How to Employ Raspberry Pi Firewall

Are you looking for a way to create a Raspberry Pi Firewall for a longer time? If you could not perform it using OpenWRT and Pfsense, then this blog is definitely for you. The Raspberry Pi features a single ethernet socket, which is why it is not possible to create a genuine Firewall on Raspberry Pi. However, one can produce a router having Firewall capabilities. For performing this task, you require installing some software blocks on Pi. Before we dive into details, let’s discuss some basic things!

PS: here is everything about the SMB Ports Firewall and the importance of firewall, as well as all Types of Firewall for your reference.

What is a Router Firewall?

To understand this, you should know what a router and Firewall mean. A router refers to a network gadget that adjoins two networks with one another. If your computer features two or more ethernet ports, while having diverse networks, then it can behave like a router. Then, you will have two networks sharing a connection to a router, 2.0 and 1.0. If there’s a well-configured router, then it enables X and Y to view each other, whereas working on a diverse network.

Raspberry Pi features a single ethernet card. However, users can employ a WiFi card to create another network. Here, you will know how you can connect a WiFi network to an ethernet network. On the other hand, Firewall refers to a kind of software. This software enables users to insert security policies into the router. As stated in the above example, we mentioned that X could ping Y, but cannot access its HTTP server. Here, we will use “iptables” software for this. You can go with other software when it comes to Firewalls depending on your preference.

For creating wireless access and other software for monitoring the network, users have to go through some instructions. Using this, you can even filter some traffic. So, if you like to do this, then keep on following.

Here is my current network:

And I want to turn it like this:

  • Install Raspberry Pi Firewall on your network
  • Allow WiFi access point using a diverse network subnet
  • Build a bridge among two networks
  • Set some Firewall rules and regulations
  • Install other software

Here, we are going to discuss these steps in detail one by one. So, let’s begin with this procedure’s first step.

Besides, you will learn more about Firewall basics, and how to turn off Firewall as well as the full comparison of stateful vs. stateless firewal here.

Install Raspberry Pi Firewall

Initially, you have to install the Raspberry Pi Firewall on your network. For this, follow:

  • Install Raspbian
  • No requirement of the desktop model, except if users like to employ Raspbian for other tasks
  • Plugin Raspberry Pi using an RJ45 cable on the network.
  • It is not compulsory to use static IP addresses, but it could help.
  • After this, update the system using: sudo apt update, sudo apt upgrade, and sudo reboot.
  • Allow SSH by navigating to raspi-config, then Interfacing options, and then sudo raspi-config.

That’s it, and now, it is time to install the router. So, let’s know how to perform router installation.

Also, here are the Mikrotik Firewall rules and the benefits of virtualization for your reference.

Install Wireless Router

It is quite possible for configuring the Raspberry Pi Firewall manually as a WiFi router. However, it is a bit time consuming and complex. For making it easier for you, we are presenting you with a script for the same.

  • This script is available on GitHub. Firstly, you require installing git for downloading this program. For instance, sudo apt install git
  • Switch to a new folder for downloading this program,


git clone

  • Switch to the subdirectory, which is cd RPI-Wireless-Hotspot/
  • Begin the installation process by sudo./install

Now, the script asks a few questions. Once you have answered them, Raspberry Pi reboots for applying the changes. After completing this process, you can employ the Raspberry Pi Firewall as a router. In the network list of WiFi, you will see the apt SSID. After connecting to the server, check everything is functioning fine or not. So, there’s nothing more to the configuration of the network.

Firewall Theory

The main role of the Firewall is basically to allow or block access from particular IP addresses to another. Most of the time, we often employ a port for setting precise permission. In Firewall configurations, there are two basic rules, which are the Blacklist that follows the rule ‘Allow all except…‘ and Whitelist that follows the rule ‘Deny all except…

So, choose the one according to what you like to perform with the Raspberry Pi’s router. If at home, it is best to go with the first one, where you can block several things such as particular IP addresses. At work, go with the other one, where you can prohibit everything except what’s permitted.

In, Out, and Forward

It is an easier program, where one can create several rules in just three directions. These three directions are:

  • Input: Packets of the network that comes into your Firewall
  • Output: Packets that go out from your Firewall
  • Forward: Packets that go through your Firewall

When using a hosted web server, one can block everything in input, excluding HTTPS and HTTP. However, in output, it does not matter what the server does on the internet. Here, we will be using Forward rules as there’s not much on Raspberry Pi Firewall. Thus, there’s no point in protecting it.

Raspberry Pi Firewall Configuration

Users who like can add a Firewall to their router for filtering the traffic. If working at home, it is not quite significant. However, it is mandatory for a public area or company.


For Raspbian, there are various Firewall packages present, such as UFW or IPTables. OpenWRT is also there, which is the Raspberry Pi distribution for creating a Firewall. IPTables is installed on the Raspberry Pi.

Examine the Present Configuration

Prior to adding rules, it is better to examine the present configuration. For doing so, employ the command as ‘sudo iptables – L.’ The GitHub script adds basic rules into the Forward section for enabling forwarding. One can employ this command for checking if the rules that you have added recently correspond to your preferences.

Insert the Forward rule

Each network is diverse, and thus, every Raspberry Pi Firewall table of rules is diverse too. Here’s an entire syntax for adding particular rules in an environment.

  • Reset the IPTables configuration

For this, add sudo iptables – F. The order is significant, where the router accepts everything. Thus, we are unable to block particular connections.

  • Add the DROP rule

Use the command iptables – A FORWARD – p tcp – dport 80 – j DROP. The command explains that:

(-A) for adding a new rule

(FORWARD) for using in the forward part

(-p tcp) for using the tcp protocol

(-dport 80) for using the HTTP port

(DROP) for dropping everything, which is a timeout connection.

