I believe that the UMass IT policy forbids “rogue” WiFi gateways in order to prevent anonymous Internet access, so that nefarious actors can be identified.
I needed to create an IoT server for my lab, M5, and it needed to be accessible via WiFi. It also needed to have Internet access so that I could keep its Linux firmware up to date.
Securing it in accordance with the IT policy, and preventing tampering, required several actions:
- disable forwarding of anything coming in from the WiFi port wlan0 to the Ethernet port eth0
- limit the user accounts to the minimum necessary
- secure the privileged account “pi” by changing its password
- disable remote root account login
I will address the first and the last of these actions.
Disabling of forwarding between the WiFi port and the ethernet port
There is a baffling mechanism called “iptables” that filters packets passing between the local host and its various network ports. Luckily, I had to deal only with the FORWARD chain, which handles packets that arrive on one interface and leave on another. I simply had to flush the current rules out of the FORWARD chain
sudo iptables -F FORWARD
and add a single rule that drops anything arriving on wlan0 and bound for eth0:
sudo iptables -A FORWARD -i wlan0 -o eth0 -j DROP
Once the changes are made, they are made permanent by saving the tables into a rules file that is read back at boot time:
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
Disabling of remote root account login
Edit the file /etc/ssh/sshd_config (as root) and set the line
PermitRootLogin no
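As an added example (not part of the original post), here is a small audit script that checks both of the settings above against copies of the files, so it can be run without root: it reads a saved dump in the format iptables-save writes to /etc/iptables/rules.v4 and an sshd_config, treating a FORWARD default policy of DROP as equivalent to the explicit wlan0-to-eth0 rule. File paths, interface names and the sample file contents are assumptions of the example.

```shell
#!/bin/sh
# Audit helpers (added example, not from the original post). They read a
# saved iptables dump (iptables-save format) and an sshd_config, so they can
# be run against copies of the files without root.

# forward_blocked DUMP IN_IF OUT_IF
# True if the dump drops IN_IF -> OUT_IF in FORWARD explicitly, or if the
# FORWARD chain's default policy is DROP (which blocks it as well).
forward_blocked() {
    dump=$1; in_if=$2; out_if=$3
    # Explicit rule as written in the post: -A FORWARD -i wlan0 -o eth0 -j DROP
    if grep -Eq "^-A FORWARD .*-i $in_if .*-o $out_if .*-j (DROP|REJECT)" "$dump"; then
        return 0
    fi
    grep -Eq "^:FORWARD DROP " "$dump"   # policy line, e.g. ":FORWARD DROP [0:0]"
}

# root_login_disabled SSHD_CONFIG
# sshd uses the FIRST PermitRootLogin it reads, so a duplicate later in the
# file does not override it. Directives inside Match blocks are conditional
# and are ignored here. A missing directive is reported as NOT disabled.
root_login_disabled() {
    val=$(awk 'tolower($1)=="match"{exit}
               tolower($1)=="permitrootlogin"{print $2; exit}' "$1")
    [ "$val" = "no" ]
}

# Stand-alone demo on constructed sample files (not real system files).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A FORWARD -i wlan0 -o eth0 -j DROP' 'COMMIT' \
        > "$tmp/rules.v4"
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
        'PermitRootLogin yes' > "$tmp/sshd_config"
    forward_blocked "$tmp/rules.v4" wlan0 eth0 && echo "wlan0->eth0 forwarding: blocked"
    root_login_disabled "$tmp/sshd_config" && echo "remote root login: disabled"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit.sh --demo` for the constructed samples, or source it and call `forward_blocked /etc/iptables/rules.v4 wlan0 eth0` and `root_login_disabled /etc/ssh/sshd_config` on the real files.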
References:
- Wikipedia has good articles on iptables and on masquerading
- Some good Linux references: IPCHAINS-HOWTO and IP-Masquerade-HOWTO
- A good reference regarding securing a Raspbian Linux distribution, likely useful for any Linux system