
Hardening the Natrix Gateway

System hardening is the process of securing a server or computer system by minimizing its attack surface, or surface of vulnerability, and potential attack vectors. It’s a form of cyberattack protection that involves closing system loopholes that cyberattackers frequently use to exploit the system and gain access to users’ sensitive data.

Our goal in this project is to deploy the Natrix Gateway with high confidence in its security. Scripts and configuration files are commented so that readers understand why each setting is chosen and so that any troubleshooting that becomes necessary is easier.

The idea is a properly configured system that performs only the functions required to deliver the services the Gateway provides. Combined with patching security vulnerabilities, this greatly reduces the attack surface of the Gateway and therefore an attacker's ability to compromise the entire system.


Firewall

The firewall on the Raspberry Pi is provided by the ‘iptables’ service, which reads its configuration from a file. The rules below allow inbound SSH (22) and HTTP (80 and 8080), together with TCP ports 8443 and 1450, on the eth0 and wlan0 interfaces; all other inbound and forwarded traffic is dropped by the default policy.

# Generated by xtables-save v1.8.2 on Wed Sep 22 14:28:07 2021
*filter

# Default policies: drop everything inbound and forwarded, allow outbound
:INPUT DROP [397:50634]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [482:69832]

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass everything on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept incoming packets for established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept incoming ICMP
-A INPUT -p icmp -j ACCEPT

# Accept incoming SSH (22), HTTP (80, 8080), 8443 and 1450 on the eth0 interface
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1450 -j ACCEPT

# Accept the same ports on the wlan0 interface
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 1450 -j ACCEPT

# Loopback output (redundant: the OUTPUT policy above already accepts all outgoing traffic)
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Sep 22 14:28:07 2021

The Natrix Gateway stores the rules in /etc/sysconfig/iptables. Whenever a new iptables rule is added at the console, we make it persistent by saving the complete ruleset to that file:

iptables-save > /etc/sysconfig/iptables

The rules can be restored this way:

iptables-restore < /etc/sysconfig/iptables

Be careful with the direction of ‘<’ and ‘>’: it differs between the save and restore commands.

To have the firewall come up on every start of the Natrix Gateway, add an iptables script to the /etc/network/if-pre-up.d/ directory:

nano /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/sysconfig/iptables

Finally, make the script executable:

chmod +x /etc/network/if-pre-up.d/iptables

After a system restart, we can check which rules are actually applied with iptables -nvL:

iptables -nvL

Chain INPUT (policy DROP 252 packets, 36512 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   55  6947 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 48 packets, 6783 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
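Reading the counters by eye works for one gateway but does not catch drift over time. As an added example (not part of the Natrix project's own scripts), the POSIX shell script below audits an iptables-save dump against the intended policy: INPUT and FORWARD must default to DROP and only the listed TCP ports may be accepted. The sample dump is constructed for this example and deliberately contains a stray port 23 rule so the drift check fires; the allowed-port list is taken from the ruleset above.

```shell
#!/bin/sh
# Audit an iptables-save dump against the intended Natrix Gateway policy.
# Constructed sample dump (not from a live gateway): the ruleset above plus a stray port 23 rule.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN: print the default policy of CHAIN (e.g. DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}
# accepted_ports DUMP: print every TCP --dport the INPUT chain ACCEPTs, sorted, deduplicated
accepted_ports() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' | sort -n | uniq
}
# unexpected_ports DUMP ALLOWED: print accepted ports missing from the space-separated ALLOWED list
unexpected_ports() {
    allowed=" $2 "
    for p in $(accepted_ports "$1"); do
        case "$allowed" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}
# audit DUMP ALLOWED: return 0 if INPUT/FORWARD default to DROP and no extra ports are open
audit() {
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$1" "$chain")
        [ "$pol" = "DROP" ] || { echo "FAIL: $chain policy is ${pol:-missing}, expected DROP"; rc=1; }
    done
    extra=$(unexpected_ports "$1" "$2")
    [ -z "$extra" ] || { echo "FAIL: unexpected open TCP ports:" $extra; rc=1; }
    return $rc
}
# On the gateway, audit the live ruleset instead: audit "$(iptables-save)" "22 80 8080 8443 1450"
audit "$SAMPLE_RULES" "22 80 8080 8443 1450" && echo PASS || echo "ruleset drifted"
```

Run from cron after each reboot to get an early warning if a rule was added at the console but never saved, or if the saved file was edited by mistake.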