Bridge Firewall With OrangePi R1

Introduction: Bridge Firewall With OrangePi R1

I had to buy another Orange Pi :) My SIP phone had begun to ring in the middle of the night from strange numbers, and my VoIP provider suggested that this was due to port scans. Another reason: I had heard too often about routers being hacked, and I have a router I am not allowed to administer (Altibox/Norway). I was also curious what was going on in my home network. So I decided to set up a bridge firewall, transparent to the TCP/IP home network. I tested it with a PC, then decided to buy an OPi R1: less noise and less power consumption. If you have your own reason to want such a hardware firewall, it is easier than you think! Don't forget to buy a heat sink and a decent micro SD card.

Step 1: OS & Cabling

I installed Armbian: https://www.armbian.com/orange-pi-r1/

As you may have noticed, I used a USB-TTL converter to get access to the serial console. This was not necessary, since the default network config assumes DHCP. It is also possible to activate the WiFi interface with sudo nmtui.

The only comment on the converter: many tutorials suggest no VCC connection. For me it worked only when the power supply was connected (3.3V is the only square pin on the board's header), and it was going to overheat if it was not connected to USB before the power supply was switched on. I guess the R1 has a pinout compatible with the OPi Zero; I have had trouble finding R1 schematics.

After booting Armbian, changing the root password and some update/upgrade work, I found two interfaces ('ifconfig -a'): eth0 and enxc0742bfffc6e. Check yours, because you will need the names now. The most awesome thing is that to turn your R1 into an Ethernet bridge you only need to adjust the /etc/network/interfaces file. I was amazed that Armbian comes with some preconfigured versions of the file, including interfaces.r1switch, which sounds like what we need but does not work.

Another important thing was proper identification of the Ethernet ports: enxc0742bfffc6e was the one near the serial pins.

Before you make the R1 lose contact with the Internet (OK, this could have been configured better), install one thing first:

sudo apt-get install iptables-persistent

Well, you might also want to install some network monitoring tools, see here:

https://www.tecmint.com/linux-network-bandwidth-monitoring-tools/

Step 2: /etc/network/interfaces

If you connect your local network to eth0, then you need the following interfaces file (you can always get back to the original version with sudo cp interfaces.default interfaces; reboot):

auto br0
iface br0 inet manual
    bridge_ports eth0 enxc0742bfffc6e
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    bridge_maxage 0

Step 3: Iptables

After a reboot your R1 should be transparent to the network and work like a cable connector. Now let us make life more difficult for the bad guys out there and configure the firewall rules (lines starting with # are comments; adjust the network addresses to your DHCP configuration!). It is vital to make the rules persistent afterwards with

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

# flush all and close doors
# note: iptables only sees bridged frames while br_netfilter is active (net.bridge.bridge-nf-call-iptables=1)
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# but allow internal network to go outside
iptables -A INPUT -m physdev --physdev-is-bridged --physdev-in eth0 -s 192.168.10.0/24 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -s 192.168.10.0/24 -j ACCEPT

# allow DHCP to go through the bridge
iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A FORWARD -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# all established traffic should be forwarded
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# just for local browser - access to monitoring tools like darkstat
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# block spoofing: frames arriving from the router side that claim an internal source
# address are logged (rate limited, so the log cannot be flooded) and then rejected
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s 192.168.10.0/24 -m limit --limit 5/min -j LOG --log-level 7 --log-prefix "NETFILTER "
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s 192.168.10.0/24 -j REJECT

# access to ssh via WiFi
iptables -A INPUT -i wlan0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
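As an added example (not part of the original instructable), here is a small Python script that reads the kernel log lines written by the "block spoofing" LOG rule above and summarizes the rejected packets per source address, protocol and destination port, so you can see what was trying to get in. The log lines in the script are constructed for illustration; the LAN range and the router-side port name are the ones used in the rules above and must be adjusted exactly like the rules.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.10.0/24")  # adjust to your DHCP range, as in the rules
WAN_PORT = "enxc0742bfffc6e"                    # the bridge port that faces the router
TOKEN = re.compile(r"([A-Z]+)=(\S+)")           # KEY=VALUE fields written by the LOG target

# Constructed sample syslog lines (not real captures). The first three are what the
# "block spoofing" LOG rule writes; the fourth comes from a hypothetical extra LOG
# rule on the LAN side and must not be counted; the last is unrelated kernel noise.
SAMPLE_LOG = """\
Jun  6 01:12:03 orangepi kernel: NETFILTER IN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 MAC=aa:bb:cc:00:00:01:aa:bb:cc:00:00:02:08:00 SRC=192.168.10.77 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=41000 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  6 01:12:09 orangepi kernel: NETFILTER IN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 MAC=aa:bb:cc:00:00:01:aa:bb:cc:00:00:02:08:00 SRC=192.168.10.9 DST=192.168.10.20 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=UDP SPT=5060 DPT=5060 LEN=28
Jun  6 01:13:00 orangepi kernel: NETFILTER IN=br0 OUT=br0 PHYSIN=enxc0742bfffc6e PHYSOUT=eth0 MAC=aa:bb:cc:00:00:01:aa:bb:cc:00:00:02:08:00 SRC=192.168.10.77 DST=192.168.10.21 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4243 DF PROTO=TCP SPT=41001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  6 01:13:05 orangepi kernel: NETFILTER IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=enxc0742bfffc6e MAC=aa:bb:cc:00:00:02:aa:bb:cc:00:00:01:08:00 SRC=192.168.10.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  6 01:13:07 orangepi kernel: usb 1-1: new high-speed USB device number 2 using ehci-platform
"""

def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one NETFILTER log line, or None for other lines.
    Works whether the log prefix was given with or without a trailing space."""
    if "NETFILTER" not in line:
        return None
    return dict(TOKEN.findall(line.split("NETFILTER", 1)[1]))

def is_spoofed(fields):
    """True when a frame that entered on the router-side port claims a LAN source address."""
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return False
    return fields.get("PHYSIN") == WAN_PORT and src in LAN

def summarize(log_text):
    """Count spoofed packets per (source, protocol, destination port)."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields and is_spoofed(fields):
            key = (fields["SRC"], fields.get("PROTO", "?"), fields.get("DPT", "?"))
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {src:15s}  {proto:4s} dport {dport}")
```

On the R1 itself you would feed it the real log, e.g. journalctl -k or /var/log/kern.log, instead of the constructed sample.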

Step 4: Final Considerations

After a week - it works perfectly.

June 6th 2018: The R1 emits a lot of heat, way too much. Maybe it is OK, or maybe someone has a solution other than a fan.

Aug 18th 2018: 'armbianmonitor -m' shows 38 Celsius, which is far below my personal perception. I felt a significant change (down) when I reduced the clock a bit:

echo 1000000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

Sep 27th 2021: If you don't have an R1, just use a USB-attached Ethernet card with any other single board computer. I replaced the R1 with an ASUS Tinker during an upgrade.

12 Comments

    spaolo

    2 years ago

    Great tutorial, thanks!
    One question, related to the board: let's say I want to connect the Orange Pi R1 in a daisy chain [lan-in/lan-out>>cable>>lan-in/lan-out>>cable>>lan-in/lan-out]. Do you know if I would need crossover cables, or can I use straight-through cables and the hardware/software does it automatically? Or do I need to instruct them? Many thanks in advance :)

    BoguszJ1

    Reply 2 years ago

    I have no idea. The good news is it won't cost you much or take much time to find the answer :) Take care of its overheating and let me know what the answer was - I think I might need the knowledge. thx :)

    BoguszJ1

    Reply 2 years ago

    Good! Then maybe you would like to write a tutorial for a Pi device? It is sometimes a small, teeny-tiny piece of advice which is a breakthrough for many people in trouble ...

    АндрейБ30

    Reply 2 years ago

    I would, I just don't know where to start.
    I would help those who try, but I don't think I can add something to the official docs.
    I think it's not device-specific but rather distro-specific, which can be easily modified.
    What kind of distro does the Pi have?
    Each of the Shorewall packages contains a set of
    distribution-specific shorewallrc files:
    • shorewallrc.apple (OS X)
    • shorewallrc.archlinux
    • shorewallrc.cygwin (Cygwin running on Windows)
    • shorewallrc.debian (Debian and derivatives)
    • shorewallrc.default (Generic Linux)
    • shorewallrc.redhat (Fedora, RHEL and derivatives)
    • shorewallrc.slackware
    • shorewallrc.suse (SLES and OpenSuSE)
    • shorewallrc.openwrt (OpenWRT)
      http://www.shorewall.net/Install.htm

    BoguszJ1

    Reply 2 years ago

    Start from the beginning :) - unpacking the board and what's next? Which distro you used (downloaded from where), and so on. For some people a Pi is the very first meeting with Linux. But no obligation, maybe someone will pick up the idea. I would love to do it myself (thought about e.g. https://zeroshell.org/) but I have not had time, so many other projects (non-profit, all of them) on my way ...

    АндрейБ30

    Reply 2 years ago

    Well, I don't even have a Pi.
    I wrote it because IMO writing iptables rules by hand for practical use is somewhat ridiculous for inexperienced users. It's like writing in assembly nowadays for regular tasks. On the other hand, Shorewall is not for beginners with Linux either.

    I can give you all the support if you ever decide to give it a go :)
    By the way, does https://zeroshell.org/ support bridging firewalls?

    BoguszJ1

    Reply 2 years ago

    About zeroshell - it does, as far as I remember. But there were a few "projects"/manuals (when I was writing my instruction) which addressed this bridging topic. Writing by hand is not what people do, they copy-paste. At least I hope so ;) I will get back to this area in 2021. I hope there will be a better board then, or a better distro; my R1+distro tandem is terrible in terms of power management.

    興忠楊

    Question 3 years ago on Step 2

    Hi,

    Here is my question: eth0 ethernet unmanaged.

    My OS "Armbian_5.38_Orangepi-r1_Debian_stretch_next_4.14.14"

    Do you know why, and how to fix it? Thanks.

    warhawk8080

    Answer 3 years ago

    run #nmtui for network manager

    BoguszJ1

    Answer 3 years ago

    Type "eth0 ethernet unmanaged" - you will get some hints. That is a question to hardware/OS ;-) BTW - streamer does not seem to be very reliable, I have been working on a replacement, maybe with libuvc.