As expected, a Raspberry PI 2 performs exceptionally well as a firewall. The download throughput achieved was 33 Mbits/sec under the same test conditions as the previous test (see Can A Raspberry PI Be Used As A Firewall? for more details). The CPU usage was about 5% during the download test and around 2% during the upload test.
Can a Raspberry PI be used as a firewall? This question comes back often. Well, I have tested it. The test conditions are:
- a Raspberry PI Model B (256MB of RAM)
- a USB to Ethernet wired interface. 100 Mbits/sec.
- Raspbian (May 2015) as the OS.
- My Internet connection is 30 Mbits/sec. for download, 10 Mbits/sec. for the upload speed.
- www.speedtest.net was used to carry out the speed tests.
The answer is NO. I got a download speed of about 30 Mbits/sec. Using a PC as the firewall with a similar setup, I achieved around 32 Mbits/sec. During the download test, the CPU usage was 100%, versus 20% for the upload test. Memory was not an issue, with about 165 MB free.
I would certainly use this Raspberry PI as a firewall for an Internet connection of 20-20 Mbits/sec. or less.
A similar test will soon be performed using a Raspberry PI 2.
Setting up an Internet Gateway using Ubuntu is pretty straightforward. In order to do so, you will need:
- A computer with two network interfaces. One hooked to your WAN connection, the other one to your LAN.
- Ubuntu installed on that computer, with a minimum of additional software.
- Copy the script below to your gateway machine in /etc/network/if-up.d/00-my-gateway. Make sure that the script has the execute permission.
- Update the LAN and WAN variables in the script. For example, if eth0 is your WAN interface and eth1 is your LAN interface, then set WAN=eth0 and LAN=eth1.
This script configures the Ubuntu Firewall to forward LAN traffic to the Internet but drops all unsolicited incoming traffic from the Internet. Your network will be in stealth mode. You can use the online tool ShieldsUP! at https://www.grc.com to test it.
```shell
#!/bin/sh
# Interfaces: update these to match your machine.
WAN=eth0
LAN=eth1

# Delete all existing rules. The filter table is flushed too, so the rules
# are not appended again each time an interface comes up.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i "$LAN" -j ACCEPT
iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow connections from the $LAN to the $WAN.
iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
# Enable masquerading.
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
# No forwarding from the $WAN to the $LAN.
iptables -A FORWARD -i "$WAN" -o "$LAN" -j DROP
# Drop everything else from the WAN ... Stealth mode.
iptables -A INPUT -i "$WAN" -j DROP
```
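One way to check that the rules loaded on the gateway match the policy described above, as an added example that is not part of the original post: the function below (a hypothetical helper named `audit_gateway`) reads `iptables-save` output and reports rules that were appended more than once, new WAN traffic that is accepted, and a missing WAN drop or masquerade rule. The sample dump and the interface names eth0 and eth1 are constructed for illustration.

```shell
# audit_gateway WAN LAN: read `iptables-save` text on stdin, print one finding
# per line, return 0 only when there are none. (Hypothetical helper name.)
audit_gateway() {
    findings=$(awk -v wan="$1" -v lan="$2" '
        function opt(name,   i) {       # value following option "name", or ""
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:FORWARD DROP/ { fwd_drop = 1 }
        !/^-A / { next }
        {
            chain = $2; iif = opt("-i"); oif = opt("-o"); tgt = opt("-j")
            st = opt("--state") opt("--ctstate")   # whichever match module is used
            fresh = (st == "" || st ~ /NEW/)       # rule matches new connections
            to_lan = (oif == "" || oif == lan)     # no -o means any interface
            if (++seen[table " " $0] == 2) print "duplicate rule: " $0
        }
        table == "nat" && chain == "POSTROUTING" && oif == wan && tgt == "MASQUERADE" { masq = 1 }
        table != "filter" || (iif != "" && iif != wan) { next }
        chain == "INPUT" && tgt == "DROP" && st == "" { in_drop = 1 }
        chain == "INPUT" && tgt == "ACCEPT" && fresh && !in_drop { print "WAN input accepted: " $0 }
        chain == "FORWARD" && to_lan && tgt == "DROP" && st == "" { fwd_drop = 1 }
        chain == "FORWARD" && to_lan && tgt == "ACCEPT" && fresh && !fwd_drop { print "WAN to LAN accepted: " $0 }
        END {
            if (!masq) print "no MASQUERADE on " wan
            if (!in_drop) print "no INPUT DROP for " wan
            if (!fwd_drop) print "no FORWARD DROP from " wan " to " lan
        }')
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"; return 1
}
# Constructed dump (WAN=eth0, LAN=eth1): a rule appended twice, DROP with WAN on both sides.
sample_dump() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j DROP
COMMIT
EOF
}
sample_dump | audit_gateway eth0 eth1 || echo "gateway rules need attention"
```

On the gateway itself, run `iptables-save | audit_gateway "$WAN" "$LAN"` as root after the interfaces have come up.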