Linux Firewall: Router Security Boost

TL;DR

Putting your home router behind a Linux firewall (like iptables or nftables) adds an extra layer of security. It protects against attacks targeting vulnerabilities in your router’s software, offers more control over network traffic, and can block unwanted connections.

Why Use a Linux Firewall?

Home routers are often the weakest link in home networks. They receive automatic updates less frequently than other devices, and their security features can be limited. A Linux firewall acts as a shield, inspecting all incoming and outgoing traffic before it reaches your router.

Setting Up Your Linux Firewall

  1. Choose a Linux Distribution: Distributions like Ubuntu Server, Debian, or Fedora Server are good choices. They’re free and have large communities for support.
  2. Install Linux: Install the chosen distribution on a dedicated machine (an old computer is fine) or in a virtual machine. Ensure it has at least two network interfaces – one connected to your modem and one to your router/switch.
  3. Network Configuration: Configure the network interfaces:
    • Interface 1 (WAN): Connects to your internet modem. Assign a static IP address from your ISP’s range, or use DHCP if provided by your ISP.
    • Interface 2 (LAN): Connects to your router/switch. Assign a static IP address within a private network range (e.g., 192.168.1.1). This will be the gateway for devices on your home network.
  4. Enable IP Forwarding: Allow the Linux machine to forward packets between interfaces. Edit /etc/sysctl.conf and uncomment or add the following line:
    net.ipv4.ip_forward=1

    Then, apply the change with:

    sudo sysctl -p
  5. Configure iptables (or nftables): This is where you define your firewall rules.
    • Basic Rule Set (iptables example):
      sudo iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
      sudo iptables -A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-host-prohibited

      Replace eth0 with your WAN interface and eth1 with your LAN interface. The first two rules admit only replies to connections that were opened from the inside, the third lets LAN devices open connections outward, and the last rejects any other traffic arriving from the WAN. These rules only protect you against a default policy that drops whatever they do not accept, so set the INPUT and FORWARD chain policies to DROP (add a rule for your own management access from the LAN interface first, or you will lock yourself out).

    • nftables (alternative to iptables): nftables is the modern replacement for iptables. Its rule syntax differs, but it offers more flexibility, and the whole ruleset lives in a single file that the nft tool loads at once. See your distribution's documentation for examples.
  6. Masquerading/NAT: Enable Network Address Translation (NAT) so devices on your LAN can access the internet through a single public IP address.
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  7. Save Firewall Rules: Save the rules to ensure they persist after reboot. The method varies by distribution:
    • iptables: Run sudo sh -c 'iptables-save > /etc/iptables/rules.v4' (the redirect itself must run as root, so a bare sudo iptables-save > … cannot open the file) and configure a script to load the rules on boot; on Debian and Ubuntu the iptables-persistent package reads exactly that file at startup.
    • nftables: The nftables service loads rules at boot from a configuration file (/etc/nftables.conf on most distributions); keep your ruleset in that file so it is restored automatically.
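Steps 5 to 7 combined into one file, as an added example that is not from the original post: a shell function emits the complete ruleset in iptables-restore format (default-drop INPUT and FORWARD policies, stateful replies, LAN-source-only forwarding so spoofed packets from the LAN side are discarded, rate-limited logging of what gets dropped, and the NAT masquerade), so the same text can be loaded with iptables-restore and saved as /etc/iptables/rules.v4. The interface names eth0/eth1 and the 192.168.1.0/24 LAN range are taken from the post's examples; the SSH-from-LAN rule and the FW-*-DROP log prefixes are choices made here.

```shell
#!/bin/sh
# Added example: emit the two-interface firewall from steps 5-7 as one
# iptables-restore ruleset. Usage: gen_rules WAN_IF LAN_IF LAN_NET
gen_rules() {
  wan="$1"; lan="$2"; lan_net="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall host itself: loopback, replies, management from LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# Forwarded traffic: LAN may open connections outward (only with LAN source
# addresses, which blocks spoofing); the WAN side only ever gets replies back
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
-A FORWARD -i $wan -o $lan -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Step 6: masquerade LAN sources behind the WAN address
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Step 7: syntax-check, load, and persist the ruleset (needs root; the
# /etc/iptables/rules.v4 path is the one read by iptables-persistent on boot)
install_rules() {
  tmp=$(mktemp) || return 1
  gen_rules "$@" > "$tmp"
  iptables-restore --test "$tmp" && iptables-restore "$tmp" \
    && install -m 0644 "$tmp" /etc/iptables/rules.v4
  rc=$?; rm -f "$tmp"; return $rc
}

# Print the ruleset when run directly, e.g. ./fw.sh eth0 eth1 192.168.1.0/24
if [ "$#" -eq 3 ]; then gen_rules "$@"; fi
```

Review the generated text before loading it, and run install_rules from a console on the machine rather than over SSH the first time, since the policy switch to DROP takes effect immediately.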

Benefits

  • Enhanced Security: Protects against attacks targeting router vulnerabilities.
  • Granular Control: Allows you to block specific ports, IP addresses, or types of traffic.
  • Traffic Monitoring: You can log and monitor network activity for suspicious behavior.
  • VPN Server: Easily set up a VPN server on the Linux machine for secure remote access.

Important Considerations

  • Complexity: Configuring a firewall requires some technical knowledge.
  • Maintenance: You’ll need to keep the Linux system updated and maintain the firewall rules.
  • Performance: A poorly configured firewall can impact network performance, although this is usually minimal with modern hardware.