Now, check if the connection is working. To do this, make a connection with the WiFi router. For removing a rule, users need to employ IPTables -F. Or use a similar command having a -D operator in place of -A.

Iptables -D FORWARD -p tcp –dport 80 -j DROP

This command allows users to remove a particular rule and, therefore, not all the rules as the case with -F.

Iptables Command Syntax

For creating the Raspberry Pi Firewall rules, one can use the similar command templates. To perform this action, follow the template as:

Iptables -<operation> <direction> -p <protocol> – -dport <port> -j <action>


  • -F: remove, flush all rules that require no parameters
  • -A: add, append a new rule
  • -D: remove, delete a current rule




Mainly udp or tcp


The number of ports that you like to build the rule.


Make a choice for making the conforming traffic. ACCEPT allows access in the whitelist mode. REJECT denies access and tells senders what’s not permitted. DROP denies access however, does not tell senders.

Switch to Whitelist

Users who are being in a strict environment, then shift to whitelist mode. For performing this action, they have to produce a line of ports. The easiest method to produce a script is to run all the commands at one time. For this, you can download a DNS forwarder on Raspberry Pi. Next, employ the same for answering DNS requests.

  • Download Bind (DNS server package)

sudo apt install bind9
  • Backup the configuration

sudo mv /etc/bind/named.conf.options/etc/bind/named.conf.options

Now, paste the lines as:

Acl “localnetwork” {;;};
options {directory “/var/cache/bind”;
forwarders {;};
allow-query {localnetwork;};
dnssec – validation auto;
auth-nxdomain no;
listen-on-v6 {any;};

It is a typical configuration. One can use OpenDNS for sending DNS queries received on Raspberry Pi to it.

  • Save and Exit (CTRL+O, CTRL+X)
  • Restart Bind by following sudo service bind9 restart
  • Edit DNS Servers present in the DHCP, sudo nano/etc/udhcpd.conf
  • Change the line, opt dns
  • Restart DHCP Server by sudo service udhcp restart

Now, reconnect the device and see if everything is running fine.

Build the Raspberry Pi Firewall Script

  • Make a file having nano

Nano / usr/local/bin/
  • Paste the lines as:
#Clear all rules
Iptables -F
#Whitelist mode
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
#Allow PING for everyone
iptables -A FORWARD -p icmp -j ACCEPT
#Allow HTTP/HTTPS for WiFi clients
iptables -A FORWARD -p tcp –dport 80 -j ACCEPT
iptables -A FORWARD -p tcp –dport 443 -j ACCEPT
#Allow POP/IMAP/SMTP for WiFi clients
iptables -A FORWARD -p tcp –dport 25 -j ACCEPT
iptables -A FORWARD -p tcp –dport 110 -j ACCEPT
iptables -A FORWARD -p tcp –dport 993 -j ACCEPT
#Allow PING for WiFi clients
iptables -A FORWARD -p icmp -j ACCEPT

Users can make amendments to this command as per their preference. Now, you can add executive right to it by “sudo chmod +x” and now, run it by “sudo /usr/local/bin/” If something is not right, you can reboot the Raspberry Pi Firewall for recovering all access.

Make a persistent configuration

The script employs the command “file/etc/iptables.ipv4.nat” for saving the configuration. If it is working, then save the present configuration inside as:

sudo iptables – save>/etc/iptables/ipv4.nat

By doing so, this will upload the file and will apply the changes directly.

Network Monitoring

If the Raspberry Pi Firewall is working fine, then you can add some packages for improving the Raspbian capabilities. To add a web interface, you can monitor what occurs on the network. For this, you can use Webmin, which is a web interface. Download the recent version and route the setup. Now, set a passcode and select if you like to employ SSL.

Websites and Proxy Filter

Here, we are installing Squid as the proxy as well as SquidGuard as the filter for the Raspberry Pi Firewall. For installing Squid, follow “sudo apt install squid” and back up the file with “cd/ etc/ squid sudo mv squid.conf squid.conf.old“. Now, switch to the user and eliminate all comments with “sudo su

Cat squid.conf.old | egrep -v -e ‘^[[:blank:]]*#|^“.

You have to add the lines at the opening as:

acl LocalNet src
http access allow LocalNet

Now, restart Squid for applying changes with “sudo systemct1 restart squid.”

After the configuration of Squid, there are two choices, first, as to employ the Raspberry Pi Firewall as HTTP Proxy by configuring the web browser. The other one is to redirect all the HTTP traffic automatically to Squid.

Installation of SquidGuard

Now, it is time to install SquidGuard by “sudo apt install squidguard.” Download the website list by category and extract the archive files. When extracting, users can view blacklist categories on the screen. Select one and employ the same for the configuration of SquidGuard. Shift files to this folder and archive the SquidGuard configuration. Next, build a configuration file and paste the following lines:

Dbhome /var/lib/squidguard/db logdir /var/log/squidguard dest
violence {
domainlist blacklists/violence/domains
urllist blacklists/violence/urls
log violenceaccess
ac1 {
Pass !violence
redirect http://localhost/block.html
Make changes if you want any and then save and depart (CTRL + O, CTRL + X). Now, create the database and restart Squid for applying changes by following the “sudo service squid restart.” Now, try accessing the URLs from the domain’s list and examine if SquidGuard has blocked you or not.

So, this is how to create the Raspberry Pi Firewall. Now, you have a piece of complete knowledge on building up the Firewall router using a proxy on Raspberry Pi.