Monthly Archives: May 2013

Raspberry Pi Firewall with iptables

I recently ordered a Raspberry Pi kit from Adafruit with the goal of making a motion detector.  However, after receiving it, I started to think about other uses for the board.  Specifically, I’d like to get asterisk with an external ATA to PSTN working (that’s a story for another day) and also get a firewall running on it.  Granted, this will end up being multiple Pis but for now it’s all more proof of concept.

The first challenge, which shouldn’t have been all that challenging, was getting a valid image onto the SDHC card.  From what I can tell (sha1sum/shasum), the images that I downloaded were corrupt, so no amount of me trying different methods of writing to the card were going to save me.

What I learned:

-Run shasum (Mac) or sha1sum (Linux) right away.  Don’t mess around until you know that the downloaded file is valid.

-Macs put some cruft like .DS_Store, etc, on the card even when writing with dd.   I ended up using ImageWriter in Ubuntu Linux to write the image.

-The USB console connector from Adafruit is worth its weight in gold.  It needs special drivers which is a bummer.  Tip:  Always unplug it from the USB end, even if you’ve unplugged it from the Pi.  I hard locked my Mac when I didn’t do that, though who knows if that was the true cause.

Once I got it to boot, the familiar Debian-based Raspbian operating system made life easy.  However, the next challenge was getting the network working correctly for the firewall.  I have what is apparently a complex setup, at least according to the lack of finding anyone else who does it.  My firewall has one ethernet connection to the Internet, one to the internal network and then one to a DMZ.  All three ethernet ports are connected to different networks.

To accomplish this I’m using two Cisco/Linksys USB200M’s that I had laying around and a Cables To Go powered USB hub.  eth0 is connected to the Internet, eth1 to internal network and eth2 to the DMZ.

What I found:

-The interfaces connected through the USB hub need to have static IPs set in /etc/network/interfaces.  allow-hotplug also seems to be helpful here.

-The lack of console access to the Pi in my server room made this more difficult.  I ordered an HDMI to DVI cable to I could get video for the the Pi into the KVM in the server room.

What I haven’t solved:

-On boot, the USB-based interfaces don’t seem to work at first.  I haven’t yet been able to figure this out but it seems like unplugging them, waiting a few seconds, and then plugging them back in wakes them up.  So far (a whopping 5 hours in) the interfaces haven’t died; if you’re reading this it was posted through the Pi-based firewall running iptables.

 

Debian Upgrade to Wheezy: MySQL & Dovecot Problems

Upgraded to Debian Wheezy last night.  Followed the official upgrade instructions.  Things went generally well and I’m amazed by how well major upgrades go with Debian.  Wheezy is the second major release for this particular server and it had an uptime of 476 days before today’s upgrade.

A couple problems were noted, specifically with the upgrade of the mysql server and dovecot.  Both seem to have breaking changes.  For MySQL, the breaking change is that in MySQL server 5.5 the master-host and other master-* options are no longer supported.  See the MySQL manual for more details.  I commented out the various replication-related options in /etc/mysql/my.cnf for now and will need to fix that quickly.

The other break-change on this computer was with dovecot.  Looks like all of the dovecot options are now split into multiple files in /etc/dovecot/conf.d with the traditional dovecot.conf now being a shell that refers to other files.  For this particular server I needed to change the path to the SSL certificates; now dovecot wants them in the /etc/dovecot hierarchy and I needed to change the mail_location to be Maildir rather than mbox (not sure why that was the new default now) and add mail_privileged_group of mail.  Dovecot’s working now.

Among the fun things that I’ve already discovered is that I can mount a Synology SMB share without “file exists” problems and airprint finally works for me (though we’ll see for how long).

Once I get comfortable with the stability of the new system I’ll begin migrating other, more mission-critical, servers.