br>1. Does that mean the the WLAN (port) us used as 2nd interface internal home network?<br> ... and if Yes:<br> a. Is the WLAN port fast enough to replace a current WLAN router?</p><p> b. What would I do, if I have to use my providers router for IP TV communication?<br><br>2. Or is Inbound and Outbound traffic both over the same LAN adapter?<br>... and if Yes:</p><p>a. Isn't that a bottle neck?<br> b. Would it then just hand on a Switch with Modem configured to only <br>communicate with the RPi and an existing WLAN-router also configured <br>only communicating with the RPi?</p>
<p>I flagged this article as &quot;Inappropriate&quot; because I believe it came from </p><p>http://networkfilter.blogspot.de/2012/08/building-your-piwall-gateway-firewall.html</p>
<p>Nope, had a look at your article, this is updated and also, not the same images and not the same text ... you need to calm that flagging finger down and read articles properly before you throw slander about.</p>
I obviously wouldn't have flagged it had the content not been so similar. Perhaps it is you who should re-read the article before commenting.
<p>Could you provide an updated version for the new version of Arch ? (3.12 i believe)</p><p>I am attempting to follow this tutorial however some files(rc.conf) do not exist or some commands are not recognised.</p>
<p>yap we need an update for this useful post </p>
<p>When i run pacman it says command not found, but it did apt-get install pacman and it just installed the game i guess.</p>
<p>Is this step necessary if I can the 0p2 partition is 6gbs? </p>
<p>Can you please explain how this connects physically to the network? Is it connected on one of the router ports? Is it between the modem and router? Please explain. Thanks.</p>
<p>Nice! Here's an example of what you can do once you've built a Pi with snort: http://dnlongen.blogspot.com/snort-dns</p>
<p>This article is a nearly complete copy/past of mine (written 16 August 2012) <a href="http://networkfilter.blogspot.de/2012/08/building-your-piwall-gateway-firewall.html" rel="nofollow">http://networkfilter.blogspot.de/2012/08/building-...</a></p><p>Proper credits should be given at the begining of the article. Thanks.</p>
<p>Hello. I want to make a final project to create a firewall raspbrry pi.</p><p>can anyone help me by giving video want ways of making .. step by step.</p>
<p>There's a lot of useful information in here. However, a Snort sensor needs at least two interface. One standard interface for management or back-end connections (such as SSH, sending data to an SIEM, etc) and then the &quot;sniffer&quot; or promiscuous-mode interface. I believe with the Pi, to make this effective, you'd need to use a wifi adapter and set that up as your management interface and use the eth0 interface for the packet sniffing. Just my 2 cents. I'm using this to get Snort installed on Pi/Archlinux and going from there...</p>
Could you elaborate a bit on the statement &quot;Be careful with class 10 types, many of them cause problems with the Raspberry!&quot;? We've been doing some research online regarding the best SD cards to use, and before running across your statement, the consensus seemed to us to be simply &quot;the faster, the better&quot;. I haven't run across any other information regarding specific problems with any classes.
Hi. <br>I am not able to understand exactly how it works. <br>Does it means all the internal network have the RSS as their gateway ( and the RSS has the router as its gateway (i.e because there is only one network card? <br>pls, could you add a viso or similar with the final map? <br>thank you and good instructable.
Are there any news regarding the use of systemd in ArchLinux? I tried to follow this tutorial but since rc.conf is not existing anymore I'm stuck now with my network settings.
How to set a statis IP: http://dougbtv.com/?p=281
The current ArchLinux for RPi download uses systemd, so your instructions on setting up a static IP address won't work. Only problem I see is that I can't find instructions on doing that ANYWHERE! You wouldn't happen to know how to go about configuring a static IP address under the current ArchLinux distro, would you?
Thx for the feedback. I'll test it this weekend with the new version android add the information.
I think Arch is a better choice for things like this, because of it's smaller footprint, and lack of a gui by default. But i just can't get the Static IP working under the latest image, and I can't find it anywhere. I'm really looking forward to your update. If you don't make a dedicated instructable on how to set the static IP, I might if your updated instructions work.

About This Instructable




Bio: I love to hack things or make new ones.
More by fNX:Learning Arduino basics the easy way - Part 01 "Blink" or "The Internet" Raspberry Pi Firewall and Intrusion Detection System Raspberry Pi Tor relay 
Add instructable to: